[rbldnsd] Using rbldnsd to blacklist websites
Michael Tokarev
mjt at tls.msk.ru
Sun Jan 28 12:45:30 MSK 2007
Wayne Sherman wrote:
> Lyle,
>
> Thanks for the suggestions. I don't really want to use bind since it is
> slower and less memory efficient, see here:
>
> http://www.njabl.org/rsync.html
> "Two of the biggest benefits of rbldnsd are speed and efficiency. When
> last loaded into bind, the dnsbl.njabl.org used about 90MB of memory.
> When we converted to using rbldnsd, the memory used by rbldnsd to load
> the same data (reformatted into rbldnsd compatible format) was about
> 8MB. rbldnsd on a Pentium Pro 180 answers queries about as fast as bind
> on a Pentium III 450. "
This statement applies to DNSBL zones, because of the way the thing is
stored internally (as 32-bit IPv4 addresses instead of "1.2.3.4" domain
names). For RHSBL zones (dnset), rbldnsd is less efficient, but I haven't
compared it with bind.
> I almost have it working. The first item, is to get rbldnsd working with
> the root domain ".". That is a valid domain, so I think there might be a
> parsing bug in rbldnsd when parsing out the parameter passed: ".:dnset:test"
> Looking at the source, I see the domain "." does not produce the
> "invalid domain name" error. It triggers "missing domain name" during a
> check of the *dataset type*:
For a DNSBL (or RHSBL), you have to specify a "root zone", which can't be "."
(root of all DNS). The check is here for a reason.
By the way, you can work around this check (instead of just removing it in
the source) by specifying several TLDs for your zones, like:
com:dnset:com.data
where com.data contains:
:127.0.0.2:Bad domain
.baddom1
.baddom2
...
Ditto for .net, .org, .biz etc...
> I also need to get bind to use rbldnsd as a forward server. If Bind
> forwards a BL domain to rbldnsd, it will get a 127.0.0.2 response. That
> works. The sticking point is when Bind asks for a non-listed domain.
> rbldnsd answers with NXDOMAIN which Bind happily returns to the querying
> PC. I need rbldnsd to answer with NOERROR/NODATA (NOERROR with an empty
> reply). In this case Bind will lookup the domain name itself. The Bind
> docs state:
You cannot use rbldnsd, or any other standard nameserver, this way.
Seriously.
If you specify a forwarder for BIND, and that forwarder replies with
either OK or NXDOMAIN, BIND will return that reply back to the client.
If you set up rbldnsd as a global forwarder for bind, AND make rbldnsd
authoritative for the root DNS zone (by removing that "bug" in rbldnsd
you mentioned), your clients will receive 127.0.0.2 for all queries for
listed ("bad") domains, or NXDOMAIN for just everything else. In
other words, you'll effectively turn your DNS into a global NXDOMAIN, and
nothing will work.
[]
> So I just need rbldnsd to "not answer the question" for non-blacklisted
> domains so Bind will "look for the answer itself". It seems like I can
Aha, here we go.
"Not answer" - how's that? Just ignore the "not listed" queries and let
it time out? Or what?
> make that change pretty easily in the source, but it would be nice to do
> it as a command line option. Even better would be some help from the
> author. In fact, it might be nice to have the option to return
> NXDOMAIN for blacklisted web domains instead of 127.0.0.2. The browser
> then won't try to talk to localhost.
To me, it all looks like a.. umm... nonsense. It's one large kludge.
Including usage of rbldnsd here.
I understand what you want to do and why. But I don't think it can easily
be done without changes in your CACHING nameserver.
/mjt
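The per-TLD workaround from the reply above (one `com:dnset:com.data` style zone per TLD, with a `:127.0.0.2:Bad domain` default line and dotted entries), as an added example that is not part of the original thread and not rbldnsd's own code. It renders the data files, prints the matching command-line zone specifications, and does a lookup the way an rbldnsd-style dnset match would resolve it: a listed name gets the value, anything else gets nothing, which rbldnsd answers as NXDOMAIN. The blacklist names are constructed placeholders; the dnset semantics assumed are that a leading dot lists the domain and all its subdomains and an undotted entry matches exactly.

```python
"""Added example (not rbldnsd's own code): build per-TLD rbldnsd dnset zones,
the workaround described in the reply, and check names against them the way
an rbldnsd-style lookup would (listed -> value, not listed -> NXDOMAIN)."""
from collections import defaultdict

# Constructed sample blacklist; the names are placeholders, not real listings.
BAD_DOMAINS = ["baddom1.com", "baddom2.com", "evil.net", "phish.example.org"]

# Default value line from the post: A record 127.0.0.2 and TXT "Bad domain".
DEFAULT_VALUE = "127.0.0.2:Bad domain"


def build_zones(bad_domains, default_value=DEFAULT_VALUE):
    """Group names by TLD and render one dnset data file per TLD.

    Returns {tld: text}.  Names are written relative to the zone root
    (so "baddom1.com" becomes ".baddom1" in the "com" zone); the leading
    dot lists the domain and all its subdomains (assumed dnset semantics).
    """
    by_tld = defaultdict(list)
    for name in bad_domains:
        name = name.strip().rstrip(".").lower()
        if "." not in name:
            raise ValueError(f"not a domain under a TLD: {name!r}")
        rel, _, tld = name.rpartition(".")
        by_tld[tld].append(rel)
    zones = {}
    for tld in sorted(by_tld):
        lines = [f":{default_value}"] + ["." + n for n in sorted(set(by_tld[tld]))]
        zones[tld] = "\n".join(lines) + "\n"
    return zones


def rbldnsd_args(zones):
    """Zone specifications in the zone:type:file form used on the command line."""
    return [f"{tld}:dnset:{tld}.data" for tld in zones]


def parse_dnset(text):
    """Minimal dnset parser: returns (name, with_subdomains, value) tuples.

    Handles only the subset used here: ':value' default lines, '.name'
    (domain plus subdomains), 'name' (exact match), optional 'name:value',
    and '#' comments.
    """
    default = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            default = line[1:]          # sets the value for following entries
            continue
        name, _, value = line.partition(":")
        with_subdomains = name.startswith(".")
        entries.append((name.lstrip(".").lower(), with_subdomains, value or default))
    return entries


def lookup(zones, qname):
    """Return the listed value for qname, or None (rbldnsd answers NXDOMAIN).

    Only names under a TLD for which a zone exists can be listed; every
    other name is simply "not listed", there is no NOERROR/NODATA case.
    """
    qname = qname.strip().rstrip(".").lower()
    rel, _, tld = qname.rpartition(".")   # split off the last label
    if not rel or tld not in zones:
        return None
    for name, with_subdomains, value in parse_dnset(zones[tld]):
        if rel == name or (with_subdomains and rel.endswith("." + name)):
            return value
    return None


if __name__ == "__main__":
    zones = build_zones(BAD_DOMAINS)
    for spec in rbldnsd_args(zones):
        print(spec)
    for tld, text in zones.items():
        print(f"--- {tld}.data ---\n{text}", end="")
    for q in ("www.baddom1.com", "good.com", "baddom1.org"):
        print(q, "->", lookup(zones, q) or "NXDOMAIN")
```

Running it prints `com:dnset:com.data`, `net:dnset:net.data`, `org:dnset:org.data`, the three data files, and then shows the point of the thread: a query for a non-listed name under a served TLD (`good.com`) and a query for a listed name under the wrong TLD (`baddom1.org`) both come back as NXDOMAIN, so a resolver that forwards everything to such a server gets NXDOMAIN for nearly all of the namespace.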