Versions Compared

Old Version 41

changes.mady.by.user Henrik Krohns

Saved on

compared with

New Version Current

changes.mady.by.user Bill Cole

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: fixed link to dnsbl-block anchor in FAQ

...

NOTE: A local DNS caching server should not forward to other DNS servers to ensure your queries are not combined with others. Forwarding to other DNS servers often results in URIBL_BLOCKED or similar rule hits meaning you have gone over their free usage limit. More info about this can be found in FAQ.

Wikipedia DNS Server feature matrix

...

  1. Rsync the feed files into /var/lib/rbldnsd

  2. List the feed files in /etc/systemd/system/rbldnsd-dsbl.service

    No Format
    
.include /etc/systemd/rbldnsd.conf

[Unit]
Description=DNSBL (rbldnsd) dsbl instance

[Service]
ExecStart=/sbin/rbldnsd -n -f -r /var/lib/rbldnsd -b 127.0.0.1/530 dul.dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net http.dnsbl.sorbs.net:dnset:http.dnsbl.sorbs.net smtp.dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net new.spam.dnsbl.sorbs.net:ip4set:new.spam.dnsbl.sorbs.net dnsbl-1.uceprotect.net:ip4set:dnsbl-1.uceprotect.net


  3. Enable and start the service

    No Format
    
systemctl enable rbldnsd-dsbl
systemctl start rbldnsd-dsbl


  4. rbldnsd should now be listening on port 530

    No Format
    
# netstat -tunlap | grep rbldns
udp        0      0 127.0.0.1:530           0.0.0.0:*                           901/rbldnsd


  5. Setup your main DNS caching server to forward to rbldnsd. This is an example for PowerDNS recursor:

    • /etc/pdns-recursor/recursor.conf

      No Format
      
forward-zones-file=/etc/pdns-recursor/forward-zones


    • /etc/pdns-recursor/forward-zones

      No Format
      
dul.dnsbl.sorbs.net=127.0.0.1:530
http.dnsbl.sorbs.net=127.0.0.1:530
smtp.dnsbl.sorbs.net=127.0.0.1:530
new.spam.dnsbl.sorbs.net=127.0.0.1:530
dnsbl-1.uceprotect.net=127.0.0.1:530


...

SpamAssassin local.cf

No Format

dns_available yes

/etc/resolv.conf

No Format

search example.com
nameserver 127.0.0.1

NOTE: If something like NetworkManager is reverting your changes in /etc/resolv.conf or you don't have permission to update the /etc/resolv.conf, you may specify a DNS server in the local.cf:

No Format

dns_server 127.0.0.1

Testing

...

  1. not have proper connectivity outbound to the Internet - a firewall could be blocking UDP/TCP 53
  2. have reached the free usage limit of the DNSBlockList - remove the "+short" to see more detail in the ANSWER section
  3. may not be configured correctly - search for articles on how to setup your specific DNS caching server on your specific OS

Spamhaus Zen:

No Format

dig +short 2.0.0.127.zen.spamhaus.org
127.0.0.10
127.0.0.4
127.0.0.2

SORBS DUL:

No Format

# dig 2.0.0.127.dul.dnsbl.sorbs.net +short
127.0.0.10

URIBL:

No Format

dig test.uribl.com.multi.uribl.com txt +short
"permanent testpoint"

If you don't get the permanent testpoint response above, then you are most likely also hitting the URIBL_BLOCKED rule. Check your mail logs. If you are a major mail filtering provider with high volume, then you may have to disable the following rules in the local.cf or you might just get an email from them with pricing information:

No Format

score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

...