"How to" - Local DNS Resolver for Proxmox Mail Gateway

ChFin

Well-Known Member
Jan 30, 2018
In the PMG Admin Manual the following DNS recommendation is proposed:

DNS recommendations
Many tests to detect SPAM mails use DNS queries, so it is important to have a fast and reliable DNS server. We also query some publicly available DNS Blacklists. Most of them apply rate limits for clients, so they simply will not work if you use a public DNS server (because they are usually blocked). We recommend to use your own DNS server, which needs to be configured in recursive mode.

In this "How To" it is explained how you can set up an IPv4 caching DNS server (resolver) on top of Debian 9 (stretch).

The bind software is available in the local Debian repository. So just make sure that your system is up to date and install the bind components.

# apt-get update && apt-get dist-upgrade
# apt-get install bind9 bind9utils bind9-doc

After the bind components are installed you can configure the service.

# cd /etc/bind
# vi named.conf.options


Above the "options" block create a new block called "acl". Call the new group "goodclients".
Within this block list the IP addresses or networks that should be allowed to query the DNS service.
(also 'localhost' and/or 'localnets' can be used)

acl goodclients {
localhost;
localnets;
};


options {
. . .


Now we can configure the "options" block. Explicitly turn recursion on and then configure the allow-query parameter to use our ACL.

options {
directory "/var/cache/bind";

recursion yes;
allow-query { goodclients; };

. . .

As we use only IPv4, comment out the listen-on-v6 parameter or set it to

listen-on-v6 { none; };

Edit the bind startup options to enforce IPv4.

# vi /etc/default/bind9

Inside, modify the "OPTIONS" parameter to include the '-4' flag

OPTIONS="-u bind -4"

Finally check your named configuration. If you have syntax errors correct them.

# named-checkconf

Edit resolv.conf to use your local resolver.

# vi /etc/resolv.conf

search . . .

nameserver 127.0.0.1

When you have verified that your configuration is without syntax errors, restart the DNS service and keep an eye on the log files (daemon.log, mail.log, ...).

# systemctl restart bind9.service


*** Now all DNS Tests done by PMG should work without being blocked due to rate limits ***
 
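The fragments above are short, but two things go wrong with them in practice: a missing semicolon that named-checkconf rejects, and an allow-query list that is widened to "any" on a recursive server, which makes the host an open resolver that anyone on the Internet can use. The following checker is an added example and is not part of the forum post or of BIND itself; it tokenizes the brace/semicolon syntax of named.conf.options far enough to verify the howto's settings (acl defined, recursion yes, allow-query limited to the acl, listen-on-v6 off) and to flag the open-resolver shape. The three sample configs are constructed for the demonstration, and the default path /etc/bind/named.conf.options is only an assumption for the usage line; named-checkconf remains the authoritative syntax check.

```python
"""Audit a BIND named.conf.options fragment against the howto's settings and
flag an open resolver (recursion on, recursion allowed from 'any').
Added example, not the post's or BIND's code; a small tokenizer, not a full
named.conf parser.  Sample configs below are constructed."""
import re
import sys

# Constructed sample: the post's fragments assembled into one file.
SAMPLE_OK = """
acl goodclients { localhost; localnets; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { goodclients; };
    listen-on-v6 { none; };
};
"""
# Constructed sample: passes named-checkconf, but is an open resolver.
SAMPLE_OPEN = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
};
"""
# Constructed sample: the missing semicolon a reply further down ran into.
SAMPLE_TYPO = SAMPLE_OK.replace("{ none; }", "{ none }")

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ADDRESS = re.compile(r"^!?[0-9a-fA-F.:]+(/\d{1,3})?$")  # IPv4/IPv6 prefix


def tokenize(text):
    """Drop //, # and /* */ comments; split into braces, ';', strings, words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)


def parse_block(tokens, i=0):
    """Parse ';'-terminated statements up to a closing '}' or end of input.
    Returns (statements, index); a statement is (words, sub_block_or_None)."""
    stmts, words, block = [], [], None
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            block, i = parse_block(tokens, i + 1)
            if i >= len(tokens) or tokens[i] != "}":
                raise SyntaxError("unbalanced braces")
        elif tok == ";":
            stmts.append((words, block))
            words, block = [], None
        elif tok == "}":
            if words or block is not None:
                raise SyntaxError("missing ';' before '}' after %r" % " ".join(words))
            return stmts, i
        else:
            words.append(tok)
        i += 1
    if words or block is not None:
        raise SyntaxError("missing ';' at end of input")
    return stmts, i


def members(stmt):
    """Flatten an address-match list such as { a; b; } into its member names."""
    words, block = stmt
    return [w for ws, _ in block for w in ws] if block else words[1:]


def audit(text):
    """Return a list of findings; an empty list means the fragment matches the howto."""
    try:
        stmts, _ = parse_block(tokenize(text))
    except SyntaxError as exc:
        return ["syntax: %s" % exc]
    acls = {ws[1] for ws, _ in stmts if ws[:1] == ["acl"] and len(ws) > 1}
    options = next((blk for ws, blk in stmts if ws == ["options"]), None)
    if options is None:
        return ["no options block found"]
    opt = {ws[0]: (ws, blk) for ws, blk in options if ws}
    findings = []
    explicit = opt.get("recursion")
    recursion_on = explicit is None or explicit[0][1:] == ["yes"]  # BIND default: yes
    if explicit is None:
        findings.append("recursion is not set explicitly (the howto says: recursion yes)")
    elif not recursion_on:
        findings.append("recursion is off; PMG needs a recursive resolver")
    if "allow-query" not in opt:
        findings.append("allow-query is not set; restrict it to your acl")
    else:
        for name in members(opt["allow-query"]):
            if name not in acls and name not in BUILTIN_ACLS and not ADDRESS.match(name):
                findings.append("allow-query references undefined acl %r" % name)
    # Who may recurse: BIND uses allow-recursion, else allow-query-cache, else
    # allow-query.  'any' there on a recursive server is an open resolver.
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opt:
            if recursion_on and "any" in members(opt[key]):
                findings.append("open resolver: recursion yes and %s allows any" % key)
            break
    if "listen-on-v6" in opt and members(opt["listen-on-v6"]) != ["none"]:
        findings.append("listen-on-v6 is enabled but this howto runs IPv4 only")
    return findings


if __name__ == "__main__":
    # Assumed default path; pass another file as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/bind/named.conf.options"
    with open(path) as fh:
        problems = audit(fh.read())
    print("\n".join(problems) or "ok: %s matches the howto" % path)
    sys.exit(1 if problems else 0)
```

Run it after editing named.conf.options and before the restart; a non-zero exit with an "open resolver" line means the recursive service would answer anyone who can reach port 53, which is the situation the acl in the howto is meant to prevent. It deliberately does not replace named-checkconf: run both.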
I used dnsmasq but bind obviously works too :-) Even though it already works for me, still thanks for sharing. Guess plenty of people will hit the blocklist rate limits
 
How to check the outside IPv4/IPv6 address of your DNS server (who am I):
# dig o-o.myaddr.l.google.com -t txt +short

# dig -t a whoami.v4.powerdns.org +short
# dig -t aaaa whoami.v6.powerdns.org +short

# dig -t txt whoami.v4.powerdns.org +short
# dig -t txt whoami.v6.powerdns.org +short

# dig -t txt whoami-ecs.v4.powerdns.org +short
# dig -t txt whoami-ecs.v6.powerdns.org +short

# dig -t a whoami.akamai.net +short
# dig -t aaaa whoami.akamai.net +short
 
"Dnsmasq is a DNS query forwarder: it is not capable of recursively answering arbitrary queries starting from the root servers but forwards such queries to a fully recursive upstream DNS server which is typically provided by an ISP." (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html)

You need a recursive DNS resolver ... (not a forwarder)

For me the important part was to get my own quota, not to really cache internally. The provider was just constantly hitting the RBL quota. Maybe I'll need to set up bind at some point, so far I'm ok. Anyhow, normally bind might be the better option!
 
Where does one define the upstream DNS servers?
 
I had to change:
listen-on-v6 { none };

to
listen-on-v6 { none; };

Thanks for this HOWTO. I suggest to sticky it. I also suggest to include a local recursive DNS by default in next releases.
 
No, the documentation is a core part of the product itself (via the help button). For now, please post howtos just in the forum.
Can we have a new section for how-tos in the forum then, please?
Easier to have them connected.

Otherwise tagging might work, if the forum can create lists of posts based on tags.
 
I'm using "unbound" as DNS resolver; it's not as, erm, "mature" as bind. unbound is easy to configure and can do DNSSEC validation.

This is my current configuration:
Code:
#
# server section
#
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # interfaces
    interface: 127.0.0.1
    interface: ::1
    # ACLS
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    # some config options
    so-rcvbuf: 4m
    so-sndbuf: 4m
    msg-cache-size: 8m
    rrset-cache-size: 8m
    cache-max-ttl: 14400
    cache-min-ttl: 900
    minimal-responses: yes
    qname-minimisation: yes
    use-caps-for-id: yes
    do-ip6: yes
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    prefetch: yes
    rrset-roundrobin: yes
    key-cache-size: 8m
 
Another option: PowerDNS
Install: apt-get install pdns-recursor -y
Edit allow-from: nano /etc/powerdns/recursor.conf
Restart things: /etc/init.d/pdns-recursor restart
Set local recursor: nano /etc/resolv.conf
Restart network: systemctl restart networking
Test things: dig google.com
 
I googled some documentation about resolvers, their speed, reliability and how fast they reject unknown queries, work on timeouts etc. It looked like Unbound is the most reliable for use in a PMG environment.
Dear Danilo,

Can you explain to me how to install and configure UNBOUND in my Proxmox Mail Gateway?

Regards,
Liju
 
Is the DNSSEC validation config free to use for everyone?
 
I started using Ansible more and more. I can provide you with the Ansible code if you wish.
 
[QUOTE="DerDanilo, post: 281845, member: 42891"]
I started using Ansible more and more. I can provide you with the Ansible code if you wish.
[/QUOTE]

If you still have the service running, can you share the guide and the code?
 