...
NOTE: A local DNS caching server should not forward to other DNS servers, so that your queries are not combined with those of other users. Forwarding to a shared or public resolver often results in URIBL_BLOCKED or similar rule hits, meaning that the resolver you share has gone over the blocklist's free usage limit. More information about this can be found in the FAQ.
Wikipedia DNS Server feature matrix
...
- Rsync the feed files into /var/lib/rbldnsd
List the feed files in /etc/systemd/system/rbldnsd-dsbl.service
No Format
.include /etc/systemd/rbldnsd.conf

[Unit]
Description=DNSBL (rbldnsd) dsbl instance

[Service]
ExecStart=/sbin/rbldnsd -n -f -r /var/lib/rbldnsd -b 127.0.0.1/530 \
    dul.dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net \
    http.dnsbl.sorbs.net:dnset:http.dnsbl.sorbs.net \
    smtp.dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net \
    new.spam.dnsbl.sorbs.net:ip4set:new.spam.dnsbl.sorbs.net \
    dnsbl-1.uceprotect.net:ip4set:dnsbl-1.uceprotect.net
Enable and start the service
No Format
systemctl enable rbldnsd-dsbl
systemctl start rbldnsd-dsbl
rbldnsd should now be listening on 127.0.0.1, port 530 (UDP):
No Format
# netstat -tunlap | grep rbldns
udp        0      0 127.0.0.1:530           0.0.0.0:*                           901/rbldnsd
- Set up your main DNS caching server to forward the listed zones to rbldnsd. This is an example for the PowerDNS recursor:
/etc/pdns-recursor/recursor.conf
No Format
forward-zones-file=/etc/pdns-recursor/forward-zones
/etc/pdns-recursor/forward-zones
No Format
dul.dnsbl.sorbs.net=127.0.0.1:530
http.dnsbl.sorbs.net=127.0.0.1:530
smtp.dnsbl.sorbs.net=127.0.0.1:530
new.spam.dnsbl.sorbs.net=127.0.0.1:530
dnsbl-1.uceprotect.net=127.0.0.1:530
...
SpamAssassin local.cf
No Format
dns_available yes
/etc/resolv.conf
No Format
search example.com
nameserver 127.0.0.1
NOTE: If something like NetworkManager keeps reverting your changes to /etc/resolv.conf, or you do not have permission to edit /etc/resolv.conf, you can point SpamAssassin at the local resolver directly in local.cf:
No Format
dns_server 127.0.0.1
Testing
...
- not have outbound connectivity to the Internet (a firewall may be blocking UDP and TCP port 53)
- have reached the free usage limit of the DNS blocklist (remove "+short" to see the full ANSWER section and any error return code)
- not be configured correctly (search for articles on how to set up your specific DNS caching server on your specific OS)
Spamhaus Zen:
No Format
dig +short 2.0.0.127.zen.spamhaus.org
127.0.0.10
127.0.0.4
127.0.0.2
SORBS DUL:
No Format
dig +short 2.0.0.127.dul.dnsbl.sorbs.net
127.0.0.10
URIBL:
No Format
dig +short test.uribl.com.multi.uribl.com txt
"permanent testpoint"
If you do not get the "permanent testpoint" response above (an A query for the same name returns 127.0.0.1 when URIBL has refused your resolver), then you are most likely also hitting the URIBL_BLOCKED rule. Check your mail logs. If you are a major mail filtering provider with high query volume, you may have to disable the following rules in local.cf, or you might just get an email from URIBL with pricing information:
No Format
score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0
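The three dig checks above, plus a direct query to the rbldnsd instance on port 530, as one script that classifies the answers instead of leaving you to eyeball them. This is an added example, not code from the SpamAssassin wiki, from rbldnsd or from PowerDNS. It assumes the Spamhaus Zen test-point and error return codes and the multi.uribl.com bitmask listed in its comments; the answers used to exercise it are constructed, and the function and file names are made up for this example.

```shell
#!/bin/sh
# dnsbl-check.sh (hypothetical name, added example).
# Assumptions:
#  - Spamhaus Zen answers the 127.0.0.2 test point with 127.0.0.2 (SBL),
#    127.0.0.4 (XBL) and 127.0.0.10 (PBL); 127.255.255.252/254/255 are its
#    error codes (zone-name typo, query via a public resolver, query limit).
#  - multi.uribl.com answers 127.0.0.N where N is a bitmask: 1 BLOCKED,
#    2 BLACK, 4 GREY, 8 RED (the bits SpamAssassin's 25_uribl.cf tests).
#  - rbldnsd listens on 127.0.0.1 port 530 as configured above.
# The answers passed to these functions by the checks below are constructed.

# zen_status ANSWER: ANSWER is the "+short" output for
# 2.0.0.127.zen.spamhaus.org (A records, one per line).
# Prints one word; returns 0 only for a complete test-point answer.
zen_status() {
  ans="$1"
  if [ -z "$ans" ]; then
    echo "no-answer"            # NXDOMAIN or timeout: resolver/firewall problem
    return 1
  fi
  case "$ans" in
    *127.255.255.255*) echo "query-limit-exceeded";    return 1 ;;
    *127.255.255.254*) echo "public-resolver-refused"; return 1 ;;  # forwarding to a public resolver
    *127.255.255.252*) echo "zone-name-typo";          return 1 ;;
  esac
  # All three test-point codes must be present (SBL, XBL and PBL list 127.0.0.2).
  for code in 127.0.0.2 127.0.0.4 127.0.0.10; do
    case "$ans" in
      *"$code"*) ;;
      *) echo "incomplete-testpoint"; return 1 ;;
    esac
  done
  echo "ok"
  return 0
}

# uribl_status ANSWER: ANSWER is the single A record returned for
# test.uribl.com.multi.uribl.com. Prints the lists whose bits are set and
# returns 1 when the BLOCKED bit is set (the condition behind URIBL_BLOCKED).
uribl_status() {
  ans="$1"
  if [ -z "$ans" ]; then
    echo "no-answer"
    return 1
  fi
  case "$ans" in
    127.0.0.*) ;;
    *) echo "unexpected:$ans"; return 1 ;;
  esac
  n=${ans##*.}                  # the low octet carries the bitmask
  out=""
  [ $((n & 1)) -ne 0 ] && out="$out BLOCKED"
  [ $((n & 2)) -ne 0 ] && out="$out BLACK"
  [ $((n & 4)) -ne 0 ] && out="$out GREY"
  [ $((n & 8)) -ne 0 ] && out="$out RED"
  echo "${out# }"
  return $((n & 1))
}

# Live check (needs network and dig). SORBS DUL is queried both directly on
# rbldnsd (port 530) and through the local recursor, so a broken forward-zone
# entry is distinguishable from a broken rbldnsd. Run as: sh dnsbl-check.sh --live
dnsbl_check_live() {
  echo "zen via recursor:       $(zen_status "$(dig +short 2.0.0.127.zen.spamhaus.org)")"
  echo "sorbs dul via rbldnsd:  $(dig @127.0.0.1 -p 530 +short 2.0.0.127.dul.dnsbl.sorbs.net)"
  echo "sorbs dul via recursor: $(dig +short 2.0.0.127.dul.dnsbl.sorbs.net)"
  echo "uribl via recursor:     $(uribl_status "$(dig +short test.uribl.com.multi.uribl.com)")"
}

if [ "${1:-}" = "--live" ]; then
  dnsbl_check_live
fi
```

A "public-resolver-refused" or "query-limit-exceeded" result from zen_status, or "BLOCKED" from uribl_status, is the symptom the NOTE at the top of this page warns about: the answers are coming from a shared resolver that has exhausted the blocklist's free quota, not from your own caching server.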
...