Knot Resolver
Rspamd (a spam filter) requires your own recursive resolver. Knot Resolver is one of the modern DNS resolvers (another option is Unbound).
Install
Following the official Knot Resolver installation instructions for Debian/Ubuntu, install the package from the Knot Resolver repository.
sudo apt install apt-transport-https ca-certificates wget
sudo wget -O /usr/share/keyrings/cznic-labs-pkg.gpg https://pkg.labs.nic.cz/gpg
echo "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-resolver trixie main" | sudo tee /etc/apt/sources.list.d/cznic-labs-knot-resolver.list
sudo apt update
sudo apt install knot-resolver6
Configuration
The default Knot Resolver config, /etc/knot-resolver/config.yaml, doesn’t need any changes. It listens on port 53 (DNS) and accepts queries only from localhost.
(The firewall also rejects access to DNS.)
Check if it works as expected
Check if Knot-Resolver returns the same answer as the default (your service provider’s) DNS.
$ dig a.root-servers.net
(snip)
;; ANSWER SECTION:
a.root-servers.net. 72939 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: (your provider)#53
$ dig a.root-servers.net @localhost
(snip)
;; ANSWER SECTION:
a.root-servers.net. 72939 IN A 198.41.0.4
;; Query time: 0 msec
;; SERVER: ::1#53
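The same comparison can be scripted. The following is an added example, not part of the original page or of Knot Resolver: it compares the ANSWER SECTION of two dig outputs while ignoring TTLs, and confirms that the second one was answered from loopback. The function names and the sample output (including the placeholder provider address 192.0.2.53) are constructed for illustration.

```shell
# Print ANSWER SECTION records as "name type rdata", sorted, with the TTL
# dropped (each resolver's cache counts TTLs down independently).
answer_rrs() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer {
            rr = $1 " " $4
            for (i = 5; i <= NF; i++) rr = rr " " $i
            print rr
        }' | sort
}

# Print the address part of the ";; SERVER: addr#port" line.
answering_server() {
    awk '/^;; SERVER:/ { sub(/#.*/, "", $3); print $3; exit }'
}

# $1 = dig output via the default resolver, $2 = dig output via @localhost.
# Returns 0 on match, 1 if answers differ, 2 if not answered from loopback,
# 3 if the local resolver gave no answer records.
check_local_resolver() {
    server=$(printf '%s\n' "$2" | answering_server)
    case $server in
        127.*|::1) ;;
        *) echo "FAIL: answered by '$server', not loopback"; return 2 ;;
    esac
    want=$(printf '%s\n' "$1" | answer_rrs)
    got=$(printf '%s\n' "$2" | answer_rrs)
    [ -n "$got" ] || { echo "FAIL: no answer records from local resolver"; return 3; }
    [ "$want" = "$got" ] || { echo "FAIL: answers differ"; return 1; }
    echo "OK: $server returned the same records"
}

# Constructed sample dig output (not captured from a real host).
SAMPLE_DEFAULT=';; ANSWER SECTION:
a.root-servers.net. 72939 IN A 198.41.0.4

;; Query time: 0 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (UDP)'
SAMPLE_LOCAL=';; ANSWER SECTION:
a.root-servers.net. 3600 IN A 198.41.0.4

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)'

# Real use (needs network access):
#   check_local_resolver "$(dig a.root-servers.net)" "$(dig a.root-servers.net @localhost)"
```

A return code of 2 means the query never reached the local resolver, so matching answers alone would not show that Knot Resolver is working.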
This is the minimum configuration for Knot Resolver, but it is enough to use it as a dedicated resolver for Rspamd.
Please refer to the official documentation for more details.