  • djbdns, which provides the rbldns program.
  • the system accounts Grbldns and Gdnslog.
  • secure service setup via runit. This is facilitated by djbdns itself.



White/Blacklist DNS services must be delegated subdomains. We use for our private SMTP whitelist. Each incoming SMTP server runs its own rbldns instance for whitelisting. The zone data is synchronized from a central place.

The zone data is:


However, we shortcut resolution of the whitelist on the internal dnscache:


echo > /etc/dnscache/root/servers/
sv restart dnscache


sudo -i

rbldns-conf Grbldns Gdnslog /etc/wldns
cd /etc/wldns || cat >&2
chgrp -R staff root
chmod -R g+w root
chmod g+s root
tail -F log/main/current&
ln -s `pwd` /service

After verifying that the service started with a line like:

@400000005c2b7df728e15adc starting rbldns

the log viewer can be terminated.

Now create the zone data:

cd /etc/wldns/root || cat >&2
# Paste the whitelist data
cat > data



  • 53 is the DNS port number, 119 the ASCII code for ‘w’ – alias whitelist, 1 the first whitelist server on this system.

  • Technically, neither the delegation nor the use of a valid subdomain is required when using the resolution shortcut. However, it makes the setup self-documenting and provides failover.

  • We can shortcut resolution on the internal cache only because the whitelist server listens on the local interface.

  • Since the shortcut does not generate external traffic, we also do not need to use the external cache.

  • Tests will only succeed with A and TXT queries on, where # is 0 - 255. Any other query will not be answered by rbldns. Try the test record:

  • Since this is a private service the TXT record need not point to a website. In compliance with DNSxL the first lines of the data file read:

    : private Email IP whitelist
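
The following added example (not part of the original page or of djbdns) checks a whitelist data file before it is synchronized and models which queries get an answer: only A and TXT on a reversed dotted quad under the zone. The zone name `wl.example.org`, the sample entries, the 127.0.0.2 answer address and the function names are assumptions; the data syntax is modelled on the rbldns `:answer:text` line plus address or prefix entries.

```python
import ipaddress

ZONE = "wl.example.org"  # placeholder: the page's real zone name is not shown

# Constructed sample in rbldns data syntax: ":answer:text" line, then entries.
SAMPLE = """\
:127.0.0.2:private Email IP whitelist
# constructed entries
127.0.0.2
192.0.2.25
198.51.100.0/24
"""

def parse_data(text):
    """Return (answer_ip, txt, networks); raise ValueError naming the bad line."""
    answer = txt = None
    nets = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if line.startswith(":"):
                a, _, txt = line[1:].partition(":")
                answer = str(ipaddress.IPv4Address(a))
            else:
                nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"data line {n}: {exc}") from None
    if answer is None:
        raise ValueError("no ':answer:text' line")
    return answer, txt, nets

def lookup(qname, qtype, data, zone=ZONE):
    """None = query shape the page says gets no answer; else A/TXT data or NXDOMAIN."""
    answer, txt, nets = data
    name, suffix = qname.lower().rstrip("."), "." + zone
    if qtype not in ("A", "TXT") or not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(
        l.isascii() and l.isdigit() and int(l) <= 255 for l in labels
    ):
        return None
    ip = ipaddress.IPv4Address(".".join(str(int(l)) for l in reversed(labels)))
    if not any(ip in net for net in nets):
        return "NXDOMAIN"  # DNSxL convention (RFC 5782) for an unlisted address
    return answer if qtype == "A" else txt
```

Running `parse_data` on the central copy before distributing it catches a malformed line before every SMTP host picks it up.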