[rbldnsd] Using rbldnsd to blacklist websites

Wayne Sherman wsherman at gmail.com
Sat Jan 27 06:20:49 MSK 2007


Lyle,

Thanks for the suggestions. I don't really want to use BIND since it is 
slower and less memory efficient, see here:

http://www.njabl.org/rsync.html
"Two of the biggest benefits of rbldnsd are speed and efficiency. When 
last loaded into bind, the dnsbl.njabl.org used about 90MB of memory. 
When we converted to using rbldnsd, the memory used by rbldnsd to load 
the same data (reformatted into rbldnsd compatible format) was about 
8MB. rbldnsd on a Pentium Pro 180 answers queries about as fast as bind 
on a Pentium III 450. "

I almost have it working. The first item is to get rbldnsd working with 
the root domain ".". That is a valid domain, so I think there might be a 
parsing bug in rbldnsd when parsing out the parameter passed: ".:dnset:test"
Looking at the source, I see the domain "." does not produce the 
"invalid domain name" error. It triggers "missing domain name" during a 
check of the *dataset type*:

(rbldnsd_zones.c - line 140)
    if (!dn[0]) {
      if (!isdstype(ds->ds_type, acl))
        error(0, "missing domain name in `%.60s'", spec);
      if (g_dsacl)
        error(0, "global acl specified more than once");
      g_dsacl = ds;
    }

Is this due to a bug in the parsing code of the "newdataset" function, 
or a problem in what is passed to that function?

I also need to get BIND to use rbldnsd as a forward server. If BIND 
forwards a BL domain to rbldnsd, it will get a 127.0.0.2 response. That 
works. The sticking point is when BIND asks for a non-listed domain. 
rbldnsd answers with NXDOMAIN which BIND happily returns to the querying 
PC. I need rbldnsd to answer with NOERROR/NODATA (NOERROR with an empty 
reply). In this case BIND will look up the domain name itself. The BIND 
docs state:

"forward - This option is only meaningful if the forwarders list is not 
empty. A value of first, the default, causes the server to query the 
forwarders first, and if that doesn't answer the question the server 
will then look for the answer itself."

So I just need rbldnsd to "not answer the question" for non-blacklisted 
domains so BIND will "look for the answer itself". It seems like I can 
make that change pretty easily in the source, but it would be nice to do 
it as a command line option. Even better would be some help from the 
author. In fact, it might be nice to have the option to return 
NXDOMAIN for blacklisted web domains instead of 127.0.0.2. The browser 
then won't try to talk to localhost.

Thanks,

Wayne


Lyle wrote:
> I think you need a full featured dns server.  RBLDNSD won't do forwarding.
>
> I am doing that at one of my customers'.   I use BIND on Linux in
> forwarding mode, but make that local dns server authoritative for those
> abusive zones.  We are using a proxy server so I have pretty good stats
> on the 'bad' sites that should not be viewed from the office...
>
> I would suggest two machines so that you have some redundancy as all
> your internal workstations will be using these two machines for all dns
> queries.  Can be Windows, Unix or Linux or mac's.  Bind runs on all
> these platforms.
>
> Lyle
>
> acl "internal" {
>         10.0.0.0/8; 127.0.0.0/8; };
> options {
>         statistics-file "/etc/named/named.stats";
>         allow-transfer { "internal"; } ;
>         allow-recursion { "internal"; };
>         directory "/etc/named";
>         pid-file "named.pid";
>         auth-nxdomain no;
>         version "Hello from us";
>         listen-on { 10.0.x.x; 127.0.0.1; };
>         notify-source x.x.x.x;           <-- not really needed here.
>         query-source address x.x.x.x;    <-- I need this as this server is not
>                                              the master for its internal zones
>   };
> logging {
>           category "lame-servers"
>                  { "null";};
> };
>
> key rndc_key{
>         algorithm hmac-md5;
>         secret "whatever";
> };
> controls{
>         inet 127.0.0.1 allow{
>                 localhost;
>         }       keys{
>                 rndc_key;
>         };
> };
> zone "100.0.0.in-addr.arpa" {
>         type slave;
>         file "db.100.0.0.in-addr.arpa";
>         masters {x.x.x.x;};};            <-- Master is on another server outside of
>                                              their building, needs the master to use
>                                              also-notify to send notifications of zone
>                                              changes to this server.  These two are not
>                                              really needed, but used for local caching
>                                              of internal data.
> zone "mycompany.com" {
>     type slave;
>         file "db.mycompany.com";
>     masters {x.x.x.x;};};
>
> zone "baddomain.com"{                    <-- Your bad domain to block.
>         type master;
>         file "db.baddomain.com";};
>
> On slave change these last three lines to:
>
> zone "baddomain.com"{
>     type slave;
>     file "db.baddomain.com";
>     masters{10.0.0.0;};};                <-- IP address of master server.
>
> contents of db.baddomain.com:
>
> $ORIGIN @
> $TTL 86400
> @       in SOA me.mycompany.com. webmaster.mycompany.com. (
>         2006022701 10800 3600 604800 86400)
>         in ns me.mycompany.com.
>         in a 127.0.0.1
> www     in cname @
> ftp     in cname @
>
>
>
> Wayne Sherman wrote:
>   
>> Michael Tokarev,
>>
>> I want to use rbldnsd to blacklist abusive websites in addition to,
>> or instead of, spam hosts.  A common practice is to use the hosts file
>> to block abusive websites by pointing them to a localhost address like
>> 127.0.0.1.  See here:
>>
>> http://www.hosts-file.net/
>> and
>> http://www.mvps.org/winhelp2002/hosts.htm
>>
>> Using this technique can bog down a Windows machine, and only benefits
>> one PC, not the whole LAN.  So I want to use a lightweight DNS server
>> to filter out abusive domains for our whole network.
>>
>> I can create a script to convert the hosts file format into a valid
>> rbldnsd dataset, but rbldnsd won't take "." (the root domain) as a domain:
>>
>> RBLDNSD=" \
>> web-bl -r /var/lib/rbldnsd/web-bl -q -4 -b 192.168.141.7/53 \
>>   .:dnset:test"
>>
>> My test file contains:
>> .mydomain.com
>> another.com
>>
>> I want to use rbldnsd to respond to normal domain queries like these:
>>   badsite.com
>>   avirussite.com
>>   popupsite.net
>>   anothervirus.fi
>>
>> These will have to work, without appending anything else onto the domain.
>> The return value should return 127.0.0.2, another address of my choosing,
>> or some kind of domain not found error.
>>
>> Is it possible to use rbldnsd in this way?  Can a DNS server (BIND or
>> Windows 2003) be set up to forward queries for all its domains to
>> rbldnsd first for blacklist checking?
>>
>> I have a feeling it might be better to use rbldnsd as the primary
>> DNS and have it be a proxy to the real DNS for domains it does not
>> have listed.  That provides more control, and gives the option of
>> returning a "domain not found" error to the requester for blacklisted
>> domains.
>>
>> Another question, are you interested in adding a dataset type
>> for "hosts" file syntax?
>>
>> Thanks,
>>
>> Wayne
>>
>> _______________________________________________
>> rbldnsd mailing list
>> rbldnsd at corpit.ru
>> http://www.corpit.ru/mailman/listinfo/rbldnsd
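
The hosts-file-to-dataset conversion script Wayne mentions is not on the page. What follows is an added example written for this archive; it is not code from rbldnsd, hosts-file.net or mvps.org. It assumes the usual "address name [name ...] [# comment]" hosts layout, treats every name on a 0.0.0.0 or 127.0.0.1 line as a block entry apart from the loopback boilerplate names every hosts file carries, and writes the dnset default-value line in the ":127.0.0.2:text" form (check that syntax against the rbldnsd version you run). The sample hosts content embedded below is constructed, not taken from any real list.

```python
"""Convert a hosts-file style blocklist into an rbldnsd dnset dataset.

Added example for this mailing-list thread, not rbldnsd project code.
Assumptions (mine, not the page's): hosts lines look like
"address name [name ...] [# comment]", block entries sit on 0.0.0.0 or
127.0.0.1 lines, and the listed-host value served is 127.0.0.2.
"""
import re
import sys

# Names that appear in every hosts file and must never be blocklisted.
SKIP_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}

# Hosts-file blocklists sink names to one of these addresses.
BLOCK_ADDRS = {"0.0.0.0", "127.0.0.1"}

# Conservative label check: letters, digits, '-' and '_', 1-63 chars, no
# leading or trailing hyphen.  Anything else (spaces, '!', ...) is rejected.
LABEL_RE = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$")


def valid_hostname(name: str) -> bool:
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def hosts_to_dnset(text: str, wildcard: bool = False) -> list:
    """Return sorted, de-duplicated dnset entries for the block names in text.

    wildcard=True prefixes each name with '.', which in dnset syntax lists
    the name together with all of its subdomains instead of the exact name.
    """
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, hostnames = fields[0], fields[1:]
        if addr not in BLOCK_ADDRS:
            continue                               # ::1 lines, real mappings, etc.
        for host in hostnames:
            host = host.lower().rstrip(".")        # DNS names are case-insensitive
            if host in SKIP_NAMES or not valid_hostname(host):
                continue
            names.add(host)
    prefix = "." if wildcard else ""
    return [prefix + n for n in sorted(names)]


def render_dataset(entries: list, value: str = "127.0.0.2",
                   txt: str = "Blocked by local web-bl") -> str:
    """Render a dnset file: the default A/TXT value line, then one entry per line."""
    header = ":%s:%s" % (value, txt)
    return "\n".join([header] + list(entries)) + "\n"


# Constructed sample input in the hosts-file.net / mvps.org style.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0 0.0.0.0
127.0.0.1  badsite.com  www.badsite.com   # tracking
0.0.0.0    AVirusSite.com
127.0.0.1  popupsite.net.
0.0.0.0    anothervirus.fi
192.168.1.10  intranet.mycompany.com      # a real mapping, not a block entry
0.0.0.0    bad_name!.example
"""

if __name__ == "__main__":
    # Usage: hosts2dnset.py [hosts-file]   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    sys.stdout.write(render_dataset(hosts_to_dnset(text)))
```

Run it with a real hosts file as the argument and point rbldnsd at the resulting file as the dnset; the loopback and IPv6 boilerplate lines, the real intranet mapping and the malformed name are all dropped, and mixed-case or trailing-dot names are normalised so duplicates collapse.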

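To make the NXDOMAIN versus NOERROR/NODATA distinction in the message concrete, here is an added example (mine, not rbldnsd or BIND code) that builds and classifies DNS reply headers. It handles only the 12-byte header from RFC 1035 section 4.1.1, which is enough to show the difference; the sample replies are constructed. One caveat a practitioner should keep in mind: NODATA is not an RCODE of its own but NOERROR with an empty answer section (RFC 2308 section 2.2), and a resolver treats both it and NXDOMAIN as complete negative answers that it may cache, so what a forwarding resolver typically counts as "not answering" is a missing reply or a failure code such as SERVFAIL, not an empty successful one.

```python
"""Tell NXDOMAIN from NOERROR/NODATA on the wire.

Added example for this mailing-list thread, not rbldnsd or BIND code.
Only the 12-byte DNS header (RFC 1035 section 4.1.1) is built and parsed;
the sample replies below are constructed.
"""
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 2, 3, 5

# Header flag bits (16-bit field): QR AA TC RD RA ... RCODE
QR, AA, RD, RA, RCODE_MASK = 0x8000, 0x0400, 0x0100, 0x0080, 0x000F


def build_reply_header(qid, rcode, ancount, aa=True, nscount=0):
    """Build a response header: QR set, opcode QUERY, RD/RA set, AA per flag.

    Counts are QDCOUNT=1 (the echoed question), ANCOUNT and NSCOUNT as
    given, ARCOUNT=0.  Only the header is returned; the records it announces
    would follow in a real packet.
    """
    flags = QR | RD | RA | (rcode & RCODE_MASK)
    if aa:
        flags |= AA
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, nscount, 0)


def classify_reply(packet):
    """Classify a DNS reply from its header alone.

    Returns 'answer', 'nodata', 'nxdomain', 'servfail', 'refused' or
    'rcode<n>'.  NODATA is NOERROR with ANCOUNT == 0: a successful reply
    that simply carries no records, which is why it is not an error code.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & RCODE_MASK
    if rcode == RCODE_NOERROR:
        return "answer" if an > 0 else "nodata"
    return {RCODE_SERVFAIL: "servfail", RCODE_NXDOMAIN: "nxdomain",
            RCODE_REFUSED: "refused"}.get(rcode, "rcode%d" % rcode)


# Constructed sample replies for the three cases discussed in the thread:
# a listed name (one A record announced), and a non-listed name answered
# either with NXDOMAIN or with NOERROR/NODATA (an SOA in the authority
# section is announced in both negative cases, as RFC 2308 expects).
LISTED = build_reply_header(0x1234, RCODE_NOERROR, ancount=1)
NOT_LISTED_NXDOMAIN = build_reply_header(0x1235, RCODE_NXDOMAIN, ancount=0, nscount=1)
NOT_LISTED_NODATA = build_reply_header(0x1236, RCODE_NOERROR, ancount=0, nscount=1)

if __name__ == "__main__":
    for label, pkt in [("listed", LISTED),
                       ("not listed, NXDOMAIN", NOT_LISTED_NXDOMAIN),
                       ("not listed, NODATA", NOT_LISTED_NODATA)]:
        print("%-22s -> %s" % (label, classify_reply(pkt)))
```

The classifier is the kind of check you would wire into a test harness when changing what rbldnsd returns for non-listed names: capture the reply with a packet sniffer or a raw UDP socket and feed the first 12 bytes in, rather than trusting a client tool's summary of the result.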