Preface 

This technical document describes how to receive a feed of Abusix Mail Intelligence via rsync and to serve the zones out via rbldnsd.

Target Audience

This document is aimed at System Administrators and requires you to be in control of the DNS server(s) handling general DNS resolution for your internal network and presumes an understanding of the basics of rsync, rbldnsd, and DNS in general.

We presume in the documentation that you are using a UNIX OS, and have rsync and rbldnsd packages installed; along with the dig command from the dnsutils or bind-utils package depending on your OS.

Firewall Requirements

Ensure that outgoing traffic on port 873/tcp is allowed from the system(s) performing the rsync so that the client may reach our rsync servers.  You cannot and should not limit this to specific destination IP addresses as our IP addresses will change either because of maintenance, relocations, supplier changes, attacks, etc.

DNS traffic on 53/udp should only be allowed between the systems running rbldnsd and your internal DNS resolvers. Access should not be allowed from unknown clients outside of your network.

Instructions

Abusix will provide you with a script to manage the download of the zone files via rsync. 

Download the script we provide to /usr/local/bin (or wherever you prefer to keep scripts like this) by running:

rsync -avz rsync.abusix.zone::scripts/getabusix.sh /usr/local/bin
rsync -avz rsync.abusix.zone::scripts/getabusix.conf /usr/local/etc
chmod +x /usr/local/bin/getabusix.sh

Edit the getabusix.conf file, you will find a set of environment variables need to be configured.  They are:

  • USERNAME and USERPASS should be set the username and password supplied to you by Abusix.
  • DESTPATH should be set to the directory where the zone files should be placed once they have been downloaded and verified.  This should be where rbldnsd is configured to read them from.  IMPORTANT:  This directory must not contain any other files as they will be removed when the directory is mirrored.

Once you have configured your values in the script, execute the script and attempt the initial download of files:

/usr/local/bin/getabusix.sh --debug

Once the script has run, check the log file and that the zone files have downloaded where you expected and correct as necessary.   

Once complete, set the script to run every minute via cron by running:

sudo crontab -e

Add:

* * * * * /usr/local/bin/getabusix.sh

Now the zones files are being rsync’d every minute.

rbldnsd configuration

Next, you will add the zones to the rbldnsd configuration.  

Note that these instructions will need to be modified depending on your OS, how rbldnsd is packaged, and if you are already using rbldnsd to serve other zones.

Edit the rbldnsd configuration located either at /etc/sysconfig/rbldnsd or /etc/default/rbldnsd. 

The rbldnsd working directory will be in /var/lib/rbldns or /var/lib/rbldnsd.

Within this guide, we presume that the rbldnsd working directory is /var/lib/rbldnsd and that rbldnsd will be started with the -r option to chroot to this directory and that the DESTDIR for the script is set to /var/lib/rbldnsd/zones/abusix.

Open the rbldnsd configuration file (e.g. /etc/sysconfig/rbldnsd) 

Add the following environment variable above the RBLDNSD= variable:

ABUSIX_ZONE=”mail.abusix.zone”

The parent DNS zone that rbldnsd will answer queries to the Abusix Mail Intelligence zones on will be mail.abusix.zone,  You may also set the parent DNS zone to whatever you like, but you will need to configure your internal DNS servers to delegate this zone to your rbldnsd server(s). 

The current Abusix Mail Intelligence lists are detailed here: https://docs.abusix.ai/en/collections/1735474-detailed-list-information

You can configure rbldnsd with whichever zones you like, or all of them.  For the purposes of this document, we will only cover combined, black, exploit, dynamic, dblack, shorthash, diskhash and white, the process for adding any other list is the same though.

Within the rbldnsd configuration file, add the Abusix lists by editing the RBLDNSD variable by the following to the end of the file:

black.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
exploit.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
dynamic.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone \
white.$ABUSIX_ZONE:combined:zones/abusix/white.zone \
dblack.$ABUSIX_ZONE:combined:zones/abusix/dblack.zone \
shorthash.$ABUSIX_ZONE:combined:zones/abusix/shorthash.zone \
diskhash.$ABUSIX_ZONE:combined:zones/abusix/diskhash.zone \
nod.$ABUSIX_ZONE:combined:zones/abusix/nod.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone

Example
This is a working rbldnsd configuration file:

ABUSIX_ZONE="mail.abusix.zone"

RBLDNSD="- -a -f -b 0.0.0.0/5353 -r /var/lib/rbldnsd -l +logs/query.log -s +logs/stats.log \
black.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
exploit.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
dynamic.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone \
white.$ABUSIX_ZONE:combined:zones/abusix/white.zone \
dblack.$ABUSIX_ZONE:combined:zones/abusix/dblack.zone \
shorthash.$ABUSIX_ZONE:combined:zones/abusix/shorthash.zone \
diskhash.$ABUSIX_ZONE:combined:zones/abusix/diskhash.zone \
nod.$ABUSIX_ZONE:combined:zones/abusix/nod.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/black.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/exploit.zone \
combined.$ABUSIX_ZONE:combined:zones/abusix/dynamic.zone"

Once the configuration has been added, restart rbldnsd,

  • Check for errors
  • Check the log file for any errors.

