[rbldnsd] Integrating rbldnsd with the rest of our DNS?

Michael Tokarev mjt at tls.msk.ru
Mon Dec 8 01:12:25 MSK 2003

Brian Bruns wrote:
> On Sunday, December 07, 2003 4:14 PM [GMT-5=EST],
> Robin Lynn Frank <rlfrank at paradigm-omega.com> wrote:
>>It appears I'm the only one in the world who does not know the answer
>>to this.
>>How do I get queries to go to our rbldnsd stuff?  Nothing in the docs.
>>Nothing in the list archives.  Nothing in the bind docs, website,
>>etc., and the O'Reilly DNS & Bind book has me drowning in information.

Hmm... I'm surprized.  Every BIND book should tell you about 2

  a) forward zones;
  b) zone sub-delegation.

> Use a forward zone.
> zone "dnsbl.ahbl.org" {
>         type forward;
>         forward first;
>         forwarders {; };
> };
> ( is the AHBL's primary DNSbl server, not commonly used by
> anyone else but us, but is there just in case we suddenly loose all of
> our mirror servers)

While this way is ok if you're caching someone else's blocklist like
ahbl.org or dsbl.org (but it still breaks normal DNS rules somehow:
it makes your zone to be somewhat different compared to what the rest
of the world sees), I myself prefer different approach - using zone
subdelegation.  Like:

  bl.corpit.ru NS blns.corpit.ru
  (blns.corpit.ru resolves to an IP address where rbldnsd is listening)

Now, we have e.g. trap.bl.corpit.ru (or local automatic spamtrap zone),
dsbl-list.bl.corpit.ru (local copy of list.dsbl.org) and others.  Ofcourse,
this way you'll need to query instead
of, but it's completely your zone and you may
do whatever you want with it.

If you don't want to expose your setup to the outside world, made rbldnsd
to listen on private address (inside your LAN), or made your blocklist
subzones in your private domain (like e.g. bl.office.int) and so on.

Note that this way all your nameservers (you may have several cahing NSes)
will be configured automagically, without a need to setup such forward
zone on each of them.


More information about the rbldnsd mailing list