[rbldnsd] Using rbldnsd to blacklist websites

Wayne Sherman wsherman at gmail.com
Sun Jan 28 22:37:59 MSK 2007


>> (I could test if this works with bind's "forward first" with only #3
>> implemented)
> 
> You can easily hack it in, for testing.  Use generic dataset, add, say,
> MX record for some name, and query that name for any other RR type
> (like A for example) - you'll get positive (NOERROR) reply with empty
> answer section (this can be done with any other NS as well).

I just tried this.  Here is a direct query of rbldnsd:

[root@grump ~]# dig A ex.com @localhost

; <<>> DiG 9.3.3rc2 <<>> A ex.com @localhost
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60699
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ex.com.                                IN      A

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 28 11:26:11 2007
;; MSG SIZE  rcvd: 24

Here is a query of bind using a rbldnsd as a "forward first":

[root@grump ~]# dig A ex.com @grump

; <<>> DiG 9.3.3rc2 <<>> A ex.com @grump
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13710
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ex.com.                                IN      A

;; Query time: 5 msec
;; SERVER: 192.168.141.7#53(192.168.141.7)
;; WHEN: Sun Jan 28 11:32:03 2007
;; MSG SIZE  rcvd: 24

After receiving an empty answer from rbldnsd, bind passed that back
to the requester.  To be complete though, I should try to test what happens
when bind gets a non-authoritative "empty" answer.  Is there an easy way
to make rbldnsd return the empty answer with the AA flag off?

Thanks,

Wayne
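
Added example, not part of the original message and not rbldnsd or bind code: the two dig outputs above differ only in the header flags (`aa` from rbldnsd, `ra` without `aa` through bind). This Python example rebuilds the two 24-byte replies from the values dig printed (constructed bytes, not packet captures) and classifies each by RCODE, AA bit and answer count; the function names `build_reply` and `classify` are hypothetical.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_reply(msg_id, flags, qname, qtype=1, qclass=1):
    """Build a constructed reply with no records: header plus question only."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def classify(msg):
    """Return (rcode name, AA flag set?, kind) for a raw DNS reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    code = flags & 0x000F
    rcode = RCODES.get(code, "RCODE%d" % code)
    if rcode == "NOERROR" and ancount == 0:
        kind = "empty answer"   # the case tested in the message above
    elif rcode == "NOERROR":
        kind = "answer"
    else:
        kind = "error"
    return rcode, bool(flags & AA), kind


# Constructed from the dig output above: same ids and flags, question
# "ex.com. IN A", zero records in every section.
DIRECT = build_reply(60699, QR | AA | RD, "ex.com")    # flags: qr aa rd
VIA_BIND = build_reply(13710, QR | RD | RA, "ex.com")  # flags: qr rd ra

if __name__ == "__main__":
    for label, msg in (("rbldnsd direct", DIRECT), ("via bind", VIA_BIND)):
        print(label, "size", len(msg), classify(msg))
```
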
