[rbldnsd] Using rbldnsd to blacklist websites

Wayne Sherman wsherman at gmail.com
Sat Jan 27 18:24:48 MSK 2007


Comments inline below...

Lyle wrote:
> ...for what you want to do you need a full featured dns server.
>  RBLDNSD won't do forwarding like you want.

For now I am withdrawing from that idea.  But, I don't think proxying 
(not forwarding) to another server is that difficult.  It does not even 
take any parsing, just save the entire UDP request packet, forward the 
entire packet to the real server, send the real server's UDP reply packet 
back as your reply without even looking into either packet.  The proxy 
would only take place if rbldnsd does *not* have a blacklisted entry.

> Your client workstations are going to talk to one dns server.
> It has to give
> back the answer whether it's a legit ip address or 127.0.0.1 to
> 'blacklist'.  RBLDNSD won't do that for you.

Correct.  That is why I have been trying to use Bind as the primary 
server and use forwarding.

> You already know that BIND
> won't ask someone else when rbldnsd doesn't know the answer.  Even if
> rbldnsd doesn't give back NXDOMAIN, if you have told BIND to use rbldnsd
> as a forwarder, the search stops there no matter what answer rbldnsd
> give back.

The behavior you describe does not agree with the Bind docs.  "Forward 
Only" does what you describe.  I want to use "Forward First":

"forward - ...A value of first, the default, causes the server to query 
the forwarders first, and if that doesn’t answer the question the server 
will then look for the answer itself."

> ...
> And then you won't be changing any source code and will be using off the
> shelf software.  And then when a security issue is found in what you are
> using, you don't have to patch the source again and again and again.

I hoped to discuss this with the author, but he is silent at the moment. 
At any rate, not being able to specify "." as a zone appears to me to 
be a bug.

Thanks,

Wayne
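The "forward first" proxy logic Wayne sketches above (ask rbldnsd, and only if it has no entry hand the untouched packet to the real server), written out as an added example that is not part of this thread or of rbldnsd itself. The two resolvers are injected callables and the packets are constructed header-only samples, so it runs offline; in a real proxy they would be UDP sendto/recvfrom calls.

```python
# Added example, not code from the original post or from rbldnsd.
import struct

NXDOMAIN = 3
HEADER_LEN = 12  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def rcode(packet: bytes) -> int:
    """Low 4 bits of the flags word (bytes 2-3) carry the response code."""
    return struct.unpack("!H", packet[2:4])[0] & 0x0F

def answer_count(packet: bytes) -> int:
    """ANCOUNT lives in bytes 6-7 of the header."""
    return struct.unpack("!H", packet[6:8])[0]

def local_has_answer(reply: bytes) -> bool:
    """rbldnsd 'knows' the name if it answered NOERROR with at least one RR."""
    return rcode(reply) != NXDOMAIN and answer_count(reply) > 0

def forward_first(request: bytes, local_resolver, upstream_resolver) -> bytes:
    """Query the blacklist server first; fall back to the real server when it
    has no entry. The chosen reply is returned byte-for-byte, with one
    defensive check: its transaction ID must match the request, so a stray
    or mismatched upstream reply is never relayed to the client."""
    if len(request) < HEADER_LEN:
        raise ValueError("packet shorter than a DNS header")
    reply = local_resolver(request)
    if not local_has_answer(reply):
        reply = upstream_resolver(request)
    if len(reply) < HEADER_LEN or reply[:2] != request[:2]:
        raise ValueError("transaction ID mismatch in relayed reply")
    return reply

def _header(txid: int, flags: int, qd: int = 1, an: int = 0) -> bytes:
    """Constructed DNS header; question/answer sections are elided."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, 0, 0)

# Constructed sample packets (hypothetical transaction ID 0x1234).
REQUEST = _header(0x1234, 0x0100)             # standard query, RD set
LOCAL_NXDOMAIN = _header(0x1234, 0x8183)      # QR|RD|RA, RCODE=3: not listed
LOCAL_HIT = _header(0x1234, 0x8180, an=1)     # listed: rbldnsd returns an RR
UPSTREAM_OK = _header(0x1234, 0x8180, an=2)   # real server's answer
FOREIGN_REPLY = _header(0x4321, 0x8180, an=1) # wrong transaction ID
```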


