[rbldnsd] Using rbldnsd to blacklist websites

Michael Tokarev mjt at tls.msk.ru
Sun Jan 28 22:57:08 MSK 2007


Wayne Sherman wrote:
>>> (I could test if this works with binds "forward first" with only #3
>>> implemented)
>>
>> You can easily hack it in, for testing.  Use generic dataset, add, say,
>> MX record for some name, and query that name for any other RR type
>> (like A for example) - you'll get positive (NOERROR) reply with empty
>> answer section (this can be done with any other NS as well).
> 
> I just tried this.  Here is a direct query of rbldnsd:
[]
> After receiving an empty answer from rbldnsd, bind passed that back to
> the requester.  To be complete though, I should try to test what happens

That's how it SHOULD work.  Exactly.  I gave you the above example just
so you'll be able to see that yourself ;)

With other return codes it may work differently, but I again refer you
to notes in my previous email.  It's a big kludge.

> when bind gets a non-authoritative "empty" answer.  Is there an easy way
> to make rbldnsd return the empty answer with the AA flag off?

Yes - don't fill in NS information, and don't use -a switch.
This way (w/o -a), rbldnsd will try to add NS info, but since there's
no NS info available, it'll not turn AA bit on.  If memory serves me
right anyway.

But that doesn't matter - BIND will just forward that "NOERROR + 0 answers"
reply back to that client, exactly the same way it does that with AA
reply.

What you need is either a DNS proxy which does this 'blocklisting' stuff,
or that blocklisting implemented inside the resolving nameserver.

/mjt
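The exchange above turns on the difference between a "NOERROR + 0 answers" (NODATA) reply and an NXDOMAIN reply, and on whether the AA bit is set. The following is an added example, not code from the thread or from rbldnsd: it builds minimal DNS reply packets of the kinds discussed (the query id, names and the constructed MX record are assumptions) and classifies them the way a client behind a forwarder would see them.

```python
import struct

# DNS header flag bits and rcodes (RFC 1035)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_MX, CLASS_IN = 1, 15, 1

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def mx_rr(preference, exchange, ttl=300):
    """One MX answer RR, owner name compressed to the question name (offset 12)."""
    rdata = struct.pack("!H", preference) + encode_name(exchange)
    return (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata))
            + rdata)

def build_reply(qname, qtype, rcode, aa, answers=()):
    """Build a reply echoing the question; answers is a list of encoded RRs.
    Query id 0x1234 is a constructed value."""
    flags = QR | RD | RA | rcode | (AA if aa else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers)

def classify(reply):
    """Return (kind, aa_set) as seen by the client: NODATA is NOERROR with
    an empty answer section, which is distinct from NXDOMAIN."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif rcode == RCODE_NOERROR:
        kind = "NODATA" if ancount == 0 else "ANSWER"
    else:
        kind = "RCODE%d" % rcode
    return kind, bool(flags & AA)

if __name__ == "__main__":
    name = "www.example.com"   # constructed name, not from the thread
    # generic dataset has an MX for the name; an A query yields NOERROR, 0 answers
    print(classify(build_reply(name, TYPE_A, RCODE_NOERROR, aa=True)))   # ('NODATA', True)
    print(classify(build_reply(name, TYPE_A, RCODE_NOERROR, aa=False)))  # ('NODATA', False)
    print(classify(build_reply(name, TYPE_MX, RCODE_NOERROR, True,
                               [mx_rr(10, "mail.example.com")])))       # ('ANSWER', True)
    print(classify(build_reply(name, TYPE_A, RCODE_NXDOMAIN, aa=False)))  # ('NXDOMAIN', False)
```

A client receiving the first two replies sees the same NODATA result whether or not the AA bit was set, which is why the forwarder passes them through identically.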

