[rbldnsd] forwarding?
Chris Gabe
chris at borderware.com
Thu Feb 9 17:52:08 MSK 2006
On Feb 9, 2006, at 9:37 AM, Ronan wrote:
> Chris Gabe wrote:
>> Hoping I understand your topology correctly:
>>   system 1             system 2
>>   [ SA + bind ]  -->   [ rbldnsd ]
>>         |              system 3
>>         \------>       [ DNS server for other domains ]
>
> more like
>   system 1
>   [ SA + bind + rbldnsd ]
>         |              system 2
>         \------>       [ DNS domain cache + server ]
OK. Close enough...
>> Considering
>> [ SA + rbldnsd ] --> [ other DNS ]
>> rbldnsd does not forward queries. It has an NS record but that
>> doesn't forward, it gets returned in the response and leaves it to
>> your resolver to recurse. I may not have the right terminology
>> but, I've been there, it doesn't do that. YMMV
> pants, yeah that's what I thought.
>> I wouldn't use rbldnsd for general name service in any case,
>> you'll run into issues with more esoteric DNS queries. It's not
>> intended for general DNS, in spite of some bits and pieces that
>> get it half way there.
>> As an alternative, consider a small, efficient DNS resolver/
>> caching mechanism designed for that purpose. dnsmasq is a good
>> choice (I've been there, it *does* do that). It lets you cache
>> locally, very efficiently, while still being a full name service.
> yeah since I've been doing some reading it would appear that this
> outperforms bind considerably
>> Just point your
>> resolver to it, configure it to go to your existing name server
>> for cache misses.
> That's exactly what I want to do... currently I'm only running SURBL
> off of rbldnsd but I will probably want to include more in the
> future. Anything else I just want to offload to our domain DNS's
>> It will still go off-box for the non-cached DNSBL
>> queries, but DNSBL's tend to have ttl's of an hour or more, so
>> that's the exception case (you can even configure it to go direct
>> to rbldnsd for the DNSBL domains, locally or on another ip, if you
>> prefer).
> yeah we rsync twice hourly currently...
>> Actually, I'm surprised you notice bind taking up much,
> I'm not sure it is atm, I'm just eliminating any potential bottlenecks
> before I make a case for new hardware from the boss! ;) but I do
> think the system would benefit from running say dnsmasq, djbdns etc
>> compared to
>> email scanning, though it certainly is a horse performing a
>> mouse's task if it's just doing the DNS on the SA system.
>
> yes that's all it's doing currently
>
>> bind is overkill for that,
>> but SA is, like, a brontosaurus in that case.
>> Assuming it's opening the
>> email, which is kind of a given, right?
> ??
I mean, bind is way less than SA because SA opens the email, does
Bayesian analysis etc. The email is an average of 40K, say, whereas
the dns query is a few hundred bytes, and if anything the email data
is more heavily processed per byte.
> Ronan
>> On Feb 9, 2006, at 8:28 AM, Ronan wrote:
>>> Hi list,
>>> I have been using rbldnsd for about a year now serving the
>>> SURBL zones for use with SA. It's been great. I am currently
>>> using bind as a caching NS on the SA machine and was thinking of
>>> moving to a more high performance cache.
>>>
>>> What I'm thinking of, and can't seem to find out from the site is
>>> whether rbldnsd could (running on standard #53 port ) be used to
>>> serve the SURBL zones locally and for any other query forward to
>>> our domain's main NS servers?
>>>
>>> Thanks IA
>>>
>>> Ronan
>>> --
>>> Ronan McGlue
>>> Analyst / Programmer
>>> CMC Systems Group
>>>
>>> Queens University Belfast
>>> _______________________________________________
>>> rbldnsd mailing list
>>> rbldnsd at corpit.ru
>>> http://www.corpit.ru/mailman/listinfo/rbldnsd
>> ________________________________________________________________________
>> Chris Gabe    Manager, Borderware Security Network
>> Phone: 905-804-1855 x283 Fax: 905-804-1865
>> Borderware Technologies Inc. http://www.borderware.com
>
>
> --
> Ronan McGlue
> Analyst / Programmer
> CMC Systems Group
>
> Queens University Belfast
________________________________________________________________________
Chris Gabe    Manager, Borderware Security Network
Phone: 905-804-1855 x283 Fax: 905-804-1865
Borderware Technologies Inc. http://www.borderware.com
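
The dnsmasq arrangement described in the message above, written out as a configuration fragment. This is an added example, not part of the original post or of either project's documentation; the upstream address, the rbldnsd port and the zone name are assumptions.

```conf
# /etc/dnsmasq.conf on the SpamAssassin host (added example).
# Assumed values: upstream 192.0.2.53 (documentation placeholder),
# rbldnsd on 127.0.0.1 port 5353, zone multi.surbl.org.

# Answer local clients only. The host's /etc/resolv.conf then carries
# "nameserver 127.0.0.1" so SpamAssassin's lookups hit this cache.
listen-address=127.0.0.1
bind-interfaces
port=53

# Do not take upstream servers from /etc/resolv.conf, which now points
# back at dnsmasq itself; use only the server= lines below.
no-resolv

# Cache misses for all other names go to the existing site name server.
server=192.0.2.53

# Names under the DNSBL zone go directly to the local rbldnsd instead,
# assumed started with: rbldnsd -b 127.0.0.1/5353 ...
# rbldnsd does not recurse or forward, so it must not be the catch-all.
server=/multi.surbl.org/127.0.0.1#5353

# Number of names held in the cache (the default is much smaller).
cache-size=10000

# DNSBL answers are addresses in 127.0.0.0/8. If stop-dns-rebind is
# ever enabled, exempt the zone or every listing will be discarded:
#stop-dns-rebind
#rebind-domain-ok=/multi.surbl.org/
```

With rbldnsd moved off port 53, it and dnsmasq can share the loopback address on the same machine.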