Installing a Local Caching Nameserver
SpamAssassin performs many DNS lookups for NetworkTests, which significantly improve the scoring of messages, primarily through DNS blocklists such as Spamhaus and SORBS. These answers need to be cached locally to improve performance and to limit the number of DNS queries, since some DNS blocklists have limits on free usage.
NOTE: A local DNS server should not forward to other servers, so that your queries are not combined with those of others. Forwarding to other DNS servers usually results in a URIBL_BLOCKED rule hit, meaning you have gone over their free usage limit.
dnsmasq should not be used since it can only forward to other DNS servers.
UNBOUND
Packaging varies slightly between distributions, so refer to Internet articles for details and current information for your OS version. The default configuration files should give the desired caching, non-forwarding DNS server listening locally only.
Debian/Ubuntu:
apt-get install unbound
systemctl enable unbound
systemctl start unbound
RHEL/CentOS:
yum install unbound
chkconfig unbound on
service unbound start
Fedora:
dnf install unbound
systemctl enable unbound
systemctl start unbound
PowerDNS Recursor
A default PowerDNS Recursor install should give the desired non-forwarding, caching-only DNS server listening only on localhost. Refer to other online articles for details about the config files and settings specific to your OS version.
Debian/Ubuntu:
apt-get install pdns-recursor
systemctl enable pdns-recursor
systemctl start pdns-recursor
RHEL/CentOS:
yum install pdns-recursor
chkconfig pdns-recursor on
service pdns-recursor start
Fedora:
dnf install pdns-recursor
systemctl enable pdns-recursor
systemctl start pdns-recursor
BIND
This section describes installing BIND (Berkeley Internet Name Domain) in a caching configuration on the system. BIND is the standard nameserver in use on the Internet today; more Internet servers run BIND than any other nameserver daemon. Several alternative DNS nameservers in common use are described in their own sections elsewhere on this page.
Debian GNU/Linux
The Debian system uses APT (Advanced Package Tool) to manage packages. The following commands will install BIND (Berkeley Internet Name Domain) version 9 on the system.
apt-get update
apt-get install bind9
The default configuration for the Debian package installs a caching nameserver suitable for Internet use. After installation the daemon will be configured and running.
Red Hat and Fedora GNU/Linux
On Red Hat and Fedora systems the BIND software is in the "bind" rpm package. The "caching-nameserver" rpm package contains a caching nameserver configuration suitable for Internet use. Locate those packages from your vendor and install them. The http://rpmfind.net rpm search site is very useful for locating rpms for your system.
On Red Hat the following commands will install BIND and a caching nameserver configuration on the system. The version numbers in the example are illustrative only; use the current package versions for your system release. This example shows a typical installation on RH9.
After installation the daemon will need to be configured and started. The following commands will configure the BIND name daemon to be started at system boot time and then will start the daemon.
rpm -Uvh bind-9.2.1-16.i386.rpm
rpm -Uvh caching-nameserver-7.2-7.i386.rpm
chkconfig named on
service named start
If you have yum installed, you can use the following commands to install and enable the latest caching nameserver package. yum will take care of installing any required dependencies (including the BIND named package).
yum install caching-nameserver
chkconfig named on
service named start
BIND Resources
Gentoo Linux
On Gentoo the dnsmasq package is called "net-dns/dnsmasq".
emerge net-dns/dnsmasq
rc-update add dnsmasq default
The daemon can be configured with the files /etc/conf.d/dnsmasq and /etc/dnsmasq.conf.
djbdns
djbdns/tinydns is D. J. Bernstein's DNS daemon.
If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.
Debian GNU/Linux
To install djbdns on Debian you need to fetch (with apt, for example) the packages "daemontools-installer" and "djbdns-installer". What these packages do is fetch the source code, compile it, and create Debian packages for both daemontools and djbdns. After installing those packages, you can issue the commands "build-daemontools" and "build-djbdns", which will create the final Debian packages and prompt for installation. Example:
apt-get update
apt-get install djbdns-installer daemontools-installer
build-daemontools
build-djbdns
Note that you may keep and reuse (just not redistribute) the Debian packages created with the installer packages.
After installing djbdns, you need to create the "dnscache" instance under /service. Supposing you want the cache to listen on the loopback device, you would do:
dnscache-conf dnscache dnslog /service/dnscache 127.0.0.1
rbldnsd
rbldnsd is a small and fast DNS daemon written by Michael Tokarev which is especially made to serve DNSBL zones. This daemon was inspired by Dan J. Bernstein's rbldns program found in the djbdns package. The SURBL links page under "Mirroring RBL zone files locally" references several How-Tos for setting up rbldnsd and rsync in different environments including FreeBSD, Solaris, etc. NJABL also has a document about setting up rbldnsd and rsync for use with RBLs.
rbldnsd uses far less memory and CPU, and is much quicker in responding to queries than BIND. Those are reasons why rbldnsd is widely used for public and private mirroring of RBL zone files. A common rule of thumb is that the overhead of doing rbldnsd and rsync becomes worthwhile for mail systems that process more than 100,000 messages per day. Some RBLs impose a minimum daily message count before allowing rsync access for local mirroring of their zone files. Some RBLs charge a subscription fee for access. Others don't. Please check with the RBL operators as appropriate.
If you have a good guide to the commands required to install this on a typical system, please edit this page and fill out this section.
Using the Local Caching Nameserver
SpamAssassin local.cf
dns_available yes
/etc/resolv.conf
search example.com
nameserver 127.0.0.1
NOTE: Make sure DHCP is not changing the nameserver setting in /etc/resolv.conf away from 127.0.0.1.
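As an added example (not from this wiki page), a POSIX shell script that checks the two requirements set out above: that /etc/resolv.conf points only at loopback, and that the resolver's config contains no forwarding directives (the cause of the URIBL_BLOCKED hit described in the note at the top of the page). It also interprets a URIBL answer the way the URIBL_BLOCKED rule does; the live probe assumes dig is installed and uses URIBL's test entry test.uribl.com, which this page does not mention.

```shell
#!/bin/sh
# Added example, not from the SpamAssassin wiki: checks for the local,
# non-forwarding resolver setup on this page. Paths are arguments.

# Return 0 when every nameserver in the given resolv.conf is loopback
# (127.0.0.1 or ::1) and at least one nameserver line exists.
resolv_is_local_only() {
    count=0
    while read -r key value _; do
        [ "$key" = nameserver ] || continue
        count=$((count + 1))
        case "$value" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done < "$1"
    [ "$count" -gt 0 ]
}

# Return 0 when the resolver config is readable and has no forwarding
# directive. Covers the daemons on this page: unbound (forward-zone:/
# forward-addr:), PowerDNS Recursor (forward-zones*=) and BIND
# (forwarders { ... };). Commented-out lines do not match the anchor.
resolver_has_no_forwarders() {
    [ -r "$1" ] && ! grep -Eq '^[[:space:]]*(forward-zone:|forward-addr:|forward-zones(-recurse|-file)?=|forwarders[[:space:]]*[{])' "$1"
}

# Classify an A answer from URIBL (multi.uribl.com): 127.0.0.1 means the
# list refused the query (what SpamAssassin's URIBL_BLOCKED rule matches),
# any other 127.0.0.x means listed, and no answer means not listed.
classify_uribl_answer() {
    case "$1" in
        "")        echo not-listed ;;
        127.0.0.1) echo blocked ;;
        127.0.0.*) echo listed ;;
        *)         echo unexpected ;;
    esac
}

# Live probe through the local resolver. Assumes dig is installed and uses
# URIBL's test entry test.uribl.com, which this page does not mention.
uribl_live_check() {
    classify_uribl_answer "$(dig +short @127.0.0.1 test.uribl.com.multi.uribl.com A | head -n 1)"
}

if [ "${1:-}" = "--check" ]; then   # e.g. ./dnscheck.sh --check /etc/unbound/unbound.conf
    resolv_is_local_only /etc/resolv.conf && echo "resolv.conf: loopback only" || echo "resolv.conf: non-local nameserver present"
    resolver_has_no_forwarders "${2:-/etc/unbound/unbound.conf}" && echo "resolver: no forwarders" || echo "resolver: forwarding configured or config unreadable"
    echo "URIBL lookup via 127.0.0.1: $(uribl_live_check)"
fi
```

A "blocked" result from the live probe while resolv.conf and the resolver config both pass usually means the cache was recently forwarding, or the host shares an egress address with other mail systems querying the same list.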