Requirements
- djbdns, which provides the rbldns program.
- the system accounts Grbldns and Gdnslog.
- secure service setup via runit. This is facilitated by djbdns itself.
Optional:
Delegation
White/Blacklist DNS services must be delegated subdomains. We use wl.magma-soft.at for our private smtp whitelist. Each incoming smtp server runs its own rbldns instance for whitelisting. The zone data is synchronized from a central place.
The zone data is:
&wl.magma-soft.at::wlns.magma-soft.at
+wlns.magma-soft.at:127.53.119.1
However, we shortcut resolution of the whitelist on the internal dnscache:
shnippet:
echo 127.53.119.1 > /etc/dnscache/root/servers/wl.magma-soft.at
sv restart dnscache
Setup
sudo -i
rbldns-conf Grbldns Gdnslog /etc/wldns 127.53.119.1 wl.magma-soft.at
cd /etc/wldns || cat >&2
chgrp -R staff root
chmod -R g+w root
chmod g+s root
tail -F log/main/current&
ln -s `pwd` /service
After verifying that the service started with a line like:
@400000005c2b7df728e15adc starting rbldns
the log viewer can be terminated.
Now create the zone data:
cd /etc/wldns/root || cat >&2
# Paste the whitelist data
cat > data
make
Notes
- 127.53.119.1: 53 is the DNS port number, 119 the ASCII code for ‘w’ – alias whitelist, 1 the first whitelist server on this system.
- Technically neither the delegation nor the use of a valid subdomain is required when using the resolution shortcut. However, it is an auto-documenting and failover practice.
- We can shortcut resolution on the internal cache only because the whitelist server listens on the local interface.
- Since the shortcut does not generate external traffic, we also do not need to use the external cache.
- Tests will only succeed with A and TXT queries on #.#.#.#.wl.magma-soft.at, where # is 0 - 255. Any other query will not be answered by rbldns. Try the test record: 1.0.0.127.wl.magma-soft.at.
- Since this is a private service the TXT record need not point to a website. In compliance with DNSxL the first lines of the data file read:
:127.0.0.2:MagmaSoft private Email IP whitelist 127.0.0.2
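
The query-name rule from the Notes (reversed octets under wl.magma-soft.at, each 0 - 255), as an added example that is not part of the original page. The helper names wl_qname and wl_lookup are hypothetical; wl_lookup assumes dnsq from djbdns is on the PATH and the rbldns instance from Setup is running.

```shell
#!/bin/sh
# Added example (not from the original page). wl_qname and wl_lookup are
# hypothetical helper names; zone and server address are the page's values.
WL_ZONE="${WL_ZONE:-wl.magma-soft.at}"
WL_SERVER="${WL_SERVER:-127.53.119.1}"

# wl_qname IP
# Print the reversed-octet query name for IP (a.b.c.d -> d.c.b.a.ZONE).
# Return 1 unless IP is exactly four decimal octets in 0..255, because
# rbldns does not answer any other name.
wl_qname() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # reject leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$WL_ZONE"
}

# wl_lookup IP
# Ask the local rbldns instance directly with dnsq (part of djbdns).
# Return 0 if an A answer comes back (IP is listed), 1 if not, 2 on bad input.
wl_lookup() {
    name=$(wl_qname "$1") || return 2
    dnsq a "$name" "$WL_SERVER" | grep -q '^answer: '
}
```

Source the file and run wl_lookup 127.0.0.1 to check the test record; the exit status tells listed from not listed.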