[rbldnsd] Problems configuring BIND 9 with rbldnsd

Michael Tokarev abuse at corpit.ru
Fri Jun 9 22:52:44 MSD 2006


Aaron K. Moore wrote:
> I'm new to some of this and am having a few problems.
>  
> I have rbldnsd configured and running on port 530 as per the directions
> at http://www.tqmcube.com/rbldnsd.php . 

They're talking about Linux there.  On Linux, the whole 127.0.0.0/8
range (all IP addresses from it) is available as local addresses.
Instead of using a non-standard port, I'd recommend using a 'spare'
IP address for rbldnsd in that range, in case both BIND and rbldnsd
are on the same machine.  Use e.g. the 127.1.2.3 address for rbldnsd (and
standard port 53), and use that same address in named.conf.  So the
two cases collapse into one.  This way, you will be able to
easily query rbldnsd alone, by specifying just the appropriate IP
address (not all DNS tools allow you to specify an alternative port
number).  But ok.

Another suggestion/correction for the setup outlined at that URL
is to NOT use 'forward first' statements.  For a private zone
(e.g. hosts.blocked.rbl - .rbl is not a valid top-level domain in
public DNS), sending any query to official public nameservers
makes no sense, except for additional load on those servers and
extra traffic, both useless.  For internal top-level domains,
one has to use the 'forward always' directive, to tell BIND to NEVER
query any other servers, as none of them knows anything about
that .rbl zone anyway.

I'd like to send the above to TQMCube, but I found no email
address on their site except for some mentions of a 'contact form'
(which I didn't find either), and a spamtrap address shown on every
page (SysAdmin@).  So if anyone knows how to contact them, please
forward the above to them... ;)

> I can successfully query rbldnsd directly using dig, but when I try to
> get bind to forward the requests to rbldnsd it completely
> ignores the forward entry and tries to resolve them using the root servers.
>  
> Any ideas?  This is the first I've done anything with bind and I'm
> stumped as to what's going wrong.

No ideas.  It might be that BIND tries to send its first query to the
wrong IP address (or port), and, due to 'forward first' (as opposed to
'forward always'), failing the first attempt, goes to the official root
nameservers (and receives a "Domain does not exist" reply).  You have
to check whether the BIND and rbldnsd configurations match each other,
that both are using the current configuration (did you forget restarting
or reloading them?), or if that all seems to be ok, try stracing your
named process (while it's doing nothing else, of course), to see what's
going on.  The overall configuration "idea" should Just Work, even with
the above two minor remarks.

> Fedora Core 1 with the latest legacy updates.
>  
> bind-utils-9.2.2.P3-9
> bind-chroot-9.2.2.P3-9

Another possibility: if you're running named in a chroot jail, how
about checking the configuration - I don't remember how it's done in
bind9, but for bind8, it first chroots to the named directory (-t
option), and only after that opens the configuration file.  So the
real conffile isn't /etc/bind.conf, but /var/chroot/named/bind.conf
(just example names, exact locations may be different, but you get
the idea anyway).

> bind-9.2.2.P3-9
> caching-nameserver-7.2-10
>  
> Thanks.
>  
> Aaron

/mjt
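The two configuration points made in the message (a private zone must not fall back to the public roots, and BIND's forwarders must point exactly where rbldnsd listens) are easy to get wrong and hard to spot by eye in a named.conf.  The following lint is an added example, not code from this thread or from the rbldnsd or BIND projects.  It assumes BIND 9's actual spelling of the directive, `forward only` (the message calls it 'forward always'), and that a `forwarders` list without an explicit `forward` statement defaults to `forward first`, which is BIND's documented behaviour.  The named.conf text and the listener set are constructed samples; 127.1.2.3 is the spare loopback address the message suggests.

```python
"""Lint BIND 9 forward-zone stanzas for the two problems raised in the message:
a 'forward first' policy on a private zone, and forwarders that do not point
at the address/port rbldnsd actually listens on.  Added example, not code from
the message or from the rbldnsd/BIND projects."""
import re

# Constructed sample named.conf: the first stanza mirrors the port-530,
# 'forward first' setup; the second is the corrected form (spare 127/8
# address, port 53, 'forward only').  Zone names are made up.
SAMPLE_CONF = """
// constructed sample: non-standard port plus 'forward first'
zone "blocked.rbl" IN {
    type forward;
    forward first;
    forwarders { 127.0.0.1 port 530; };
};

// constructed sample: corrected stanza as suggested in the message
zone "hosts.blocked.rbl" IN {
    type forward;
    forward only;
    forwarders { 127.1.2.3; };
};

zone "." IN {
    type hint;
    file "named.ca";
};
"""

# Where rbldnsd is assumed to listen, as (address, port) pairs.
RBLDNSD_LISTENERS = {("127.1.2.3", 53)}


def _strip_comments(conf: str) -> str:
    """Drop the named.conf comment styles: /* ... */, // ... and # ..."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def _brace_block(text: str, open_idx: int) -> str:
    """Return the body of the brace block whose '{' is at text[open_idx]."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse_forward_zones(conf: str) -> dict:
    """Map zone name -> {'policy': 'first'|'only', 'forwarders': [(addr, port)]}
    for every zone of type forward; other zone types are ignored."""
    conf = _strip_comments(conf)
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        name, body = m.group(1), _brace_block(conf, m.end() - 1)
        if not re.search(r"\btype\s+forward\s*;", body):
            continue
        pol = re.search(r"\bforward\s+(first|only)\s*;", body)
        # BIND's default when forwarders are listed without a policy is 'first'
        policy = pol.group(1) if pol else "first"
        forwarders = []
        fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
        if fwd:
            for entry in fwd.group(1).split(";"):
                entry = entry.strip()
                if not entry:
                    continue
                addr_port = re.match(r"(\S+)(?:\s+port\s+(\d+))?$", entry)
                if addr_port is None:
                    raise ValueError(f"cannot parse forwarder entry {entry!r}")
                port = int(addr_port.group(2)) if addr_port.group(2) else 53
                forwarders.append((addr_port.group(1), port))
        zones[name] = {"policy": policy, "forwarders": forwarders}
    return zones


def lint(conf: str, listeners: set) -> list:
    """Return one finding per problem; an empty list means every forward zone
    uses 'forward only' and points at a known rbldnsd listener."""
    findings = []
    for name, z in parse_forward_zones(conf).items():
        if z["policy"] != "only":
            findings.append(f"{name}: 'forward {z['policy']}' lets BIND fall back "
                            "to the public roots; use 'forward only' for a private zone")
        for addr, port in z["forwarders"]:
            if (addr, port) not in listeners:
                findings.append(f"{name}: forwarder {addr} port {port} does not match "
                                "any rbldnsd listener")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF, RBLDNSD_LISTENERS):
        print(line)
```

Run against the sample, the lint reports both defects of the first stanza (the policy and the address/port mismatch) and nothing for the corrected one.  The brace matching is deliberate: a non-greedy regex would stop at the `};` that closes `forwarders`, not the zone.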

