Unbound

When using postscreen in combination with blocklists such as zen.spamhaus.org, you need to make sure that the DNS server you query through does not get rate-limited.

One way to achieve this is to run your own resolver, and one option for that is Unbound.

Install it using:

sudo apt install unbound

Configure a cron job that regularly fetches the DNS root server info, e.g.:

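#!/bin/bash
set -e  # stop at the first failing command
# Download to a temporary file first, so a failed fetch never truncates the live hints file
wget https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints.new
mv /etc/unbound/root.hints.new /etc/unbound/root.hints
sleep 1  # this is probably not needed
systemctl reload unbound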

Then configure unbound:

# /etc/unbound/unbound.conf.d/server.conf
server:
    directory: "/etc/unbound"
    username: unbound
    qname-minimisation: yes
    root-hints: "/etc/unbound/root.hints" 
    interface: 127.0.0.1
    interface: ::1
    port: 53
    prefetch: yes

Then make your server use unbound as the DNS resolver. If you use dhclient, this can be achieved by adding the following line to /etc/dhcp/dhclient.conf:

supersede domain-name-servers 127.0.0.1;
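
To confirm the setup above actually took effect, the following check is an added example and not part of the original page. It assumes dig (package dnsutils) is installed, the function names are hypothetical, and the 127.255.255.x values are the error return codes Spamhaus documents for its DNSBL zones.

```shell
#!/bin/bash
# Added example (not from the original page): verify the local resolver setup.

# Succeeds only if the given resolv.conf lists loopback nameservers and nothing else.
uses_only_local_resolver() {
    local file="${1:-/etc/resolv.conf}" key ns found=1
    while read -r key ns _ || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        case "$ns" in
            127.0.0.1|::1) found=0 ;;
            *) return 1 ;;
        esac
    done < "$file"
    return "$found"
}

# Classify the A records returned for a DNSBL lookup ($1: whitespace-separated IPs).
# The 127.255.255.x values are error codes, not listings.
classify_dnsbl_answer() {
    local ip verdict="no-answer"
    for ip in $1; do
        case "$ip" in
            127.255.255.252) echo "error-typo-in-zone-name"; return 0 ;;
            127.255.255.254) echo "error-public-resolver"; return 0 ;;
            127.255.255.255) echo "error-rate-limited"; return 0 ;;
            127.0.0.*) verdict="listed" ;;
            *) echo "unexpected-$ip"; return 0 ;;
        esac
    done
    echo "$verdict"
}

# Live check, run only when the script is called with --live.
if [ "${1:-}" = "--live" ]; then
    uses_only_local_resolver || echo "WARNING: resolv.conf lists a non-local nameserver"
    # 127.0.0.2 is the standard DNSBL test entry (RFC 5782), so it must come back as listed.
    answer="$(dig +short @127.0.0.1 2.0.0.127.zen.spamhaus.org A)"
    result="$(classify_dnsbl_answer "$answer")"
    echo "zen.spamhaus.org via 127.0.0.1: $result"
    [ "$result" = "listed" ]
fi
```

A result of no-answer or one of the error values means postscreen's DNSBL lookups are not scoring anything, even though mail still flows.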