Posted to commits@spamassassin.apache.org by Apache Wiki <wi...@apache.org> on 2017/05/18 21:42:06 UTC

[Spamassassin Wiki] Update of "CachingNameserver" by Dave Jones

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Spamassassin Wiki" for change notification.

The "CachingNameserver" page has been changed by Dave Jones:
https://wiki.apache.org/spamassassin/CachingNameserver?action=diff&rev1=29&rev2=30

- = Caching Nameserver =
+ = Installing a Local Caching Nameserver =
  
+ <<TableOfContents()>>
- Often Spam``Assassin users will find that their system is performing
- many DNS (Domain Name System) lookups.  There are many NetworkTests
- in the suite of tests.  The network tests significantly enhance the
- ability of Spam``Assassin to correctly categorize messages.  One of
- the main network tests is to look up domain names in the DnsBlocklists.
  
+ SpamAssassin will perform many DNS lookups for NetworkTests to significantly improve scoring of messages primarily by DNSBlocklists like Spamhaus, SORBS, etc.  This information needs to be cached locally to improve performance and limit the number of DNS queries since some DNSBlockLists have limits on free usage.
- The DNS lookups can create a lot of network activity.  There are a few
- times when this can cause performance issues.  This question is often
- raised on the Spam``Assassin MailingLists.
  
-  * For users behind slow network connections the latency of the lookup can slow down the catagorization process.
+ NOTE: A local DNS server should not forward to other servers to ensure your queries are not combined with others.  Forwarding to other DNS servers usually results in URIBL_BLOCKED rule hit meaning you have gone over their free usage limit.
  
-  * For large sites processing many mail messages the volume of lookups can be a problem.
+ DNSmasq should not be used since it can only forward to other DNS servers.
  
+ == UNBOUND ==
+ Packaging varies slightly between distributions so refer Internet articles for details and current information for your OS version.  The default configuration files should give us a desired caching non-forwarding DNS server listening locally only.
- Often the same information is being looked up again and again.
- Needing to do a completely lookup of the same data repeatedly is
- inefficient.
  
- The standard solution is to install a local caching nameserver to
- cache repeated DNS requests.  This will significantly reduce network
- traffic due to DNS lookups.  This improves system efficiency.
+ Debian/Ubuntu:
+ {{{
+ apt-get install unbound
+ systemctl enable unbound
+ systemctl start unbound
+ }}}
+ RHEL/CentOS:
+ {{{
+ yum install unbound
+ chkconfig unbound on
+ service unbound start
+ }}}
+ Fedora:
+ {{{
+ dnf install unbound
+ systemctl enable unbound
+ systemctl start unbound
+ }}}
  
- == Installing BIND as a Caching Nameserver ==
+ == PowerDNS Recursor ==
+ Default PowerDNS Recursor installs should be the desired non-forwarding caching only DNS server listening only on localhost.  Refer to other online articles for details about the config files and settings specific to your OS version.
+ 
+ Debian/Ubuntu:
+ {{{
+ apt-get install pdns-recursor
+ systemctl enable pdns-recursor
+ systemctl start pdns-recursor
+ }}}
+ RHEL/CentOS:
+ {{{
+ yum install pdns-recursor
+ chkconfig pdns-recursor on
+ service pdns-recursor start
+ }}}
+ Fedora:
+ {{{
+ dnf install pdns-recursor
+ systemctl enable pdns-recursor
+ systemctl start pdns-recursor
+ }}}
+ 
+ == BIND ==
  
  This section describes installing [[http://www.isc.org|BIND]] (Berkeley
  Internet Name Domain) in a caching configuration on the system.  BIND
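Review bot: the new NOTE on the URIBL_BLOCKED line attributes the hit to the reader ("meaning you have gone over their free usage limit"), but the limit is applied to the source address the list provider sees, which when forwarding is the shared upstream resolver, so the hit means that resolver's aggregate query volume is over the limit, not necessarily this site's own. Suggest rewording to something like: `Forwarding usually results in a URIBL_BLOCKED hit, which means the resolver your queries pass through has exceeded the list's free usage limit.` Smaller points in the same region: "refer Internet articles" in the UNBOUND paragraph should read "refer to Internet articles"; and rather than asserting that the default configuration files "should give us" a non-forwarding server, tell the reader what to verify, namely that no forwarding is configured (for unbound, no `forward-zone:` stanza) and that the daemon listens only on 127.0.0.1, since distribution defaults differ. The RHEL/CentOS blocks also use `chkconfig`/`service` while the other distributions use `systemctl`; if those blocks are meant to cover systemd-based releases too, add the `systemctl` form alongside.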
@@ -46, +76 @@

  nameserver suitable for Internet use.  After installation the daemon
  will be configured and running.
  
- === Red Hat and Fedora Core GNU/Linux ===
+ === Red Hat and Fedora GNU/Linux ===
  
  On [[http://www.redhat.com|Red Hat]] and [[http://fedora.redhat.com|Fedora]] systems the BIND
  software is in the "bind" rpm package.  The "caching-nameserver" rpm
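Review bot: the heading drops "Core", but the context lines still reference the "caching-nameserver" rpm and the fedora.redhat.com URL. If the intent is to modernize this subsection, verify that the package name and link still apply to current Fedora and Red Hat releases; otherwise the renamed heading promises more currency than the body delivers.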
@@ -98, +128 @@

  
  The daemon can be configured with the files {{{/etc/conf.d/dnsmasq}}} and {{{/etc/dnsmasq.conf}}}.
  
- == Installing djbdns as a Caching Nameserver ==
+ == djbdns ==
  
  [[http://cr.yp.to/djbdns.html|djbdns]]/[[http://tinydns.org/|tinydns]] is D. J. Bernstein's DNS daemon.
  
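Review bot: the dnsmasq section is kept here (see the context line referencing `/etc/conf.d/dnsmasq` and `/etc/dnsmasq.conf`) even though the new text at the top of the page states "DNSmasq should not be used since it can only forward to other DNS servers." Either remove the dnsmasq install instructions or keep them with a one-line cross-reference to that note, so a reader who lands on this section from the table of contents does not set up the forwarding-only configuration the page warns against. The djbdns heading rename itself is fine.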
@@ -125, +155 @@

  dnscache-conf dnscache dnslog /service/dnscache 127.0.0.1
  }}}
  
- == Installing rbldnsd as a Caching Nameserver ==
+ == rbldnsd ==
  
  [[http://www.corpit.ru/mjt/rbldnsd.html|rbldnsd]] is a small and fast DNS daemon written by Michael Tokarev which is especially made to serve DNSBL zones. This daemon was inspired by Dan J. Bernstein's rbldns program found in the djbdns package.  The [[http://www.surbl.org/links.html|SURBL links page]] under "Mirroring RBL zone files locally" references several How-Tos for setting up rbldnsd and rsnyc in different environments including FreeBSD, Solaris, etc.  NJABL also has a document about [[http://njabl.org/rsync.html|setting up rbldnsd and rsync]] for use with RBLs.
  
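Review bot: typo in the context line, "rsnyc" should be "rsync". Also, since the body says rbldnsd is "especially made to serve DNSBL zones", i.e. it serves local copies of the lists rather than caching arbitrary lookups, the shortened heading is accurate, but a sentence stating that it complements rather than replaces the caching resolvers in the sections above would help readers who reach this section directly.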
@@ -134, +164 @@

  If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.
  
  
- == Setting up the system to use the Caching Nameserver ==
+ = Using the Local Caching Nameserver =
  
+ SpamAssassin local.cf
- === GNU C library configuration ===
- 
- For the current glibc version 6 the host lookup ordering is configured
- in the /etc/nsswitch.conf file.  The typical configuration would
- specify the local system file first and the network DNS database
- second.
- 
  {{{
- hosts:          files dns
+ dns_available yes
  }}}
  
+ /etc/resolv.conf
- The older glibc version 5 library configured host lookup ordering in
- the /etc/host.conf.  This library is now obsolete.  But your system
- will probably provide this file for compatibility to enable older
- programs linked against the older library.
- 
  {{{
- order hosts,bind
+ search example.com
+ nameserver 127.0.0.1
  }}}
  
- ==== /etc/resolv.conf ====
+ NOTE: Make sure DHCP is not changing the ''nameserver'' setting in the /etc/resolv.conf away from 127.0.0.1.
  
- The /etc/resolv.conf file configures the nameserver used to look up
- DNS data.  A typical system contains a '''search''' line to specify
- the local domain.  It also contains up to three '''nameserver''' lines
- to configure nameservers.  Because we are setting up a local caching
- nameserver only one entry is needed.  The {{{0.0.0.0}}} entry
- specifies that the nameserver on the local host will be contacted for
- DNS lookups.
- 
- {{{
- search example.com
- nameserver 0.0.0.0
- }}}
- 
- Note that if your host uses a client configuration with DHCP to
- configure networking that this file may be overwritten by the DHCP
- client on the local host every time the network is enabled.  See your
- DHCP documentation for more information.
- 
- ==== /etc/hosts ====
- 
- The /etc/hosts file is the original location for DNS data.  However it
- is not used generally for DNS lookups on modern systems.  It is
- impossible to keep the entire Internet database there.  But it is
- still used for a small amount of local system data.
- 
- Typically the localhost loopback address is stored there and nothing
- more.  However it is acceptable to configure a small number of local
- network systems there and that is typical on small network sites.
- Here is an example /etc/hosts file.
- 
- {{{
- 127.0.0.1	localhost
- }}}
- 
- 
- ==== Using only your ISP DNS servers ====
- 
- Sometimes is better to always use your ISP DNS servers, because you may have a faster connection to your ISP's DNS servers than to the DNS Root servers and it helps create a large site-wide cache and reduces traffic to outside nameservers.
- 
- Here are the BIND named.conf options to only resolve using your ISP DNS Servers, the response is always cached in your local DNS Caching server:
- 
- {{{
- options {
- ...
-   forward only;
-   forwarders {
-     IP_DNS_1;
-     IP_DNS_2;
-   };
- ...
- };
- }}}
- 
- However, if you have a large ISP or are using a public DNS server having many users who are also doing DNSBL lookups, and the ISP / DNS host has not registered with the DNSBL provider as a paid client, the aggregate traffic from those nameservers may exceed the free usage limits imposed by the DNSBL provider and lookups may start returning invalid results. This could lead to large numbers of incorrectly-classified messages.
- 
- ==== Non-forwarding ====
- 
- If you have a large ISP or are using large public DNS provider(s) it is recommended you ''not'' forward mail-related DNS traffic through their DNS servers (though non-mail DNS traffic from your site shouldn't have problems.)  With bind, this means not having any "forwarders" listed. Or, at a minimum, you could create exemptions by defining empty forwarders for DNSBL zones, like this:
- 
- {{{
- /* Disable forwarding for DNSBL queries */
- zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
- zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
- zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
- zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
- zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
- zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
- zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
- zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
- zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
- zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
- zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
- zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
- }}}
-
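Review bot: removing the "Non-forwarding" block (the per-zone `type forward; forward first; forwarders {};` entries) drops the only documented way to keep DNSBL queries off a shared upstream resolver while still forwarding ordinary traffic, which is exactly the situation the new top-of-page NOTE warns about; sites on networks where full recursion is not permitted lose that option. Suggest moving that block into the BIND section rather than deleting it, trimming the zone list to lists that are still in service. The change from `nameserver 0.0.0.0` to `nameserver 127.0.0.1` in resolv.conf is a correct fix. For the DHCP NOTE, the deleted text's point that the DHCP client rewrites /etc/resolv.conf every time the network is enabled is worth keeping, since it tells the reader when the setting will be lost and where to look.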