[rbldnsd] Using rbldnsd to blacklist websites
Wayne Sherman
wsherman at gmail.com
Sun Jan 28 20:19:33 MSK 2007
> For a DNSBL (or RHSBL), you have to specify a "root zone", which can't be "."
> (root of all DNS). The check is here for a reason.
Understood. rbldnsd was not designed for my usage.
> By the way, you can work around this check (instead of just removing it in
> source), by specifying several TLDs for your zones, like:
>
> com:dnset:com.data
>
> where com.data contains:
>
> :127.0.0.2:Bad domain
> .baddom1
> .baddom2
> ...
>
> Ditto for .net, .org, .biz etc...
That is how I have been testing. I have to parse and reformat the
"hosts" files anyway, so I might as well split them up into different
dataset files. Does having multiple datasets like this have any
performance implications, either positive or negative?
> You can not use rbldnsd, and any other standard nameserver, this way.
> Seriously.
>
> If you specify forwarder for BIND, and if that forwarder replies with
> either OK or NXDOMAIN, BIND will return that reply back to the client.
> If you set up rbldnsd as a global forwarder for bind, AND make rbldnsd
> to be authoritative for root DNS zone (by removing that "bug" in rbldnsd
> you mentioned), your clients will receive 127.0.0.2 for all queries for
> listed ("bad") domains, or NXDOMAIN for just everything else. In the
> other words, you'll effectively turn your DNS into a global NXDOMAIN, and
> nothing will work.
Understood. Since rbldnsd is told to be authoritative for a zone "." or
".com", if it doesn't have a record under those zones it returns
NXDOMAIN as designed and typically expected.
>> So I just need rbldnsd to "not answer the question" for non-blacklisted
>> domains so Bind will "look for the answer itself". It seems like I can
>
> Aha, here we go.
>
> "Not answer" - how's that? Just ignore the "not listed" queries and let
> it time out? Or what?
Those quotes are from the bind reference guide here:
http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#options
(under the "forward" keyword)
Exactly what the documentation means by "not answer the question" is not
explained. I think a NOERROR reply with the answer section empty would
do it. Replying that way is mentioned here in a different context:
http://www.cctec.com/maillists/nanog/historical/0204/msg00559.html
"We've noticed that some sites like news.bbc.co.uk are running broken
DNS servers that return NXDOMAIN for AAAA queries rather than NOERROR
with zero answers."
"there are name server implementations (probably load balancing product)
that responds with NXDOMAIN, when it should respond with NOERROR with
empty reply."
>> make that change pretty easily in the source, but it would be nice to do
>> it as a command line option. Even better would be some help from the
>> author. In fact, it might be nice to have the option to return
>> NXDOMAIN for blacklisted web domains instead of 127.0.0.2. The browser
>> then won't try to talk to localhost.
>
> To me, it all looks like a.. umm... nonsense. It's one large kludge.
> Including usage of rbldnsd here.
I understand rbldnsd is designed to be an rbl for email systems, and it
works a certain way according to that purpose. I need a "WEBDNSBL"
server (my own term) which works in slightly different way. But,
rbldnsd *already does 99.9%* of what a WEBDNSBL would need. *If* bind
works the way I think, then rbldnsd just needs one or two things to be a
good WEBDNSBL:
1) Return some predefined address (like 127.0.0.2) for all BL entries
(rbldnsd already does this now with no changes)
2) *or optionally* return NXDOMAIN for all BL entries
(not strictly required, but might be nice to have, since a browser
would not waste time trying to access a page at the loopback address)
3) Return NOERROR with an empty answer section for domain names it does
not have.
(I could test if this works with BIND's "forward first" with only #3
implemented)
> I understand what you want to do and why. But I don't think it can easily
> be done without changes in your CACHING nameserver.
You may be right, but it depends on BIND's behavior and what exactly
triggers it to "find the answer on its own" when using the "forward
first" option.
Thanks for your reply,
Wayne Sherman
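As an added example (not code from the thread or from rbldnsd), the following Python script does the per-TLD split described above: it parses a hosts-style blocklist and emits one dnset data file per top-level label, in the layout the quoted reply gives (a leading ":127.0.0.2:Bad domain" default line followed by ".name" entries, which in a dnset list the name and its subdomains), plus the matching "tld:dnset:tld.data" zone arguments. The sample hosts lines are constructed for the example; the SKIP set and the file naming are assumptions, not anything the thread or rbldnsd prescribes. Names under multi-label suffixes such as co.uk end up in the "uk" dataset as ".name.co", which still matches because dnset entries are relative to the zone.

```python
"""Split a hosts-style blocklist into per-TLD rbldnsd dnset data files.

Added example; not part of the original post or of rbldnsd itself.
"""
from collections import defaultdict

# Constructed sample input in "hosts" format (address followed by hostnames).
SAMPLE_HOSTS = """\
# constructed sample hosts-style blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 tracker.example.net
127.0.0.1 BadDom1.com
0.0.0.0 evil.example.org extra.example.org
"""

LISTED_VALUE = "127.0.0.2"   # A record rbldnsd returns for listed names
LISTED_TEXT = "Bad domain"   # TXT text, as in the quoted dataset example

# Assumed set of hosts-file names that are never blocklist entries.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "local"}


def parse_hosts(text):
    """Return hostnames from hosts-format text, ignoring comments and loopback names."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        # first field is the address; every remaining field is a hostname
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP or "." not in name:
                continue
            names.append(name)
    return names


def split_by_tld(names):
    """Group names by their rightmost label; entries are stored relative to that zone."""
    by_tld = defaultdict(set)
    for name in names:
        rest, _, tld = name.rpartition(".")
        by_tld[tld].add(rest)
    return by_tld


def render_dataset(entries):
    """Render one dnset data file: default value line, then one '.name' line per entry."""
    lines = [f":{LISTED_VALUE}:{LISTED_TEXT}"]
    lines += [f".{entry}" for entry in sorted(entries)]
    return "\n".join(lines) + "\n"


def build_datasets(text):
    """Return ({tld: dataset_text}, [zone arguments for the rbldnsd command line])."""
    by_tld = split_by_tld(parse_hosts(text))
    files = {tld: render_dataset(entries) for tld, entries in by_tld.items()}
    zone_args = [f"{tld}:dnset:{tld}.data" for tld in sorted(files)]
    return files, zone_args


if __name__ == "__main__":
    datasets, args = build_datasets(SAMPLE_HOSTS)
    for tld, body in sorted(datasets.items()):
        with open(f"{tld}.data", "w") as fh:   # assumed file naming
            fh.write(body)
    print("rbldnsd zone arguments:", " ".join(args))
```

Because every entry starts with ".", a listing for example.org also answers for www.example.org; if only the exact name should be listed, drop the leading dot for that entry.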
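The message turns on the difference between three kinds of reply: an answer carrying 127.0.0.2, NXDOMAIN, and NOERROR with an empty answer section (what RFC 2308 calls NODATA). As a second added example, again not from the thread or from rbldnsd, this Python script builds each of the three replies in DNS wire format and classifies them by inspecting the header rcode and answer count, so a reader can point classify_reply() at real bytes read from a UDP socket and see which of the three a forwarder actually returns. The query names and transaction id are constructed; build_reply() only emits A records and a single compression pointer to the question name, which is all the example needs.

```python
"""Classify DNS replies: NXDOMAIN vs NOERROR/empty answer (NODATA) vs answered.

Added example; not part of the original post or of rbldnsd itself.
"""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(qname, rcode, answers=()):
    """Constructed reply: header, one A/IN question, and an A record per address."""
    txid = 0x1234                       # constructed transaction id
    flags = 0x8180 | rcode              # QR=1, RD=1, RA=1, rcode in the low 4 bits
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + question + rrs


def classify_reply(msg):
    """Return 'NXDOMAIN', 'NODATA', 'ANSWERED' or 'ERROR:<rcode>' for a reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode != RCODE_NOERROR:
        return f"ERROR:{rcode}"
    return "ANSWERED" if ancount > 0 else "NODATA"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def answer_addresses(msg):
    """Return the IPv4 addresses carried by A records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # skip qtype and qclass
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


if __name__ == "__main__":
    samples = {
        "listed":   build_reply("baddom1.com", RCODE_NOERROR, ["127.0.0.2"]),
        "nxdomain": build_reply("good.example.com", RCODE_NXDOMAIN),
        "nodata":   build_reply("good.example.com", RCODE_NOERROR),
    }
    for label, msg in samples.items():
        print(f"{label:9s} {classify_reply(msg):9s} {answer_addresses(msg)}")
```

A reply from an authoritative server that is NODATA normally also carries an SOA in the authority section; the classifier ignores that section because the distinction the thread cares about is rcode plus whether the answer section is empty.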