Preface
This technical document describes how to receive a feed of Guardian Mail via rsync and to serve the zones out via rbldnsd.

Target Audience
This document is intended for system administrators responsible for the DNS server(s) that handle general DNS resolution for their internal network. It assumes a basic understanding of rsync, rbldnsd, and DNS. It also assumes that you are using a UNIX operating system and have installed the rsync and rbldnsd packages and the dig command (from the dnsutils or bind-utils package, depending on your operating system).

Firewall Requirements
To allow the client to reach our rsync servers, allow outgoing traffic on port 873/TCP from the system(s) performing the rsync. Do not restrict this to specific destination IP addresses, as our IP addresses may change due to maintenance, relocations, supplier changes, attacks, etc. Allow DNS traffic on 53/UDP (or whichever port you bind rbldnsd to) only between the systems running rbldnsd and your internal DNS resolvers. Do not allow access from unknown clients outside of your network.

Instructions
Abusix will provide you with a script to manage the download of the zone files via rsync. Download the script we provide to /usr/local/bin (or wherever you prefer to keep scripts like this) by running the command supplied with it. Then set the following variables in the script:

- USERNAME and USERPASS should be set to the username and password supplied to you by Abusix.
- DESTPATH should be set to the directory where the zone files should be placed once downloaded and verified. This should be the directory rbldnsd is configured to read them from. IMPORTANT: This directory must not contain any other files, because the mirror deletes everything that is not present on the Abusix side.
rbldnsd configuration
Next, you will add the zones to the rbldnsd configuration. These instructions will need to be modified depending on your OS, how rbldnsd is packaged, and whether you are already using rbldnsd to serve other zones. Edit the rbldnsd configuration at /etc/sysconfig/rbldnsd or /etc/default/rbldnsd. The rbldnsd working directory will be /var/lib/rbldns or /var/lib/rbldnsd. Within this guide, we presume that the rbldnsd working directory is /var/lib/rbldnsd, that rbldnsd is started with the -r option to chroot to this directory, and that DESTPATH in the script is set to /var/lib/rbldnsd/zones/abusix. Because rbldnsd opens its zone files after chrooting, the file paths in its zone arguments are relative to the chroot directory (zones/abusix/..., not /var/lib/rbldnsd/zones/abusix/...).

Open the rbldnsd configuration file (e.g. /etc/sysconfig/rbldnsd) and add the following environment variable above the RBLDNSD= variable:

- Check for errors after restarting rbldnsd.
- Check the log file for any errors.
- Query a test point directly against rbldnsd, as in the following example.
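The following is an added example and not Abusix's script or the sysconfig file your package ships. It derives the rbldnsd argument string for the chroot layout assumed above and checks that layout before rbldnsd is started. Everything named in it is an assumption to replace with your own values: the working directory /var/lib/rbldnsd, DESTPATH=/var/lib/rbldnsd/zones/abusix, ABUSIX_ZONE=abusix.zone, the dataset type ip4set, the zone file name combined.mail.abusix.zone, and the service user rbldns; the real zone names, file names, and dataset types come with the Abusix script.

```shell
#!/bin/sh
# Added example, not Abusix's script or the packaged sysconfig file. Derives
# the rbldnsd arguments for the chroot layout this guide assumes and checks
# the layout before rbldnsd is started. Assumed values (substitute your own):
# working directory /var/lib/rbldnsd, DESTPATH=/var/lib/rbldnsd/zones/abusix,
# ABUSIX_ZONE=abusix.zone, dataset type ip4set, zone file name
# combined.mail.abusix.zone and service user rbldns.

RBLDNSD_ROOT="${RBLDNSD_ROOT:-/var/lib/rbldnsd}"
DESTPATH="${DESTPATH:-/var/lib/rbldnsd/zones/abusix}"
ABUSIX_ZONE="${ABUSIX_ZONE:-abusix.zone}"
LISTEN="${LISTEN:-127.0.0.1/5353}"   # -b address/port: bind to an internal address only

# rbldnsd opens its zone files after chroot(2) into RBLDNSD_ROOT, so the path
# in the zone argument must be relative to that directory. A DESTPATH outside
# the chroot is refused, since rbldnsd could never read it.
chroot_relative() {   # chroot_relative ROOT ABSPATH
    root="${1%/}"
    abs="$2"
    case "$abs" in
        "$root"/*) printf '%s\n' "${abs#"$root"/}" ;;
        *) printf 'error: %s is outside the chroot %s\n' "$abs" "$root" >&2; return 1 ;;
    esac
}

# One rbldnsd zone argument in its name:dataset:file form.
zone_spec() {   # zone_spec ZONE DATASET FILE
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# The argument string for the RBLDNSD= line of the sysconfig file (or for an
# init script). -r chroots, -b sets the listening socket, -u drops privileges
# to the service user, -c makes rbldnsd re-check the zone files every 60 s so
# that a fresh rsync is picked up without a restart.
rbldnsd_args() {
    rel=$(chroot_relative "$RBLDNSD_ROOT" "$DESTPATH") || return 1
    spec=$(zone_spec "combined.mail.$ABUSIX_ZONE" ip4set "$rel/combined.mail.abusix.zone")
    printf '%s\n' "-r $RBLDNSD_ROOT -b $LISTEN -u rbldns -c 60 $spec"
}

# Pre-flight check: every zone file must exist under DESTPATH and be readable
# by the unprivileged user, otherwise rbldnsd logs an error and serves nothing.
preflight() {
    [ -d "$DESTPATH" ] || { echo "missing $DESTPATH" >&2; return 1; }
    for f in "$DESTPATH"/*; do
        [ -r "$f" ] || { echo "unreadable zone file: $f" >&2; return 1; }
    done
}

# Usage (as root): preflight && rbldnsd $(rbldnsd_args)
```

The point of chroot_relative is the mistake that most often leaves rbldnsd running but answering nothing: handing it the absolute DESTPATH together with -r, which makes it look for /var/lib/rbldnsd/var/lib/rbldnsd/zones/abusix/... inside the chroot.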
```
$ dig -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1795
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;2.0.0.127.combined.mail.abusix.zone. IN A

;; ANSWER SECTION:
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.2
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.3
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.4
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.11
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.12

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Tue Nov 20 22:30:25 CET 2018
;; MSG SIZE  rcvd: 85
```
The example shows:

- a successful "status: NOERROR", i.e. rbldnsd is authoritative for the zone and answered the query.
- the combined list, queried with the standard 127.0.0.2 test point, returning its listing codes, which shows that the configuration works correctly.
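The manual check above, as an added example that is not part of the Abusix guide: a script that runs the same test point query and fails unless the answer is NOERROR and carries exactly the codes shown above. It serves both this step and the later re-test through your resolver (point SERVER and PORT at the resolver then). The A-record parser is exercised against the dig output above, re-embedded here as a constructed sample so the check can be tested without a running rbldnsd; the expected code set is taken from that output.

```shell
#!/bin/sh
# Added example, not part of the Abusix guide. Turns the manual dig check into
# a script: it extracts the A records from dig's answer and compares them with
# the codes the dig output above shows for the 127.0.0.2 test point.

TESTPOINT="2.0.0.127.combined.mail.abusix.zone"
EXPECTED="127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.11 127.0.0.12"   # from the output above

# The RCODE from dig's HEADER line (NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...).
dig_status() {   # dig_status < dig-output
    awk '/->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { s = $(i+1); sub(/,$/, "", s); print s } }'
}

# The A-record values answered for TESTPOINT, deduplicated and ordered by last
# octet so the comparison does not depend on the order rbldnsd emits them.
rbl_codes() {    # rbl_codes < dig-output
    awk -v q="$TESTPOINT." '$1 == q && $4 == "A" { print $5 }' \
        | sort -t . -k 4,4n | uniq | tr '\n' ' ' | sed 's/ *$//'
}

# Succeeds only if the answer is NOERROR and carries exactly the expected codes:
# a missing code means a zone file is stale or not loaded, an extra one a zone
# you did not intend to serve under this name.
check_testpoint() {   # check_testpoint < dig-output
    out=$(cat)
    [ "$(printf '%s\n' "$out" | dig_status)" = "NOERROR" ] &&
        [ "$(printf '%s\n' "$out" | rbl_codes)" = "$EXPECTED" ]
}

# Live query; the defaults match the dig command above (rbldnsd on 127.0.0.1:5353).
query_testpoint() {   # query_testpoint [SERVER] [PORT]
    dig -p "${2:-5353}" "@${1:-127.0.0.1}" "$TESTPOINT" A
}

# Constructed sample: the dig output shown above, re-embedded for offline tests.
sample_dig() {
cat <<'EOF'
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1795
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2.0.0.127.combined.mail.abusix.zone. IN A
;; ANSWER SECTION:
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.2
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.3
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.4
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.11
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.12
EOF
}

# Usage: query_testpoint 127.0.0.1 5353 | check_testpoint && echo "test point OK"
```

Run it from cron or your monitoring system after each rsync: an rbldnsd that is up but serving an empty or outdated zone still answers, just with the wrong code set, which is what this check catches and a simple port probe does not.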
DNS Server configuration
There are two methods to configure your internal DNS servers to send queries for the ABUSIX_ZONE you chose earlier: delegation or forwarding.

Delegation
This configuration method is recommended if you use DNSSEC internally (a validating resolver does not validate a zone it serves itself, whereas forwarded answers are validated against the public namespace), and it works with all types of DNS servers. rbldnsd MUST be listening on port 53, because an NS record names only a host, not a port. Create the necessary "glue" records by creating the "ABUSIX_ZONE" namespace locally in your DNS server, adding A records for each of your rbldnsd servers, and then adding NS records for each zone that point to those A records. Example configuration:

Forwarding
This configuration method is easier to configure but harder to troubleshoot, and it does not work with all DNS servers (e.g., Microsoft DNS Servers). To use it, configure your DNS server to "forward" all queries for "ABUSIX_ZONE" to your rbldnsd servers.

Example configuration for BIND servers
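Both methods for BIND, as an added example; this is not the configuration Abusix ships, which is not reproduced on this page. It assumes that ABUSIX_ZONE is abusix.zone, that two rbldnsd servers listen on port 53 at 192.0.2.10 and 192.0.2.11 (documentation addresses, substitute your own), that this resolver is 10.0.0.53, and that your clients sit in 10.0.0.0/8. The zone file is needed for delegation only; use one of the two zone stanzas for abusix.zone, never both.

```conf
// --- named.conf (BIND) -------------------------------------------------
// Added example, not Abusix's configuration. Assumed values: ABUSIX_ZONE is
// abusix.zone, rbldnsd hosts 192.0.2.10 and 192.0.2.11 on port 53, clients in
// 10.0.0.0/8.

// Method 1: delegation. This resolver is authoritative for abusix.zone and
// delegates combined.mail.abusix.zone to the rbldnsd hosts through the NS and
// glue A records in the zone file below.
zone "abusix.zone" {
    type master;
    file "/etc/bind/db.abusix.zone";
    allow-query { 10.0.0.0/8; localhost; };   // never expose these zones externally
};

// Method 2: forwarding (use instead of the stanza above, not as well).
// "forward only" stops BIND from falling back to public recursion when the
// rbldnsd hosts are down; with plain "forward first" every IP your mail
// servers look up would then be sent to the public DNS.
zone "abusix.zone" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

;; --- /etc/bind/db.abusix.zone (zone file, method 1 only) ----------------
$TTL 300
@               IN SOA   ns1.abusix.zone. hostmaster.abusix.zone. (
                         2024010101 3600 900 604800 300 )
@               IN NS    ns1.abusix.zone.
ns1             IN A     10.0.0.53              ; this resolver
rbl1            IN A     192.0.2.10             ; glue: rbldnsd server 1
rbl2            IN A     192.0.2.11             ; glue: rbldnsd server 2
combined.mail   IN NS    rbl1.abusix.zone.      ; delegate the Guardian Mail zone
combined.mail   IN NS    rbl2.abusix.zone.
```

If the forwarding resolver validates DNSSEC, rbldnsd's unsigned answers for abusix.zone are checked against the public chain of trust; BIND 9.14 and later can exempt the namespace with `validate-except { "abusix.zone"; };` in the options block, which is the reason the delegation method is recommended for DNSSEC deployments.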
Example configuration for Unbound
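The forwarding method for Unbound, as an added example rather than Abusix's own configuration. It assumes ABUSIX_ZONE is abusix.zone, rbldnsd on the same host at 127.0.0.1 port 5353, and resolver clients in 10.0.0.0/8 (example values, substitute your own).

```conf
# unbound.conf -- added example, not Abusix's configuration. Assumed values:
# ABUSIX_ZONE is abusix.zone, rbldnsd on this host at 127.0.0.1 port 5353,
# resolver clients in 10.0.0.0/8.
server:
    # Unbound never sends queries to 127.0.0.0/8 by default, so a forward-zone
    # pointing at a local rbldnsd fails with SERVFAIL unless this is switched off.
    do-not-query-localhost: no
    # rbldnsd's answers are unsigned; a validating Unbound would otherwise try
    # to validate them against the public DNSSEC chain.
    domain-insecure: "abusix.zone"
    # Only your own clients may ask; everyone else is refused by default.
    access-control: 10.0.0.0/8 allow

forward-zone:
    name: "abusix.zone"
    forward-addr: 127.0.0.1@5353
```

After reloading, the test point query against the resolver should return the same codes as the direct rbldnsd query; a SERVFAIL here is almost always one of the two server options above missing.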
rbldnsd runs on the same host on port 5353 in this case.

Test
Once you have configured your DNS servers, test that everything works by submitting a query for one of the test points (e.g. 2.0.0.127.combined.mail.abusix.zone) to your resolver. You should receive the same results as shown earlier.

Mail Server and Spam Filter Configuration
Once the tests work correctly, please follow the instructions to configure your email server to query the zones you have just configured.

Apply ACLs
Lastly, ensure that neither your rbldnsd server nor your internal DNS servers allow queries against the Guardian Mail zones from the external internet. Limit who can query these zones:

- In rbldnsd, applying ACLs limits which of your IP addresses are allowed to query rbldnsd; binding it to an internal address with -b limits exposure at the network level as well.
- Your DNS server will have similar functionality (e.g. allow-query in BIND, access-control in Unbound).