[rbldnsd] Using rbldnsd to blacklist websites
Michael Tokarev
mjt at tls.msk.ru
Mon Jan 29 14:13:06 MSK 2007
Wayne Sherman wrote:
> Michael Tokarev wrote:
>> You can try to see how other code works. To test REFUSED replies, add
>> an ACL "dataset" which contains address of your recursive/caching NS, so
>> that all queries from it will be REFUSED by rbldnsd.
>
> That works. If rbldnsd replies with REFUSE, bind looks up the request
> on its own:
[]
> So, (I know you don't like this) but how can I get rbldnsd to reply with
> REFUSE for all domain names it does not have entries for instead of
> NXDOMAIN?
I think you can hack the code a bit for that, it's not difficult.
In rbldnsd_packet.c:replypacket() (which you already tried to alter),
call 'refuse(DNS_R_REFUSED)' macro if `found' is zero, right before
the "now complete the reply: ..." comment, and probably a bit above
it as well, right after "if (qi.qi_dnlab == 0)" test (so that it'll
refuse queries to TLDs too).
As for adding an option to do all that from commandline/etc, I don't
think I'm about to do it. Not even because I think the whole thing
is ugly, but I'm not sure how to do it umm... properly. The logic
becomes quite unclear, that is - how, say, a dnset plus generic
datasets will work together, what to do with queries to the base DN
and things like that. And how to specify the new behaviour, too --
I mean, what option or directive to use, and how to describe it in
docs (if something is difficult to describe, usually it's because
it is done wrong).
/mjt
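As an added illustration (not code from rbldnsd or from the thread's author), the following stand-alone C mirrors the decision described above: refuse when `qi_dnlab` is zero, refuse unknown names when a hypothetical `refuse_unknown` switch is set, otherwise answer NXDOMAIN as today. The RCODE numbers are the standard RFC 1035 values; `choose_rcode`, `set_reply_rcode` and `reply_rcode_for` are names made up for this example.

```c
#include <stdint.h>

/* Standard RCODE values from RFC 1035 (assumed here, not rbldnsd's macros). */
#define DNS_R_NOERROR  0
#define DNS_R_NXDOMAIN 3
#define DNS_R_REFUSED  5

/* Hypothetical mirror of the hack described in the mail:
 *   - qi_dnlab == 0: query for the base DN / TLD itself  -> REFUSED
 *   - found == 0 (no dataset entry): REFUSED if refuse_unknown, else NXDOMAIN
 *   - otherwise complete the reply normally (NOERROR). */
static int choose_rcode(int found, unsigned qi_dnlab, int refuse_unknown)
{
    if (qi_dnlab == 0)
        return DNS_R_REFUSED;
    if (!found)
        return refuse_unknown ? DNS_R_REFUSED : DNS_R_NXDOMAIN;
    return DNS_R_NOERROR;
}

/* Stamp an RCODE into a 12-byte DNS header: set QR=1 (response) in byte 2,
 * keep the client's other flag bits, and put the code in the low 4 bits of
 * byte 3, where a resolver such as BIND reads it. */
static void set_reply_rcode(uint8_t hdr[12], int rcode)
{
    hdr[2] |= 0x80;                              /* QR = 1: this is a response */
    hdr[3] = (uint8_t)((hdr[3] & 0xF0) | (rcode & 0x0F));
}

/* Build a reply from a constructed sample query header and return the
 * RCODE the client would decode from it. */
static int reply_rcode_for(int found, unsigned qi_dnlab, int refuse_unknown)
{
    /* constructed query header: id 0x1234, RD set, QDCOUNT 1, rest zero */
    uint8_t hdr[12] = { 0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };
    set_reply_rcode(hdr, choose_rcode(found, qi_dnlab, refuse_unknown));
    return hdr[3] & 0x0F;
}
```

As the thread observes, a REFUSED reply makes a recursive server like BIND resolve the name on its own, so the switch changes what the caching resolver does next, not only what rbldnsd sends.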