May 252016

in order to make rbldnsd as rhsbl authoritative nameserver for unbound, the simple way is to create stub-zone like this:

        name: ""

if we configured unbound as iterator and validator, this minimal configuration will not work. when you query for example:

# dig

we will get “SERVFAIL” replied.
the simple way is by turned off validator function in unbound, but if we still want validator function in unbound, we can simply exclude our rhsbl zone in stub-zone as insecure domain.

domain-insecure: ""

now, we wlll get reply as expected

# dig +short

and in rbldnsd start up config

RBLDNSD="dsbl -r/var/lib/rbldnsd -t 300 -b"

happy blacklisting 😀

combined with script here: we can use it as header_checks map. here’s the result:

May 25 19:11:31 mx1 postfix/cleanup[146988]: 68A203080DD: reject: header From: Dominic McXXX <> from[]; from=<> to=<> proto=ESMTP helo=<spammer>: 5.7.1, which appears in the 'From' header, is listed on
Oct 192012

This is not new idea, actually. someone at spamassassin plugin developers have been made before. basically, the idea was put email addresses in RBLDNSD zone dnset format, ie:



So, we replace @ sign into dot (.) sign. that way, we can save the email addresses into the RBLDNSD dnset zone.


create emailbl zone, meta information


: $ - Not receiving email right now.


$NS 1w
$SOA 1w 0 2h 2h 1w 1h
$DATASET generic @
@ A
@ MX 10
@ TXT "example email blocklist"

in /etc/sysconfig/rbldnsd

RBLDNSD="dsbl -r/var/lib/rbldns/dsbl -t 300 -b \,emailbl

ofcourse we should delegate the subdomain in authoritative nameserver

; subdomain delegation	IN NS			IN A

start rbldnsd service

service rbldnsd start

Continue reading »