[rbldnsd] Using rbldnsd to blacklist websites
Wayne Sherman
wsherman at gmail.com
Mon Jan 29 01:14:16 MSK 2007
Michael Tokarev wrote:
> You can try to see how other codes work. To test REFUSED replies, add
> an ACL "dataset" which contains address of your recursive/caching NS, so
> that all queries from it will be REFUSED by rbldnsd.
That works. If rbldnsd replies with REFUSE, bind looks up the request
on its own:
Query of rbldnsd directly:
[root@grump ~]# dig A google.com @localhost
; <<>> DiG 9.3.3rc2 <<>> A google.com @localhost
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48487
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 28 14:06:24 2007
;; MSG SIZE rcvd: 28
Query of bind with "forward first" to rbldnsd:
[root@grump ~]# dig A google.com @grump
; <<>> DiG 9.3.3rc2 <<>> A google.com @grump
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26064
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 64.233.167.99
google.com. 300 IN A 64.233.187.99
google.com. 300 IN A 72.14.207.99
;; AUTHORITY SECTION:
google.com. 345121 IN NS ns3.google.com.
google.com. 345121 IN NS ns4.google.com.
google.com. 345121 IN NS ns1.google.com.
google.com. 345121 IN NS ns2.google.com.
;; Query time: 103 msec
;; SERVER: 192.168.141.7#53(192.168.141.7)
;; WHEN: Sun Jan 28 14:13:27 2007
;; MSG SIZE rcvd: 148
So, (I know you don't like this) but how can I get rbldnsd to reply with
REFUSE for all domain names it does not have entries for instead of
NXDOMAIN?
Thanks,
Wayne
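
Added example, not part of the original post or of rbldnsd: a Python sketch that rebuilds the 28-byte REFUSED reply shown in the first dig output (id 48487, flags qr rd, question only), decodes its header, and maps the rcode to the outcome the thread describes. The function names and `forwarder_outcome` are hypothetical; the NXDOMAIN branch is an assumption implied by the question above, not a statement of BIND's full logic.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_reply(msg_id, qname, rcode, rd=True, ra=False):
    """Constructed sample: a reply with a question section and no records."""
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }

def forwarder_outcome(hdr):
    """Hypothetical model of the behaviour reported in the thread only."""
    if hdr["rcode"] == "REFUSED":
        return "fall back: resolver looks the name up on its own"
    if hdr["rcode"] == "NXDOMAIN":
        return "final: client is told the name does not exist"
    return "not covered by the thread"

if __name__ == "__main__":
    for rcode in (5, 3):
        reply = build_reply(48487, "google.com", rcode)
        hdr = parse_header(reply)
        print(len(reply), hdr["rcode"], "->", forwarder_outcome(hdr))
```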