Using rsync and rbldnsd – Abusix

Preface

This technical document describes how to receive a feed of Abusix Mail Intelligence via rsync and to serve the zones out via rbldnsd.

Target Audience

This document is intended for system administrators responsible for controlling the DNS server(s) that handle general DNS resolution for their internal network. It generally assumes a basic understanding of rsync, rbldnsd, and DNS.

The documentation assumes that you are using a UNIX operating system and have installed the rsync and rbldnsd packages and the dig command from either the dnsutils or bind-utils package, depending on your operating system.

Firewall Requirements

To allow the client to reach our rsync servers, ensure that outgoing traffic on port 873/TCP is allowed from the system(s) performing the rsync. You should not limit this to specific destination IP addresses, as our IP addresses may change due to maintenance, relocations, supplier changes, attacks, etc.

Allow DNS traffic on 53/UDP only between the systems running rbldnsd and your internal DNS resolvers. Do not allow access from unknown clients outside of your network.

Instructions

Abusix will provide you with a script to manage the download of the zone files via rsync.

Download the script we provide to /usr/local/bin (or wherever you prefer to keep scripts like this) by running:

rsync -avz rsync.abusix.zone::scripts/getabusix.sh /usr/local/bin
rsync -avz rsync.abusix.zone::scripts/getabusix.conf /usr/local/etc
chmod +x /usr/local/bin/getabusix.sh

Edit the getabusix.conf file by configuring the following variables:

USERNAME and USERPASS should be set with the username and password supplied to you by Abusix.

DESTPATH should be set to the directory where the zone files should be placed once downloaded and verified. This should be where rbldnsd is configured to read them from. IMPORTANT: This directory must not contain any other files, as they will be removed when mirrored.

Once you have configured your values in the script, execute the script and attempt the initial download of files:

/usr/local/bin/getabusix.sh --debug

Once the script has run, check the log file and the zone files downloaded where you expected and correct them as necessary.

Once complete, set the script to run every minute via cron by running the following:

sudo crontab -e

Add:

* * * * * /usr/local/bin/getabusix.sh

Now the zone files are being rsync’d every minute.

rbldnsd configuration

Next, you will add the zones to the rbldnsd configuration.

These instructions will need to be modified depending on your OS, how rbldnsd is packaged, and if you are already using rbldnsd to serve other zones.

Edit the rbldnsd configuration at /etc/sysconfig/rbldnsd or /etc/default/rbldnsd.

The rbldnsd working directory will be in /var/lib/rbldns or /var/lib/rbldnsd.

Within this guide, we presume that the rbldnsd working directory is /var/lib/rbldnsd and that rbldnsd will be started with the -r option to chroot to this directory and that the DESTDIR for the script is set to /var/lib/rbldnsd/zones/abusix.

Open the rbldnsd configuration file (e.g. /etc/sysconfig/rbldnsd)

Add the following environment variable above the RBLDNSD= variable:

ABUSIX_ZONE=”mail.abusix.zone”

The parent DNS zone on which rbldnsd will answer queries to the Abusix Mail Intelligence zones will be mail.abusix.zone, You may also set the parent DNS zone to whatever you like, but you will need to configure your internal DNS servers to delegate this zone to your rbldnsd server(s).

You can configure rbldnsd with whichever zones you like or all of them. For this document, we will only cover combined, black, exploit, dynamic, dblack, shorthash, diskhash, authbl, and white, the process for adding any other list is the same.

Within the rbldnsd configuration file, add the Abusix lists by editing the RBLDNSD variable by the following to the end of the file:

black.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
exploit.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
dynamic.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone \
white.$ABUSIX_ZONE:combined:zones/abusix/white.zone \
authbl.$ABUSIX_ZONE:combined:zones/abusix/authbl.zone \
dblack.$ABUSIX_ZONE:combined:zones/abusix/dblack.zone \
shorthash.$ABUSIX_ZONE:combined:zones/abusix/shorthash.zone \
diskhash.$ABUSIX_ZONE:combined:zones/abusix/diskhash.zone \
nod.$ABUSIX_ZONE:combined:zones/abusix/nod.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone

Example

This is a working rbldnsd configuration file:

ABUSIX_ZONE="mail.abusix.zone"

RBLDNSD="- -a -f -b 0.0.0.0/5353 -r /var/lib/rbldnsd -l +logs/query.log -s +logs/stats.log \
black.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
exploit.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
dynamic.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone \
white.$ABUSIX_ZONE:combined:zones/abusix/white.zone \
authbl.$ABUSIX_ZONE:combined:zones/abusix/authbl.zone \
dblack.$ABUSIX_ZONE:combined:zones/abusix/dblack.zone \
shorthash.$ABUSIX_ZONE:combined:zones/abusix/shorthash.zone \
diskhash.$ABUSIX_ZONE:combined:zones/abusix/diskhash.zone \
nod.$ABUSIX_ZONE:combined:zones/abusix/nod.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone"

Once the configuration has been added, restart rbldnsd,

Check for errors

Check the log file for any errors.

