Requirements

  • djbdns, which provides the rbldns program.
  • the system accounts Grbldns and Gdnslog.
  • secure service setup via runit (or daemontools). The service directory itself is generated by rbldns-conf, which ships with djbdns.

Optional: delegation of a subdomain to the whitelist server (see Delegation below).

Delegation

DNS white/blacklist services are served from a delegated subdomain. We use wl.magma-soft.at for our private SMTP whitelist. Each incoming SMTP server runs its own rbldns instance for whitelisting; the zone data is synchronized from a central place.

The delegation records in the parent zone (tinydns-data format; & is the NS record, + the A record of the name server) are:

&wl.magma-soft.at::wlns.magma-soft.at
+wlns.magma-soft.at:127.53.119.1

However, we shortcut resolution of the whitelist on the internal dnscache:


echo 127.53.119.1 > /etc/dnscache/root/servers/wl.magma-soft.at
sv restart dnscache

Setup

sudo -i

rbldns-conf Grbldns Gdnslog /etc/wldns 127.53.119.1 wl.magma-soft.at
cd /etc/wldns || cat >&2   # if cd fails, cat swallows the pasted lines instead of the shell running them
chgrp -R staff root
chmod -R g+w root
chmod g+s root
tail -F log/main/current&
ln -s `pwd` /service

After verifying that the service started with a line like:

@400000005c2b7df728e15adc starting rbldns

the log viewer started in the background can be terminated (fg, then Ctrl-C, or kill %1).

Now create the zone data:

cd /etc/wldns/root || cat >&2   # same guard as above: do not run the paste in the wrong directory
# Paste the whitelist data
cat > data

make

Notes

  • 127.53.119.1: 53 is the DNS port number, 119 is the ASCII code of ‘w’ (for whitelist), and 1 marks the first whitelist server on this system.

  • Technically neither the delegation nor the use of a valid subdomain is required when the resolution shortcut is used. The delegation is kept anyway: it documents the setup and resolution still works through the public NS record should the shortcut ever be missing.

  • The resolution shortcut on the internal cache is only possible because the whitelist server listens on a loopback address that dnscache on the same host can reach.

  • Since the shortcut generates no external traffic, the external cache is not involved either.

  • Tests will only succeed with A and TXT queries for #.#.#.#.wl.magma-soft.at, where # is 0 to 255 and the four octets are the client address in reverse order. rbldns answers nothing else. The test entry in the data file is 127.0.0.2, so query 2.0.0.127.wl.magma-soft.at; it must return the A and TXT records, while 1.0.0.127.wl.magma-soft.at (127.0.0.1) must not be listed.

  • Since this is a private service the TXT record need not point to a website. In compliance with the DNSxL convention (RFC 5782: 127.0.0.2 listed, 127.0.0.1 not listed) the first lines of the data file read as follows; the leading :ip:text line sets the A record and TXT message returned for every listed address, the lines after it list addresses:

    :127.0.0.2:MagmaSoft private Email IP whitelist
    127.0.0.2
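
The notes above describe what a query against the whitelist looks like and what rbldns answers. The following offline simulation is an added example; it is not code from this page or from djbdns. It parses a data file in the rbldns-data line syntax shown above, derives the query name for a client address (octets reversed, then the base domain) and answers as the notes describe: A or TXT for a listed address, nothing for anything else. The sample data file, the relay addresses in it (documentation ranges) and all function names are constructed here; the `/n` prefix form accepted by the parser is the simulator's own convenience, not a statement about what rbldns-data supports.

```python
"""Offline simulation of whitelist lookups against an rbldns-style data file.

Added example, not code from the original page or from djbdns.  All names
and sample data are constructed for illustration.
"""
import ipaddress

BASE = "wl.magma-soft.at"

# Constructed data file in rbldns-data syntax.  The leading ':ip:text' line
# sets the A record and TXT message returned for every listed address; the
# remaining lines list addresses.  127.0.0.2 is the DNSxL test entry required
# by RFC 5782; the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges
# stand in for the site's mail relays.
SAMPLE_DATA = """\
:127.0.0.2:MagmaSoft private Email IP whitelist
127.0.0.2
192.0.2.25
198.51.100.0/28
"""


def parse_rbldns_data(text):
    """Return (a_record, txt, networks) for rbldns-data style text.

    Single addresses and explicit '/n' prefixes are accepted.  The '/n' form
    is this simulator's convenience; check the rbldns-data documentation for
    the exact listing syntax the real tool supports.
    """
    a_record, txt = "127.0.0.2", ""
    networks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            # ':ip:text' applies to every listing line that follows it
            parts = line[1:].split(":", 1)
            a_record = parts[0]
            txt = parts[1] if len(parts) > 1 else ""
            continue
        networks.append(ipaddress.IPv4Network(line, strict=False))
    return a_record, txt, networks


def query_name(client_ip, base=BASE):
    """DNSxL query name for a client: octets reversed, then the base domain."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + base


def lookup(qname, qtype, data, base=BASE):
    """Answer as the notes say rbldns does.

    Returns the A or TXT value for a listed address and None otherwise.  None
    covers unlisted addresses (NXDOMAIN), names outside the base or without
    exactly four octets, and query types other than A and TXT.
    """
    if qtype not in ("A", "TXT"):
        return None
    suffix = "." + base
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None
    a_record, txt, networks = data
    if not any(addr in net for net in networks):
        return None
    return a_record if qtype == "A" else txt


def rfc5782_selfcheck(data):
    """RFC 5782 section 5: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (lookup(query_name("127.0.0.2"), "A", data) is not None
            and lookup(query_name("127.0.0.1"), "A", data) is None)


if __name__ == "__main__":
    data = parse_rbldns_data(SAMPLE_DATA)
    for ip in ("127.0.0.2", "127.0.0.1", "198.51.100.7", "198.51.100.16"):
        name = query_name(ip)
        print(name, lookup(name, "A", data), lookup(name, "TXT", data))
    print("RFC 5782 self-check:", rfc5782_selfcheck(data))
```

Run it against a copy of the real data file to see which query names a given relay address produces before testing the live service with dnsq or dig; the self-check is the quickest way to catch a data file that lists 127.0.0.1 by mistake.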