Bind DNS: override RBL TTL

When you run spam filtering against external blocklists you may quickly run out of query credits, because those lists set an absurdly low TTL on their DNS responses. The common Bind nameserver does not let you set a minimum cache TTL, and for good reason: normally you should never override that cache timeout. It is every system admin's nightmare to have to update DNS records quickly and then watch them fail to propagate to the clients in time; no matter how low you set the TTL in advance, there is always some misconfigured ISP resolver that makes everything expire after 24 hours. Crazy. In the case of filter lists with extremely low TTLs, however, overriding this value is a must; otherwise a long-running inbound spam campaign keeps you permanently blocked for overuse. But my Bind9 resolver does not allow changing the minimum time-to-live.

I could have switched to another nameserver, but then I'd run into problems with Plesk and other tools that rely on Bind. Instead I installed unbound on a different port and have Bind forward only those filter zones to unbound, which does allow TTL overrides. This way normal DNS traffic keeps the original TTLs while only the configured zones get my custom settings.

Install unbound

yum install unbound
wget -O /etc/unbound/root.hints https://www.internic.net/domain/named.root
chown root:unbound /etc/unbound/root.hints
nano /etc/unbound/unbound.conf

Find and update the settings below:

port: 20053
root-hints: "/etc/unbound/root.hints"

# Allow `dig +trace` from localhost for debugging
access-control: 127.0.0.0/8 allow_snoop
access-control: ::1 allow_snoop

# 1 hour minimum TTL is more reasonable
cache-min-ttl: 3600

# 3 hours maximum, so a bad listing does not stick around too long
cache-max-ttl: 10800

Then enable and start unbound:

systemctl enable unbound
systemctl start unbound

Now unbound is configured and running. Time to hook it up to Bind.

Configure Bind

nano /etc/named.conf

If you have Plesk installed, find these lines and add the zones between them:

// -- PLEASE ADD YOUR CUSTOM DIRECTIVES BELOW THIS LINE. --
// ...
// -- END OF YOUR CUSTOM DIRECTIVES. --

Add the forwarding zones. I deliberately use the parent zones rather than exact hostnames such as zen.spamhaus.org, so that the whole zone of each list is covered.

// Forward these zones to unbound for higher TTL overrides
zone "abusix.zone" {
     type forward;
     forward only;
     forwarders { 127.0.0.1 port 20053; };
};

zone "senderscore.com" {
     type forward;
     forward only;
     forwarders { 127.0.0.1 port 20053; };
};

zone "spamhaus.org" {
     type forward;
     forward only;
     forwarders { 127.0.0.1 port 20053; };
};

Then reload the Bind config:

rndc reload

From now on, queries for the configured zones are sent to unbound, which fetches the records directly from the list's own servers. This avoids going through external caching resolvers that are already blocked by the lists. Unbound rewrites the TTLs in the responses to fit within the cache-min-ttl and cache-max-ttl settings. Bind still does the actual caching, so there is no need to tune the unbound configuration for a high request volume.
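To verify the override after the reload, the following added script (my example, not part of the original post, Bind, unbound or Plesk) parses the output of `dig +noall +answer @127.0.0.1 <name>` and flags answers that bypass the clamp: names outside the forwarded zones, TTLs above cache-max-ttl, and, right after an `rndc flush`, fresh TTLs below cache-min-ttl. The FORWARD_ZONES tuple mirrors the named.conf zones above, and the dig output embedded in it is constructed, not a real capture.

```python
# Added check for the Bind -> unbound RBL forwarding setup (hypothetical helper).
import re

CACHE_MIN_TTL = 3600   # must match cache-min-ttl in unbound.conf
CACHE_MAX_TTL = 10800  # must match cache-max-ttl in unbound.conf
FORWARD_ZONES = ("abusix.zone", "senderscore.com", "spamhaus.org")

# Constructed sample of `dig +noall +answer` output, not a real capture.
# The second lookup is for a list that was never added to named.conf.
SAMPLE_DIG = """\
2.0.0.127.zen.spamhaus.org. 3600 IN A 127.0.0.2
2.0.0.127.bl.example.test. 60 IN A 127.0.0.2
"""

# One answer line: owner  ttl  IN  type  rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def forward_zone_for(name):
    """Longest configured zone that is a suffix of name, the same match Bind
    makes; None means the query never reaches unbound."""
    name = name.rstrip(".").lower()
    hits = [z for z in FORWARD_ZONES if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def clamp_ttl(upstream_ttl):
    """TTL unbound serves after cache-min-ttl / cache-max-ttl are applied."""
    return max(CACHE_MIN_TTL, min(upstream_ttl, CACHE_MAX_TTL))

def parse_dig_answer(output):
    """Return (owner, ttl, rrtype, rdata) tuples from dig answer lines."""
    records = []
    for line in output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records

def find_problems(records, fresh=False):
    """Findings for answers that bypass the override. Use fresh=True only right
    after rndc flush: a cached answer legitimately counts down below the minimum."""
    problems = []
    for owner, ttl, _rrtype, _rdata in records:
        if forward_zone_for(owner) is None:
            problems.append(f"{owner} not under a forwarded zone, TTL {ttl} unclamped")
        elif ttl > CACHE_MAX_TTL:
            problems.append(f"{owner} TTL {ttl} exceeds cache-max-ttl")
        elif fresh and ttl < CACHE_MIN_TTL:
            problems.append(f"{owner} fresh TTL {ttl} below cache-min-ttl")
    return problems
```

Run `find_problems(parse_dig_answer(output), fresh=True)` on real dig output immediately after `rndc flush`; an empty list means every forwarded zone is answered through unbound with a clamped TTL.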
