Setup Email Server From Scratch On FreeBSD #2 - 80 Bind DNS
We believe in data independence, and support others who want data independence.
Debian Email From Scratch version 2 finished 2025-07-30.
We are still adding to it but it all works!
#######################################
# Setup Authoritative Bind DNS Server #
#######################################
To run Postfix properly with DNSRBL checks, SpamAssassin, Amavis and ClamAV it is
advised to set up a caching nameserver. DNSRBLs are real-time blacklist servers
that publish lists of spammy mail servers, which Postfix should block. After a
few DNS queries to Spamhaus your lookups will be blocked, and a local cache
solves the problem. The full fix is to stop using systemd-resolved, which is a
stub resolver and not a full recursive caching resolver, and to set up a bind
nameserver.
journalctl -e -g DNS
Jul 29 07:31:46 okdeb.com systemd-resolved[420]: [🡕] DNSSEC validation failed
for question spamhaus.org IN DS: no-signature
Jul 29 07:31:46 okdeb.com systemd-resolved[420]: [🡕] DNSSEC validation failed
for question mail-vk1-xa4a.google.com.dbl.spamhaus.org IN TXT: no-signature
Jul 29 07:32:01 okdeb.com systemd-resolved[420]: [🡕] DNSSEC validation failed
for question ip6.arpa IN DS: no-signature
Jul 29 10:14:21 okdeb.com spamd[1070]: check: dns_block_rule URIBL_BLOCKED hit,
creating /root/.spamassassin/dnsblock_multi.uribl.com (This means the DNSBL blocked
you due to too many queries.)
Bind is the oldest, runs the fastest and is not difficult to set up. Dnsmasq
works well for DHCP clients but does not support DNSSEC. Unbound does support
DNSSEC. The Debian default is systemd-resolved, which is a stub resolver, and
using it will cause problems with DNSRBL. We're going to stick with the
tried and true bind.
We're not going to go into the details of setting up master and slave servers, just
the bare essentials to play nicely with DNSRBL. We assume here that we have IP
addresses and domains as follows:
15.204.113.148 okdeb.com mx.okdeb.com mail.okdeb.com
2604:2dc0:202:300::3645 okdeb.com mx.okdeb.com mail.okdeb.com
Install bind9
apt install bind9 dnsutils
systemctl enable named
systemctl start named
rndc reload
systemctl status named
cd /etc/bind
/etc/bind/named.conf.options
--- add this to the top of the file ---
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
// slave server // inet slave_ip allow { master_ip; } keys { "rndc-key"; };
};
systemctl restart named
rndc reload
systemctl status named
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation auto;
recursion yes;
// only allow recursion for our own networks, we don't want others using
// our DNS. Serving our own zones as a master is not recursion.
allow-recursion {
127.0.0.1;
::1;
// master_ipaddr;
// master_ipaddr6;
// trusted_ip;
// trusted_network;
};
allow-query { any; };
listen-on { 127.0.0.1; 15.204.113.148; };
listen-on-v6 { any; };
};
The root hints are enabled by an include in /etc/bind/named.conf.default-zones.
nslookup google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 142.251.33.78
Name: google.com
Address: 2607:f8b0:400a:806::200e
dig @127.0.0.1 okdeb.com +dnssec +multiline
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
The ad (authenticated data) flag means the answer was validated with DNSSEC.
Configure SpamAssassin to use local bind
nano /etc/spamassassin/65_dns.cf
dns_server 127.0.0.1
systemctl restart spamd
Disable systemd-resolved and just use bind
systemctl stop systemd-resolved
systemctl disable systemd-resolved
Remove the symbolic link, which points at a resolv.conf elsewhere!
rm /etc/resolv.conf
Create and edit a regular file in the same place, not a symbolic link.
nano /etc/resolv.conf
nameserver 127.0.0.1
options edns0 trust-ad
search .
Make sure it isn't symlinked!
ls -l resolv.conf
-rw-r--r-- 1 root root 54 Jul 29 18:06 resolv.conf
Test the local bind dnssec with dig
dig okdeb.com +dnssec +multiline
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
journalctl -g DNS
Jul 29 18:07:07 okdeb.com named[529]: generating session key for dynamic DNS
Jul 29 23:34:59 okdeb.com spamd[1086]: spamd: result: . 0 - ARC_SIGNED,ARC_VALID...
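As an added example (not part of the original guide, and not BIND's or SpamAssassin's own tooling), here is a small POSIX shell script that checks the end state this page sets up: that /etc/resolv.conf is a regular file whose first nameserver is the local bind, that answers from 127.0.0.1 carry the ad flag, that a DNSBL lookup through the local cache gets a real listing rather than a "query refused" answer, and that the journal no longer shows the two symptoms from the start of the page. The check functions take text as arguments so they can be exercised on constructed samples modelled on the log lines above; run it with --live to query this host. The 127.255.255.x return codes and the 2.0.0.127.zen.spamhaus.org test entry come from Spamhaus's published documentation; okdeb.com is the domain used in this guide and 192.0.2.53 is a constructed (documentation-range) address for the negative sample.

```shell
#!/bin/sh
# check-resolver.sh - sanity checks for the local BIND resolver described in
# this guide. Added example, not part of the original guide or of BIND.
# The check functions take text as arguments so they can be exercised on
# constructed samples; pass --live to run them against this host as well.

# Return 0 if a dig ";; flags:" header line carries "ad" (authenticated data),
# i.e. the resolver validated the answer with DNSSEC.
dig_has_ad_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    for f in $flags; do
        [ "$f" = "ad" ] && return 0
    done
    return 1
}

# Print the first nameserver listed in resolv.conf contents passed as $1.
resolv_first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Return 0 if resolv.conf contents point at the local bind first.
resolv_conf_ok() {
    ns=$(resolv_first_nameserver "$1")
    [ "$ns" = "127.0.0.1" ] || [ "$ns" = "::1" ]
}

# Classify a Spamhaus DNSBL answer ($1 = the A record, empty for NXDOMAIN).
# Spamhaus answers 127.255.255.x instead of a listing when it refuses the
# query: .252 malformed query, .254 query via a public/open resolver,
# .255 too many queries from this resolver. That is the "blocked" state the
# guide describes; a local caching bind keeps you out of it.
dnsbl_verdict() {
    case "$1" in
        "")            echo "not-listed" ;;
        127.255.255.*) echo "query-refused" ;;
        127.*)         echo "listed" ;;
        *)             echo "unexpected" ;;
    esac
}

# Classify one journal line into the symptoms this guide fixes.
journal_symptom() {
    case "$1" in
        *systemd-resolved*"DNSSEC validation failed"*) echo "stub-resolver-dnssec" ;;
        *spamd*dns_block_rule*|*spamd*URIBL_BLOCKED*)  echo "dnsbl-rate-limited" ;;
        *)                                             echo "ok" ;;
    esac
}

# Run the classifiers over constructed samples (modelled on the log lines the
# guide shows) and return 0 only if every verdict matches expectations.
self_check() {
    [ "$(journal_symptom 'Jul 29 07:31:46 okdeb.com systemd-resolved[420]: DNSSEC validation failed for question spamhaus.org IN DS: no-signature')" = "stub-resolver-dnssec" ] &&
    [ "$(journal_symptom 'Jul 29 10:14:21 okdeb.com spamd[1070]: check: dns_block_rule URIBL_BLOCKED hit')" = "dnsbl-rate-limited" ] &&
    [ "$(journal_symptom 'Jul 29 18:07:07 okdeb.com named[529]: generating session key for dynamic DNS')" = "ok" ] &&
    dig_has_ad_flag ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1' &&
    ! dig_has_ad_flag ';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1' &&
    resolv_conf_ok "$(printf 'nameserver 127.0.0.1\noptions edns0 trust-ad\nsearch .\n')" &&
    ! resolv_conf_ok "$(printf 'nameserver 192.0.2.53\n')" &&
    [ "$(dnsbl_verdict 127.255.255.255)" = "query-refused" ] &&
    [ "$(dnsbl_verdict 127.0.0.2)" = "listed" ] &&
    [ "$(dnsbl_verdict '')" = "not-listed" ]
}

if [ "${1:-}" = "--live" ]; then
    if [ -L /etc/resolv.conf ]; then
        echo "WARN: /etc/resolv.conf is still a symlink (systemd-resolved stub?)"
    fi
    if resolv_conf_ok "$(cat /etc/resolv.conf)"; then
        echo "OK: first nameserver is the local bind"
    else
        echo "WARN: first nameserver is $(resolv_first_nameserver "$(cat /etc/resolv.conf)")"
    fi
    if dig_has_ad_flag "$(dig @127.0.0.1 okdeb.com +dnssec | grep '^;; flags:')"; then
        echo "OK: DNSSEC ad flag present from 127.0.0.1"
    else
        echo "WARN: no ad flag; check dnssec-validation in named.conf.options"
    fi
    # 127.0.0.2 is Spamhaus's documented always-listed test entry for zen.
    v=$(dnsbl_verdict "$(dig @127.0.0.1 +short 2.0.0.127.zen.spamhaus.org | head -n 1)")
    echo "zen.spamhaus.org test entry via local bind: $v (expect: listed)"
else
    self_check && echo "self-check passed (run with --live to test this host)"
fi
```

Without arguments the script only runs its self-check on the constructed samples; with --live it queries this host's bind, so a "query-refused" verdict or a missing ad flag after the steps above points at a leftover systemd-resolved stub or a dnssec-validation setting that did not take.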
That's it, easily set up!