[rbldnsd] rbldnsd and blackholes.us

Michael Tokarev mjt at tls.msk.ru
Sat Oct 8 01:21:21 MSD 2005


Vlad Z wrote:

Please don't send html email.
Please stop your MUA from turning IP addresses into HTML links.
Please don't top-post.
Please trim irrelevant quoting of previous emails.
Thank you.

[...]
> [root at squirrel rbldns]# cat logfile
> 1128715849 127.0.0.1 <http://127.0.0.1> 244.96.2.195.countries.blocked.rbl A IN: NOERROR/1/97
> 1128715875 127.0.0.1 <http://127.0.0.1> 244.96.2.195.countries.blocked.rbl A IN: NOERROR/1/97
> 1128716150 127.0.0.1 <http://127.0.0.1> 244.96.2.195.lv.countries.blocked.rbl A IN: NOERROR/1/100
> 1128716264 127.0.0.1 <http://127.0.0.1> 244.96.2.195.ca.countries.blocked.rbl A IN: NXDOMAIN/0/117

From countries.rbl:

....
$DATASET ip4set lv @
:127.4.2.8:lv
127.4.2.8:127.0.0.2:Latvia
80.233.128.0/17
....
195.2.96.0/19
....

So, each country is made available as a subzone (lv in this case),
*and* as a main zone "countries" (note the $DATASET line, and the
"@" at the end).  So I was wrong saying the data is "subdivided"
into subzones - the main zone lists all countries.

So, the right usage of this data is to either list individual
subzones (countries) you're interested in blocking in your MTA,
or list the main zone and specify individual A values (127.4.2.8
for lv) of countries you want to block - again, in your MTA
settings.  For example, in Postfix, it's achieved either with
   reject_rhsbl_client lv.countries.blackholes.us,
   reject_rhsbl_client us.countries.blackholes.us,
   ...
(listing individual subzones), or with
   reject_rhsbl_client countries.blackholes.us=127.4.2.8,
   reject_rhsbl_client countries.blackholes.us=127.whatever,
   ...
(specifying individual A values and listing only the main zone).
I.e., one can't list the main zone without specifying A value(s)
of interest.

If you want to *white*-list some country and block everything,
use the subzone(s) of interest with *white*-listing operator
in MTA and reject the rest, like - hypothetical -
   permit_rhsbl_client ca.blackholes.us,
   permit_rhsbl_client us.blackholes.us,
   reject
(there's no such construct like permit_rhsbl_client in Postfix,
hence hypothetical).  Or equivalent with A value, like the above
example with reject_rhsbl_client.

And no, it is not possible to tell rbldnsd to whitelist
particular country(ies) having countries.rbl datafile,
without editing that file (trivial editing in this case
is to remove the trailing "@" from $DATASET lines for
countries you want to whitelist).

/mjt
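The following is an added illustration, not part of the message above and not rbldnsd's or Postfix's own code. It models the zone layout mjt describes (each country as a subzone, and the same data merged into the main zone via the trailing "@") with a tiny in-memory resolver, then shows the three MTA-side policies: blocking by subzone, blocking by A value against the main zone, and whitelisting by subzone. The "lv" dataset uses the A value and the two networks quoted from countries.rbl; the second dataset "xx" (127.4.2.9, 192.0.2.0/24) is a constructed stand-in for another country, and the zone name countries.blocked.rbl is taken from the quoted log.

```python
import ipaddress

MAIN_ZONE = "countries.blocked.rbl"  # zone name as seen in the quoted logfile

# Constructed model of countries.rbl: one ip4set per country.  "in_main" is
# True when the $DATASET line carries the trailing "@", i.e. the set is also
# merged into the main zone.  Networks for "lv" are the two quoted in the
# message; "xx" is a made-up second country so the A-value policy has
# something to distinguish.
DATASETS = {
    "lv": {"a_value": "127.4.2.8", "nets": ["80.233.128.0/17", "195.2.96.0/19"], "in_main": True},
    "xx": {"a_value": "127.4.2.9", "nets": ["192.0.2.0/24"], "in_main": True},
}


def query_name(ip, zone):
    """Build the DNSBL query name: octets of the client IP reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(qname, datasets=DATASETS):
    """Answer a query the way the modelled zone would: the matching set's A
    value, or None (NXDOMAIN).  Only the first four labels are the IP."""
    labels = qname.split(".")
    ip = ipaddress.ip_address(".".join(reversed(labels[:4])))
    zone = ".".join(labels[4:])
    if zone == MAIN_ZONE:
        # main zone: every set that was declared with the trailing "@"
        candidates = [c for c, d in datasets.items() if d["in_main"]]
    elif zone.endswith("." + MAIN_ZONE):
        sub = zone[: -len(MAIN_ZONE) - 1]
        candidates = [sub] if sub in datasets else []
    else:
        return None
    for country in candidates:
        for net in datasets[country]["nets"]:
            if ip in ipaddress.ip_network(net):
                return datasets[country]["a_value"]
    return None


def policy_by_subzone(ip, blocked_countries):
    """Equivalent of one reject_*_client line per country subzone."""
    for country in blocked_countries:
        if lookup(query_name(ip, f"{country}.{MAIN_ZONE}")) is not None:
            return "reject"
    return "permit"


def policy_by_a_value(ip, blocked_values):
    """Equivalent of reject_*_client zone=A.B.C.D against the main zone only;
    a hit with some other A value is not a reject."""
    answer = lookup(query_name(ip, MAIN_ZONE))
    return "reject" if answer in blocked_values else "permit"


def policy_whitelist(ip, allowed_countries):
    """The hypothetical permit_*_client ... reject construct: accept only
    clients listed in one of the allowed subzones, reject everything else."""
    for country in allowed_countries:
        if lookup(query_name(ip, f"{country}.{MAIN_ZONE}")) is not None:
            return "permit"
    return "reject"


def without_main_zone(countries, datasets=DATASETS):
    """Model the 'trivial editing': drop the trailing "@" for the given
    countries, so they still answer in their subzone but not in the main zone."""
    edited = {c: dict(d) for c, d in datasets.items()}
    for country in countries:
        edited[country]["in_main"] = False
    return edited


if __name__ == "__main__":
    client = "195.2.96.244"  # inside 195.2.96.0/19, so listed under "lv"
    print(query_name(client, "lv." + MAIN_ZONE))          # 244.96.2.195.lv.countries.blocked.rbl
    print(lookup(query_name(client, MAIN_ZONE)))          # 127.4.2.8
    print(policy_by_a_value(client, {"127.4.2.8"}))       # reject
    print(policy_whitelist(client, ["lv"]))               # permit
```

Reading the model against the quoted log: the query for 244.96.2.195.lv.countries.blocked.rbl answers with the lv A value, the ca subzone answers NXDOMAIN, and the bare main zone answers with the same 127.4.2.8, which is why a main-zone check is only meaningful when the MTA compares the returned A value. After `without_main_zone(["lv"])` the client still matches the lv subzone but no longer matches the main zone, which is the effect of removing the "@" that the message describes.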