Using BIND and rsync to cache RBL zones

Systems processing more than a few hundred thousand messages per day should set up a local caching name server for any of the RBLs they are using, including SURBLs. This is widely considered a good practice since it offloads the public name servers, reduces external network traffic, and significantly speeds up mail processing.

While many administrators prefer to use rbldnsd for serving RBL zone files since it's much faster and more memory efficient than BIND, here are some instructions if you choose to use BIND.

  1. Install rsync and BIND if not already present. Be sure to keep your versions current in order to run the latest security updates.

  2. If desired, create a separate directory to store the rsynced zone files in, such as "r" under /etc/namedb:
      mkdir /etc/namedb/r
    

  3. Set up BIND as a master for the zones you expect to use:
      zone "sc.surbl.org" {
              type master;
              file "r/sc.surbl.org.bind";
      };
      
      zone "ws.surbl.org" {
              type master;
              file "r/ws.surbl.org.bind";
      };
    
    Your server is not really a master for these zones, but because we used the keyword "master" above, it will behave as if it were, which is what we want.

  4. Create a shell script to rsync the zone files and reload named:
      #!/bin/sh
      
      /usr/local/bin/rsync -t some_rsync_server::surbl/*.bind /etc/namedb/r/
      /usr/sbin/named.reload
    
    Replace some_rsync_server with the real server name once access is granted. (The -t argument causes rsync to preserve timestamps; strictly speaking it's not needed in this use.) Remember to make the script executable.

  5. Request rsync access to the SURBL zone files. Please let us know your rbldnsd server's IP address and the approximate number of incoming messages per day that are processed.

  6. Confirm that the zone files come across correctly by manually rsyncing.

  7. Enable the script above by adding it to your crontab:
      7,37 * * * *  (root) (path to script above)
    
    The "who" field (root) is needed in /etc/crontab on FreeBSD but not in user-style crontabs. (You can also enter the rsync and named.reload commands directly in a crontab entry.) Please use minutes different from 7 and 37 so that the load is spread out over time. 20-minute intervals should be considered the minimum, by the way.

  8. Confirm that everything above is working correctly.

  9. Then configure your mail or SpamAssassin servers that use RBLs to do their lookups against the new local RBL name server.

    1. Many people run the local DNS for their RBLs directly on the mail server(s), which can work well since it keeps everything on the same box. In the default installation, BIND will do the right thing and try to resolve locally for domains it thinks it's a primary for. It will do this as long as 127.0.0.1 (localhost) is listed in your resolv.conf and forwarding is not set, which is typical but worth confirming.

    2. If your mail server is separate from your RBL name server, then set up DNS on the mail server to resolve using the new RBL name server, i.e., make it forwarding for the RBL domains.

    3. If the RBL zones are now served directly on a mail server where BIND was previously set up as forwarding, then you'll want to remove the forwarding and set it up to resolve locally.
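The following is an added example, not part of the original page or the SURBL project's own tooling: a fuller version of the step 4 script that, after rsyncing, validates each zone file with named-checkzone and reloads only the zones whose SOA serial changed, so a truncated or corrupt transfer never replaces a zone that is currently serving. It assumes BIND 9 (named-checkzone and rndc), the /etc/namedb/r layout above, the placeholder rsync source some_rsync_server::surbl, and a hypothetical state directory /var/db/rblsync.

```shell
#!/bin/sh
# Added example (not the page's own script). Run from cron as: rblsync.sh sync
set -eu

ZONEDIR=${ZONEDIR:-/etc/namedb/r}                 # where *.bind files land
RSYNC_SRC=${RSYNC_SRC:-some_rsync_server::surbl}  # placeholder, see step 5
STATEDIR=${STATEDIR:-/var/db/rblsync}             # hypothetical: last-loaded serials

# Print the SOA serial of a zone file: the first integer after the SOA's
# MNAME and RNAME, whether the record is on one line or parenthesised.
soa_serial() {
    awk '
        /^[ \t]*;/ { next }                       # skip comment-only lines
        !insoa && $0 ~ /[ \t]SOA[ \t]/ {
            insoa = 1
            sub(/.*SOA[ \t]+[^ \t]+[ \t]+[^ \t]+/, "")  # drop through RNAME
        }
        insoa {
            gsub(/;.*/, ""); gsub(/[()]/, " ")    # strip comments and parens
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print $i; exit }
        }' "$1"
}

# List zones (file name minus .bind) whose serial differs from the one
# recorded after the last successful reload.
changed_zones() {
    dir=$1; state=$2
    mkdir -p "$state"
    for f in "$dir"/*.bind; do
        [ -f "$f" ] || continue
        zone=$(basename "$f" .bind)
        new=$(soa_serial "$f")
        old=$(cat "$state/$zone.serial" 2>/dev/null || echo "")
        [ -n "$new" ] && [ "$new" != "$old" ] && echo "$zone"
    done
    return 0
}

if [ "${1:-}" = "sync" ]; then
    rsync -t "$RSYNC_SRC/*.bind" "$ZONEDIR"/
    for zone in $(changed_zones "$ZONEDIR" "$STATEDIR"); do
        # Refuse to load a file that does not parse; named keeps the old copy.
        if named-checkzone -q "$zone" "$ZONEDIR/$zone.bind"; then
            rndc reload "$zone"
            soa_serial "$ZONEDIR/$zone.bind" > "$STATEDIR/$zone.serial"
        else
            echo "$zone: failed named-checkzone, not reloaded" >&2
        fi
    done
fi
```

Because reloads are per zone and only on a serial change, the 20-minute cron interval from step 7 no longer forces a full named reload when nothing has changed.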
Notes:
Version 1.02 by Jeff Chan on 2/1/05