In the example configuration above, rbldnsd is listening on 0.0.0.0 UDP port 5353.  

Check your configuration, using the following dig command.  You will need to alter the command depending on which port you have configured rbldnsd to listen on and which parent zone you configured.

$ dig -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -p 5353 @127.0.0.1 2.0.0.127.combined.mail.abusix.zone
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1795
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;2.0.0.127.combined.mail.abusix.zone. IN A
;; ANSWER SECTION:
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.2
2.0.0.127.combined.mail.abusix.zone. 60 IN A    127.0.0.3
2.0.0.127.combined.mail.abusix.zone. 60 IN A    127.0.0.4
2.0.0.127.combined.mail.abusix.zone. 60 IN A 127.0.0.11
2.0.0.127.combined.mail.abusix.zone. 60 IN A    127.0.0.12
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Tue Nov 20 22:30:25 CET 2018
;; MSG SIZE  rcvd: 85

The example shows 

  • a successful “status: NOERROR”.  
  • the combined list using standard testpoints returned results showing  that the configuration is working correctly.  

You may repeat the dig test querying the “black”, "exploit", “dynamic”, “white” and “dblack” zones, in place of “combined” to ensure that all the lists are functioning correctly.

DNS Server configuration

There are two methods to configure your internal DNS servers to send queries for the ABUSIX_ZONE that you chose earlier.  These methods are delegation or forwarding.

Delegation

This configuration method is recommended if you use DNSSEC internally.

This method also works with all types of DNS servers 

rbldnsd MUST be listening on port 53

Create the necessary “glue” records by creating the “ABUSIX_ZONE” namespace locally in your DNS server, by adding A records for each of your rbldnsd servers and then adding NS records for each zone that point to the A records.

Example configuration:

$ORIGIN mail.abusix.zone.
rbldnsd1  IN A  1.2.3.4
rbldnsd2  IN A  2.3.4.5
@         IN NS rbldnsd1
          IN NS rbldnsd2

Forwarding

This configuration method is easier to configure but more difficult to troubleshoot.

This method does not work with all DNS servers (e.g. Microsoft DNS Servers).

To use this method, you will configure your DNS server to “forward” all queries for “ABUSIX_ZONE” to your rbldnsd servers.

Example configuration for BIND servers:

zone “mail.abusix.zone” {
    type forward;
    forward only;
    forwarders {
        1.2.3.4;
        2.3.4.5;
    };
};

You may run rbldnsd on a different port, allowing the forwarding to work correctly by specifying the forwarder as “1.2.3.4 port 5353;” instead what we show in the example above.

Example configuration for Unbound 

rbldnsd runs on the same host on port 5353 in this case.

# The following is required if forward-addr is 127.0.0.1
do-not-query-localhost: no
domain-insecure: "mail.abusix.zone."

forward-zone:
    name: "mail.abusix.zone."
    forward-addr: [email protected]

Test

Once you have configured your DNS servers, test to ensure that everything works by submitting a query to one of the test points (e.g.  2.0.0.127.combined.mail.abusix.zone). You should receive the same results as shown earlier.

Mail Server and Spam Filter configuration

Once the tests work correctly, please follow the instructions here to  configure your email server to query the zones, that you have just configured.

Apply ACLs

Lastly, ensure that neither your rbldnsd server or internal DNS servers allow queries against the Abusix Mail Intelligence zones from the external internet.   

You may limit the external internet from querying your internal zones 

  • In rbldnsd by applying ACLs limiting which of your IP addresses are allowed to query rbldnsd. 
  • your DNS server will have similar functionality.

Using Beta zones

We allow all our of customers access to test ideas that we are currently working on via our beta zones, you can find details of what beta zones are currently available along with usage guidelines here.

To download the beta zones via rsync, you need to set the BETA_DESTPATH variable in getabusix.conf to the path that you would like to download the beta zonefiles to, this must be a different directly to the production zones e.g.

BETA_DESTPATH="/var/lib/rbldnsd/abusix-beta"

Once this has been set, run:

/usr/local/bin/getabusix.sh --debug

And you should find the zones in the directory you configured, once this is done you simply need to configure rbldnsd to serve out the beta zones that you are interested in.

Support

If you have any questions or need any assistance, please contact us via the live-chat or [email protected] and we will be happy to help.

Did this answer your question?