[rbldnsd] The basics - help

amos at treenetnz.com amos at treenetnz.com
Wed Feb 14 23:51:28 MSK 2007 

> Hi folks,
>
> I just have a couple questions and I am currently trying to pin point if
> I'm doing this correctly.
>
> The scenario and setups are as follows.
>
> This is a Gentoo Linux distro.
> BIND version 9.4.0
> rbldnsd version 0.996
> Postfix version 2.3.7
>
> Sample of named.conf ...
>
> Seeting up a forward of each CIDR ip pool based on country.
>
> zone "AE.blocked.rbl" IN {
> type forward;
> forward first;
> forwarders {
> 127.0.0.1 port 530;
> };
> };
> zone "AF.blocked.rbl" IN {
> type forward;
> forward first;
> forwarders {
> 127.0.0.1 port 530;
> };
> };
> zone "AG.blocked.rbl" IN {
> type forward;
> forward first;
> forwarders {
> 127.0.0.1 port 530;
> };
> };

You may be able to reduce this bit of the configuration a lot by using:
zone "blocked.rbl" IN {
  type forward;
  forward first;
  forwarders {
  127.0.0.1 port 530;
  };
};

rbldnsd will return NXDOMAIN for _anything_ outside its specified and
correctly loaded zone content. This produces a possible answer to your
other question about UK.

The catch-22 is when you are wanting to publish any other subzone of
'blocked.rbl' that are not being served by rbldnsd.
Which is not usually the case but _might_ occur.

The rest of the configs look okay.

>
> -----------------------------------------
>
>
> I'm just trying to figure out if I'm getting this down right or not.
>
> I seem to have issues with (I think) not picking up some of the country
> like per say the UK codes.  They are still getting thru.  I'm just
> trying to get a grasp on if my approach is correct.  Any advice would be
> greatly appreciated.  If anyone needs more info I can provide that.
>
> Thanks folks.
>
> --Mosher

The results there depend on two very important things:

 - Where you are getting the country data.
    The RIR sources are well-known for their high rates of bad or
misleading content and the alternative manual efforts at fixing it are
by nature always behind the facts.

 - Whether the zones are all loading properly.
    Check your syslog or output from rbldnsd startup for lines with
wranings and errors. If a zonefile line cannot be validated it is
dropped from the live zone and the blocking-hit will never occur.


AYJ

More information about the rbldnsd mailing list