
Installing a Local Caching Nameserver

SpamAssassin performs many DNS lookups for its NetworkTests, which significantly improve message scoring, primarily through DNSBlocklists such as Spamhaus, SORBS, etc. These results need to be cached locally to improve performance and limit the number of DNS queries sent out, since some DNSBlockLists have limits on free usage.

NOTE: A local DNS caching server should not forward to other DNS servers, so that your queries are not combined with those of other users. Forwarding to other DNS servers often results in URIBL_BLOCKED rule hits, meaning you have gone over their free usage limit.

Wikipedia DNS Server feature matrix

Dnsmasq should not be used by SpamAssassin since it can only forward to other DNS servers.

UNBOUND

Packaging varies slightly between distributions, so refer to Internet articles for details and current information for your OS version. The default configuration files should give you the desired caching, non-forwarding DNS server that listens only locally.

Debian/Ubuntu:

apt-get update
apt-get install unbound

RHEL/CentOS:

yum install unbound
chkconfig unbound on
service unbound start

Fedora:

dnf install unbound
systemctl enable unbound
systemctl start unbound

PowerDNS Recursor

Default PowerDNS Recursor installs should give the desired non-forwarding, caching-only DNS server listening only on localhost. Refer to other online articles for details about the config files and settings specific to your OS version.

Debian/Ubuntu:

apt-get update
apt-get install pdns-recursor

RHEL/CentOS:

yum install pdns-recursor
chkconfig pdns-recursor on
service pdns-recursor start

Fedora:

dnf install pdns-recursor
systemctl enable pdns-recursor
systemctl start pdns-recursor

BIND

Debian/Ubuntu:

apt-get update
apt-get install bind9

RHEL/CentOS:

yum install bind bind-utils
chkconfig named on
service named start

Fedora:

dnf install bind bind-utils
systemctl enable named
systemctl start named

djbdns

djbdns/tinydns is D. J. Bernstein's DNS daemon.

If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.

Debian:
To install djbdns on Debian you need to fetch (with apt, for example) the packages "daemontools-installer" and "djbdns-installer". What these packages do is fetch the source code, compile it, and create Debian packages for both daemontools and djbdns. After installing those packages, you can issue the commands "build-daemontools" and "build-djbdns", which will create the final Debian packages and prompt for installation. Example:

apt-get update
apt-get install djbdns-installer daemontools-installer
build-daemontools
build-djbdns

Note that you may keep and reuse (just not redistribute) the Debian packages created with the installer packages.

After installing djbdns, you need to create the "dnscache" instance under /service. Supposing you want the cache to listen on the loopback device, you would run:

dnscache-conf dnscache dnslog /service/dnscache 127.0.0.1

rbldnsd

rbldnsd is a small and fast DNS daemon written by Michael Tokarev which is made especially to serve DNSBL zones. This daemon was inspired by Dan J. Bernstein's rbldns program found in the djbdns package. The SURBL links page under "Mirroring RBL zone files locally" references several How-Tos for setting up rbldnsd and rsync in different environments including FreeBSD, Solaris, etc. NJABL also has a document about setting up rbldnsd and rsync for use with RBLs.

rbldnsd uses far less memory and CPU, and is much quicker in responding to queries, than BIND. That is why rbldnsd is widely used for public and private mirroring of RBL zone files. A common rule of thumb is that the overhead of running rbldnsd and rsync becomes worthwhile for mail systems that process more than 100,000 messages per day. Some RBLs impose a minimum daily message count before allowing rsync access for local mirroring of their zone files. Some RBLs charge a subscription fee for access; others don't. Please check with the RBL operators as appropriate.

If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.

Using the Local Caching Nameserver

SpamAssassin local.cf

dns_available yes

/etc/resolv.conf

search example.com
nameserver 127.0.0.1

NOTE: Make sure DHCP is not changing the nameserver setting in /etc/resolv.conf away from 127.0.0.1.
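Both requirements on this page (a cache that does not forward, and /etc/resolv.conf pointing at 127.0.0.1) tend to break silently, most often when a DHCP client rewrites resolv.conf. The POSIX shell script below is an added example, not part of this wiki page or of any of the resolvers it lists; it checks both conditions against given files (the default paths /etc/resolv.conf and /etc/unbound/unbound.conf are assumptions), writes a minimal loopback-only Unbound server stanza as a constructed example, and, when dig is available, confirms that the local resolver actually answers.

```shell
#!/bin/sh
# Added example (not from the SpamAssassin wiki): verify that this host
# resolves through a local, non-forwarding cache before relying on the
# DNSBL-based NetworkTests. File paths are parameters so the checks can be
# run against copies; the defaults are the usual locations (an assumption).

# Every "nameserver" line must point at loopback, and there must be one.
# A DHCP client rewriting /etc/resolv.conf is the usual cause of failure.
check_resolv_conf() {
    file="${1:-/etc/resolv.conf}"
    bad=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$file")
    if [ -n "$bad" ]; then
        printf 'non-loopback nameserver in %s: %s\n' "$file" "$bad" >&2
        return 1
    fi
    grep -q '^[[:space:]]*nameserver' "$file" || return 1
    return 0
}

# A caching-only unbound.conf must not carry forwarding directives: a
# forward-zone sends every DNSBL query through someone else's resolver, whose
# combined volume is what trips URIBL_BLOCKED.
check_unbound_no_forward() {
    file="${1:-/etc/unbound/unbound.conf}"
    if grep -Eq '^[[:space:]]*(forward-zone:|forward-addr:|forward-host:)' "$file"; then
        printf 'forwarding directive found in %s\n' "$file" >&2
        return 1
    fi
    return 0
}

# Write a minimal loopback-only, non-forwarding Unbound server stanza to the
# given path. Constructed example config, not a distribution default.
write_unbound_local_only() {
    cat > "$1" <<'EOF'
server:
    # listen on loopback only and answer only local clients
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    # no forward-zone: recurse from the root servers ourselves
EOF
}

# Live check: the local cache must answer a query on its own. Returns 2
# (skipped) when dig is not installed so the script stays usable everywhere.
check_local_resolver_answers() {
    command -v dig >/dev/null 2>&1 || return 2
    [ -n "$(dig +short +time=3 +tries=1 @127.0.0.1 "${1:-apache.org}" A 2>/dev/null)" ]
}

main() {
    rc=0
    check_resolv_conf || rc=1
    if [ -f /etc/unbound/unbound.conf ]; then
        check_unbound_no_forward || rc=1
    fi
    check_local_resolver_answers
    if [ $? -eq 1 ]; then
        echo 'local resolver at 127.0.0.1 did not answer' >&2
        rc=1
    fi
    return "$rc"
}

# Only run the host checks when explicitly asked, so the functions can also
# be sourced and pointed at other files.
case "${1:-}" in
    --run) main; exit $? ;;
esac
```

Run it as `sh check_local_dns.sh --run` after installing whichever resolver you chose. The Unbound stanza is illustrative only: the distribution defaults already listen on loopback, so the property the check enforces is the absence of forward-zone/forward-addr lines, not the exact option set.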
