Usually on a primary nameserver for a number of domains, you shouldn’t be using the local nameserver for your DNS lookups. The reason for this is that if a domain is transferred away from the nameserver without your knowledge, any local lookups for that domain will continue to give the old results and this could end up sending email to the wrong server or worse.
One option is to set /etc/resolv.conf
to point to some public nameservers such as Google’s 8.8.8.8 and 8.8.4.4, Cloudflare’s 1.1.1.1 or IBM’s 9.9.9.9. This works fine until you want to use the same server to provide email services using spamassassin. At this point, spamassassin will use /etc/resolv.conf
to determine which nameservers to query for things like URIBL (the URI block list at uribl.com). Unfortunately if you are using the same nameservers as a lot of other people, the IP that queries the block list will be blacklisted due to query volume and you’ll end up with an error like the following:
ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
Running spamassassin and processing emails will result in a URIBL_BLOCKED rule showing in the headers with the other rules that were triggered.
A simple workaround that doesn’t involve too much of a change is to install a lightweight resolver, bind it to an internal IP such as 127.0.0.2 and set this as your default nameserver in /etc/resolv.conf
The following instructions apply to CentOS 7 but something similar should work for other Linux distributions. First install the PowerDNS Recursor. It doesn’t matter what your existing nameserver software is, I have BIND running but it could easily be something else.
[root@server ~]# yum install pdns-recursor
Now edit the configuration file /etc/pdns-recursor/recursor.conf
to change the IP address that it binds to. Simply find the part of the file for the option local-address, uncomment it and change to read:
################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.2
Next create a new loopback alias for the IP 127.0.0.2 by creating the file /etc/sysconfig/network-scripts/ifcfg-lo:0
with the following content:
DEVICE=lo:0
IPADDR=127.0.0.2
NETMASK=255.255.255.255
ONBOOT=yes
NAME=dnsloopback
BOOTPROTO=static
Bring the interface up and then start the PowerDNS Recursor daemon.
[root@server ~]# ifup lo:0
[root@server ~]# systemctl enable pdns-recursor
[root@server ~]# systemctl start pdns-recursor
If it’s configured correctly, you should be able to query 127.0.0.2 with the following command:
[root@server ~]# host -t TXT test.uribl.com.multi.uribl.com 127.0.0.2
Using domain server:
Name: 127.0.0.2
Address: 127.0.0.2#53
Aliases:
test.uribl.com.multi.uribl.com descriptive text "permanent testpoint"
If this works, the final step is to change your local resolver to use 127.0.0.2 instead of whatever it’s currently set to. Any queries for domains hosted locally will go to the PowerDNS Recursor which will then query the root nameservers and then the original nameserver software on your local server. If the domain has been moved away but you still have the zone locally, the PowerDNS Recursor running on 127.0.0.2 will simply query the new nameserver instead of your local one.
Edit /etc/resolv.conf
– comment out any existing nameserver lines and add one that reads:
nameserver 127.0.0.2
It’s possible that you might need to restart spamassassin for it to take effect. This can be done using:
[root@server ~]# systemctl restart spamassassin