[rbldnsd] Using rbldnsd to blacklist websites

Lyle lyle at lcrcomputer.net
Fri Jan 26 04:12:58 MSK 2007


I think you need a full featured dns server.  RBLDNSD won't do forwarding.

I am doing that at one of my customers.   I use BIND on Linux in
forwarding mode, but make that local dns server authoritative for those
abusive zones.  We are using a proxy server so I have pretty good stats
on the 'bad' sites that should not be viewed from the office...

I would suggest two machines so that you have some redundancy, as all
your internal workstations will be using these two machines for all dns
queries.  They can be Windows, Unix, Linux or Macs.  BIND runs on all
these platforms.

Lyle

acl "internal" {
        10.0.0.0/8; 127.0.0.0/8; };
options {
        statistics-file "/etc/named/named.stats";
        allow-transfer { "internal"; };
        allow-recursion { "internal"; };
        directory "/etc/named";
        pid-file "named.pid";
        auth-nxdomain no;
        version "Hello from us";
        listen-on { 10.0.x.x; 127.0.0.1; };
        notify-source x.x.x.x;             // not really needed here.
        query-source address x.x.x.x;      // I need this as this server is
                                           // not the master for its internal zones
};
logging {
        category "lame-servers" { "null"; };
};

key rndc_key{
        algorithm hmac-md5;
        secret "whatever";
};
controls{
        inet 127.0.0.1 allow{
                localhost;
        }       keys{
                rndc_key;
        };
};
zone "100.0.0.in-addr.arpa" {
        type slave;
        file "db.100.0.0.in-addr.arpa";
        masters { x.x.x.x; }; };
// Master is on another server outside of their building; the master needs
// also-notify to send notifications of zone changes to this server.  These
// two are not really needed, but used for local caching of internal data.
zone "mycompany.com" {
        type slave;
        file "db.mycompany.com";
        masters { x.x.x.x; }; };

zone "baddomain.com" {                     // Your bad domain to block.
        type master;
        file "db.baddomain.com"; };

On slave change these last three lines to:

zone "baddomain.com" {
        type slave;
        file "db.baddomain.com";
        masters { 10.0.0.0; }; };          // IP address of master server.

contents of db.baddomain.com:

$ORIGIN @
$TTL 86400
@       IN SOA me.mycompany.com. webmaster.mycompany.com. (
        2006022701 10800 3600 604800 86400 )
        IN NS me.mycompany.com.
        IN A 127.0.0.1
www     IN CNAME @
ftp     IN CNAME @
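Added example, not code from this post nor from rbldnsd or BIND: a Python script that does the hosts-file conversion Wayne asks about, but into Lyle's layout, emitting one "type master" zone statement per blocked domain, all sharing a single sinkhole zone file laid out like db.baddomain.com above. The sample blocklist, the zone file name db.sinkhole and the NEVER_BLOCK set are assumptions; names already under a listed parent are dropped because the parent's sinkhole zone already answers them.

```python
import re

# Constructed sample in hosts-file format: a comment, a duplicate, a host
# under an already listed domain, and localhost (which must never be blocked).
SAMPLE_HOSTS = """\
# constructed blocklist
127.0.0.1 localhost
127.0.0.1 badsite.com
127.0.0.1 www.badsite.com   # already covered by badsite.com
0.0.0.0   popupsite.net
127.0.0.1 AnotherVirus.FI
127.0.0.1 badsite.com
"""

# A label is letters, digits and hyphens; a blockable name has 2+ labels.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")
NEVER_BLOCK = {"localhost", "localhost.localdomain"}  # assumed safety list

def parse_hosts(text):
    """Return the sorted, unique, lower-cased names from hosts-file text."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        for name in line.split()[1:]:            # skip the address column
            name = name.lower().rstrip(".")
            if name not in NEVER_BLOCK and HOSTNAME_RE.match(name):
                found.add(name)
    return sorted(found)

def collapse(domains):
    """Drop names whose parent is already blocked: in the parent's sinkhole
    zone @/www/ftp answer 127.0.0.1 and anything else is NXDOMAIN."""
    listed = set(domains)
    def covered(name):
        parts = name.split(".")
        return any(".".join(parts[i:]) in listed for i in range(1, len(parts) - 1))
    return [d for d in domains if not covered(d)]

def zone_statements(domains, zonefile="db.sinkhole"):
    """One 'type master' zone per blocked domain, all sharing one sinkhole
    zone file laid out like db.baddomain.com above (file name is assumed)."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zonefile}"; }};\n' for d in domains
    )

if __name__ == "__main__":
    print(zone_statements(collapse(parse_hosts(SAMPLE_HOSTS))), end="")
```

The printed statements are pasted into named.conf on the master; on the slave each zone gets the "type slave" form shown above instead.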



Wayne Sherman wrote:
> Michael Tokarev,
>
>  I want to use rbldnsd to blacklist abusive websites in addition to,
> or instead of, spam hosts.  A common practice is to use the hosts file
> to block abusive websites by pointing them to a localhost address like
> 127.0.0.1.  See here:
>
> http://www.hosts-file.net/
> and
> http://www.mvps.org/winhelp2002/hosts.htm
>
> Using this technique can bog down a Windows machine, and only benefits
> one PC, not the whole LAN.  So I want to use a lightweight DNS server
> to filter out abusive domains for our whole network.
>
> I can create a script to convert the host file format into a valid
> rbldnsd dataset, but rbldnsd won't take "." (the root domain) as a domain:
>
> RBLDNSD=" \
> web-bl -r /var/lib/rbldnsd/web-bl -q -4 -b 192.168.141.7/53 \
>   .:dnset:test"
>
> My test file contains:
> .mydomain.com
> another.com
>
> I want to use rbldnsd to respond to normal domain queries like these:
>   badsite.com
>   avirussite.com
>   popupsite.net
>   anothervirus.fi
>
> These will have to work, without appending anything else onto the domain.
> The return value should return 127.0.0.2, another address of my choosing,
> or some kind of domain not found error.
>
> Is it possible to use rbldnsd in this way?  Can a DNS server (BIND or
> Windows 2003) be set up to forward queries for all its domains to
> rbldnsd first for blacklist checking?
>
> I have a feeling it might be better to use rbldnsd as the primary
> DNS and have it be a proxy to the real DNS for domains it does not
> have listed.  That provides more control, and gives the option of
> returning a "domain not found" error to the requester for blacklisted
> domains.
>
> Another question, are you interested in adding a dataset type
> for "hosts" file syntax?
>
> Thanks,
>
> Wayne
>
> _______________________________________________
> rbldnsd mailing list
> rbldnsd at corpit.ru
> http://www.corpit.ru/mailman/listinfo/rbldnsd