In the example configuration above, rbldnsd listens on 0.0.0.0 UDP port 5353.

Check your configuration using the following dig command. You'll need to change the command depending on which port you have configured rbldnsd to listen on and which parent zone you configured.

$ dig -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1795;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0;; WARNING: recursion requested but not available;; QUESTION SECTION:;2.0.0.127.combined.mail.abusix.zone. IN A;; ANSWER SECTION:2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.22.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.32.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.42.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.112.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.12;; Query time: 0 msec;; SERVER: 127.0.0.1#5353(127.0.0.1);; WHEN: Tue Nov 20 22:30:25 CET 2018;; MSG SIZE rcvd: 85

The example shows

a successful “status: NOERROR.”

the combined list using standard test points returned results showing that the configuration works correctly.

You may repeat the dig test querying the “black,” "exploit,” “dynamic,” “white,” and “dblack” zones in place of “combined” to ensure that all the lists are functioning correctly.

DNS Server configuration

There are two methods to configure your internal DNS servers to send queries for the ABUSIX_ZONE you chose earlier. These methods are delegation or forwarding.

Delegation

This configuration method is recommended if you use DNSSEC internally.

This method also works with all types of DNS servers

rbldnsd MUST be listening on port 53

Create the necessary “glue” records by creating the “ABUSIX_ZONE” namespace locally in your DNS server, adding A records for each of your rbldnsd servers, and then adding NS for each zone that points to the A records.

Example configuration:

$ORIGIN mail.abusix.zone.
rbldnsd1  IN A  1.2.3.4
rbldnsd2  IN A  2.3.4.5
@         IN NS rbldnsd1
          IN NS rbldnsd2

Forwarding

This configuration method is easier to configure but more challenging to troubleshoot.

This method does not work with all DNS servers (e.g., Microsoft DNS Servers).

To use this method, you will configure your DNS server to “forward” all queries for “ABUSIX_ZONE” to your rbldnsd servers.

Example configuration for BIND servers

zone “mail.abusix.zone” {
    type forward;
    forward only;
    forwarders {
        1.2.3.4;
        2.3.4.5;
    };
};

You may run rbldnsd on a different port, allowing the forwarding to work correctly by specifying the forwarder as “1.2.3.4 port 5353;” instead of what we show in the example above.

Example configuration for Unbound

rbldnsd runs on the same host on port 5353 in this case.

# The following is required if forward-addr is 127.0.0.1
do-not-query-localhost: no
domain-insecure: "mail.abusix.zone."

forward-zone:
    name: "mail.abusix.zone."
    forward-addr: 127.0.0.1@5353

Test

Once you have configured your DNS servers, test to ensure that everything works by submitting a query to one of the test points (e.g. 2.0.0.127.combined.mail.abusix.zone). You should receive the same results as shown earlier.

Mail Server and Spam Filter Configuration

Once the tests work correctly, please follow the instructions to configure your email server to query the zones you have just configured.

Apply ACLs

Lastly, ensure that neither your rbldnsd server nor internal DNS servers allow queries against the Abusix Mail Intelligence zones from the external internet.

You may limit the external internet from querying your internal zones

In rbldnsd, applying ACLs limits which of your IP addresses are allowed to query rbldnsd.

Your DNS server will have similar functionality.

Using Beta zones

We allow all our customers access to test ideas we are working on via our beta zones; details of what beta zones are currently available and usage guidelines here.

To download the beta zones via rsync, you need to set the BETA_DESTPATH variable in getabusix.conf to the path that you would like to download the beta zone files to; this must be a different directly to the production zones e.g.

BETA_DESTPATH="/var/lib/rbldnsd/abusix-beta"

Once this has been set, run:

/usr/local/bin/getabusix.sh --debug

You should find the zones in the directory you configured; once this is done, you need to configure rbldnsd to serve out the beta zones you are interested in.