Differences between revisions 27 and 28
Revision 27 as of 2012-03-21 15:03:29
Size: 10263
Editor: Darxus
Comment: A little more detail on non-forwarding, with a heading
Revision 28 as of 2014-03-17 11:28:32
Size: 11353
Editor: MikeBrown
Comment: In BIND, you can disable forwarding for just the DNSBL zones
Line 225: Line 225:
If you have a large ISP or are using large public DNS provider(s) it is recommended you ''not'' forward mail-related DNS traffic through their DNS servers (though non-mail DNS traffic from your site shouldn't have problems.) With bind, this means not having any "forwarders" listed. If you have a large ISP or are using large public DNS provider(s) it is recommended you ''not'' forward mail-related DNS traffic through their DNS servers (though non-mail DNS traffic from your site shouldn't have problems.) With bind, this means not having any "forwarders" listed. Or, at a minimum, you could create exemptions by defining empty forwarders for DNSBL zones, like this:

{{{
/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
}}}
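Review bot: the exemption list only helps for the zones named in it; any blocklist that the local SpamAssassin rules query but that is not listed here still goes through the global forwarders, so the text should say that the list has to track the DNSBLs actually enabled on the site rather than be copied verbatim. It is also worth stating explicitly that `forward first;` with an empty `forwarders {};` makes named fall back to normal recursion for these zones instead of failing the lookup, since that is the whole reason the stanza works under a global `forward only;`.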

Caching Nameserver

Often SpamAssassin users will find that their system is performing many DNS (Domain Name System) lookups. There are many NetworkTests in the suite of tests. The network tests significantly enhance the ability of SpamAssassin to correctly categorize messages. One of the main network tests is to look up domain names in the DnsBlocklists.

The DNS lookups can create a lot of network activity. There are a few times when this can cause performance issues. This question is often raised on the SpamAssassin MailingLists.

  • For users behind slow network connections the latency of the lookup can slow down the categorization process.
  • For large sites processing many mail messages the volume of lookups can be a problem.

Often the same information is being looked up again and again. Doing a complete lookup of the same data repeatedly is inefficient.

The standard solution is to install a local caching nameserver to cache repeated DNS requests. This will significantly reduce network traffic due to DNS lookups. This improves system efficiency.

Installing BIND as a Caching Nameserver

This section describes installing BIND (Berkeley Internet Name Domain) in a caching configuration on the system. BIND is the standard nameserver in use on the Internet today. More internet servers run BIND than any other nameserver daemon. Several alternative DNS nameservers in common use are described in their own sections below.

Debian GNU/Linux

The Debian system uses APT (Advanced Package Tool) to manage the system. The following commands will install BIND (Berkeley Internet Name Domain) version 9 on the system.

apt-get update
apt-get install bind9

The Debian package's default configuration installs a caching nameserver suitable for Internet use. After installation the daemon will be configured and running.

Red Hat and Fedora Core GNU/Linux

On Red Hat and Fedora Core systems the BIND software is in the "bind" rpm package. The "caching-nameserver" rpm package contains a caching nameserver configuration suitable for Internet use. Locate those packages from your vendor and install them. The http://rpmfind.net rpm search site is very useful for locating rpms for your system.

On Red Hat the following commands will install BIND and a caching nameserver configuration on the system. The version numbers used below are only illustrative; use the current package version for your system release. This example shows a typical installation on RH9.

After installation the daemon will need to be configured and started. The following commands will configure the BIND name daemon to be started at system boot time and then will start the daemon.

rpm -Uvh bind-9.2.1-16.i386.rpm
rpm -Uvh caching-nameserver-7.2-7.i386.rpm
chkconfig named on
service named start

If you have yum installed, you can use the following commands to install and enable the latest caching nameserver package. yum will take care of installing any dependencies (including the BIND named package) required.

yum install caching-nameserver
chkconfig named on
service named start

BIND Resources

Installing dnsmasq as a Caching Nameserver

dnsmasq is a small DNS server (also includes a lightweight DHCP server).

If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.

dnsmasq Resources

Gentoo Linux

On Gentoo the dnsmasq package is called "net-dns/dnsmasq".

emerge net-dns/dnsmasq
rc-update add dnsmasq default

The daemon can be configured with the files /etc/conf.d/dnsmasq and /etc/dnsmasq.conf.

Installing djbdns as a Caching Nameserver

djbdns/tinydns is D. J. Bernstein's DNS daemon.

If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.

Debian GNU/Linux

To install djbdns on Debian you need to fetch (with apt, for example) the packages "daemontools-installer" and "djbdns-installer". These packages fetch the source code, compile it, and create Debian packages for both daemontools and djbdns. After installing them, you can issue the commands "build-daemontools" and "build-djbdns", which will create the final Debian packages and prompt for installation. Example:

apt-get update
apt-get install djbdns-installer daemontools-installer
build-daemontools
build-djbdns

Note that you may keep and reuse (just not redistribute) the Debian packages created with the installer packages.

After installing djbdns, you need to create the "dnscache" instance under /service. Supposing you want the cache to listen on the loopback device, you would do:

dnscache-conf dnscache dnslog /service/dnscache 127.0.0.1

Installing rbldnsd as a Caching Nameserver

rbldnsd is a small and fast DNS daemon written by Michael Tokarev which is especially made to serve DNSBL zones. This daemon was inspired by Dan J. Bernstein's rbldns program found in the djbdns package. The SURBL links page under "Mirroring RBL zone files locally" references several How-Tos for setting up rbldnsd and rsync in different environments including FreeBSD, Solaris, etc. NJABL also has a document about setting up rbldnsd and rsync for use with RBLs.

rbldnsd uses far less memory and CPU, and is much quicker in responding to queries than BIND. Those are reasons why rbldnsd is widely used for public and private mirroring of RBL zone files. A common rule of thumb is that the overhead of doing rbldnsd and rsync becomes worthwhile for mail systems that process more than 100,000 messages per day. Some RBLs impose a minimum daily message count before allowing rsync access for local mirroring of their zone files. Some RBLs charge a subscription fee for access. Others don't. Please check with the RBL operators as appropriate.

If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.

Setting up the system to use the Caching Nameserver

GNU C library configuration

For the current glibc version 6 the host lookup ordering is configured in the /etc/nsswitch.conf file. The typical configuration would specify the local system file first and the network DNS database second.

hosts:          files dns

The older glibc version 5 library configured host lookup ordering in /etc/host.conf. This library is now obsolete, but your system will probably still provide this file for compatibility, so that older programs linked against the older library keep working.

order hosts,bind

/etc/resolv.conf

The /etc/resolv.conf file configures the nameserver used to look up DNS data. A typical system contains a search line to specify the local domain. It also contains up to three nameserver lines to configure nameservers. Because we are setting up a local caching nameserver, only one entry is needed. The 0.0.0.0 entry specifies that the nameserver on the local host will be contacted for DNS lookups.

search example.com
nameserver 0.0.0.0

Note that if your host is configured as a DHCP client, this file may be overwritten by the DHCP client on the local host every time the network is brought up. See your DHCP documentation for more information.

/etc/hosts

The /etc/hosts file is the original location for DNS data. However, it is generally not used for DNS lookups on modern systems, since it is impossible to keep the entire Internet database there. It is still used for a small amount of local system data.

Typically the localhost loopback address is stored there and nothing more. However it is acceptable to configure a small number of local network systems there and that is typical on small network sites. Here is an example /etc/hosts file.

127.0.0.1       localhost

Using only your ISP DNS servers

Sometimes it is better to always use your ISP's DNS servers: you may have a faster connection to them than to the DNS root servers, and doing so helps create a large site-wide cache and reduces traffic to outside nameservers.

Here are the BIND named.conf options to resolve only through your ISP's DNS servers; the responses are still cached in your local caching server:

options {
...
  forward only;
  forwarders {
    IP_DNS_1;
    IP_DNS_2;
  };
...
};

However, if you have a large ISP or are using a public DNS server having many users who are also doing DNSBL lookups, and the ISP / DNS host has not registered with the DNSBL provider as a paid client, the aggregate traffic from those nameservers may exceed the free usage limits imposed by the DNSBL provider and lookups may start returning invalid results. This could lead to large numbers of incorrectly-classified messages.

Non-forwarding

If you have a large ISP or are using large public DNS provider(s) it is recommended you not forward mail-related DNS traffic through their DNS servers (though non-mail DNS traffic from your site shouldn't have problems.) With bind, this means not having any "forwarders" listed. Or, at a minimum, you could create exemptions by defining empty forwarders for DNSBL zones, like this:

/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
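To review which lookups a configuration like this still hands to the ISP, here is an added example (not from the wiki, BIND or SpamAssassin) that parses a constructed named.conf fragment combining the "forward only" options block above with three of the per-zone exemptions, and reports for each DNSBL query name whether named recurses itself or forwards it. The 192.0.2.x forwarder addresses are placeholders.

```python
import ipaddress
import re

# Constructed named.conf fragment (not the wiki's file): the ISP-only
# "forward only" setup above plus three of the per-zone DNSBL exemptions.
NAMED_CONF = """
options {
  forward only;
  forwarders { 192.0.2.53; 192.0.2.54; };
};
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net"   { type forward; forward first; forwarders {}; };
zone "list.dnswl.org"   { type forward; forward first; forwarders {}; };
"""

# Stanza bodies nest at most one level of braces (the forwarders list).
_BLOCK = r'\{((?:[^{}]|\{[^{}]*\})*)\}'
_OPTIONS_RE = re.compile(r'\boptions\s*' + _BLOCK)
_ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*' + _BLOCK)
_FWD_RE = re.compile(r'\bforwarders\s*\{([^}]*)\}')

def _forwarders_in(body):
    """Forwarder IPs listed in a stanza body, or None if it has no clause."""
    m = _FWD_RE.search(body)
    return None if m is None else [s.strip() for s in m.group(1).split(';') if s.strip()]

def parse_named_conf(text):
    """Return (global forwarders, {zone: its forwarders, or None to inherit})."""
    opts = _OPTIONS_RE.search(text)
    global_fwd = _forwarders_in(opts.group(1)) if opts else None
    zones = {z.lower().rstrip('.'): _forwarders_in(body) for z, body in _ZONE_RE.findall(text)}
    return global_fwd or [], zones

def dnsbl_query_name(ip, zone):
    """Reversed-octet name a DNSBL client asks for, e.g. 2.0.0.127.zen.spamhaus.org."""
    return '.'.join(reversed(ipaddress.IPv4Address(ip).exploded.split('.'))) + '.' + zone

def forwarders_for(name, text):
    """Forwarders for `name`: most specific zone stanza wins; [] means named recurses itself."""
    global_fwd, zones = parse_named_conf(text)
    name = name.lower().rstrip('.')
    best = max((z for z in zones if name == z or name.endswith('.' + z)), key=len, default=None)
    if best is not None and zones[best] is not None:
        return zones[best]
    return global_fwd

def audit(names, text):
    """Report, per query name, whether it stays local or goes to the ISP forwarders."""
    return {n: 'local recursion' if not forwarders_for(n, text)
            else 'forwarded to ' + ', '.join(forwarders_for(n, text)) for n in names}
```

Any zone that audit() reports as forwarded but that your SpamAssassin rules query needs its own empty-forwarders stanza.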

CachingNameserver (last edited 2014-03-17 11:28:32 by MikeBrown)