[rbldnsd] The basics - help

Steve E. Mosher steve at moshtech.com
Thu Feb 15 06:34:42 MSK 2007


Hey folks,

Feb 14 19:29:00 mail-mx named[9581]: unexpected RCODE (REFUSED)
resolving '153.247.96.66.ZM.blocked.rbl/A/IN': 127.0.0.1#530
Feb 14 19:29:00 mail-mx named[9581]: unexpected RCODE (REFUSED)
resolving '153.247.96.66.ZR.blocked.rbl/A/IN': 127.0.0.1#530

Is this normal in the syslog when using rbldnsd with BIND?

--Mosher

> -----Original Message-----
> From: rbldnsd-bounces at corpit.ru [mailto:rbldnsd-bounces at corpit.ru] On
> Behalf Of Michael Tokarev
> Sent: Wednesday, February 14, 2007 1:52 PM
> To: rbldnsd at corpit.ru
> Subject: Re: [rbldnsd] The basics - help
> 
> amos at treenetnz.com wrote:
> []
> >> Setting up a forward of each CIDR ip pool based on country.
> >>
> >> zone "AE.blocked.rbl" IN {
> >>     type forward;
> >>     forward first;
> >>     forwarders {
> >>         127.0.0.1 port 530;
> >>     };
> >> };
> 
> First of all this "forward first" is WRONG.  It directs BIND to query
> the given nameserver (127.0.0.1:530 in this case) AND if that failed,
> process normally starting from regular root nameservers.  This way,
> if rbldnsd is, say, reloading and thus not answering promptly, you'll
> get NXDOMAIN for existing entries.
> 
> Please follow this simple rule: For all your internal domains, don't
> let queries out.
> 
> []
> > You may be able to reduce this bit of the configuration a lot by using:
> > zone "blocked.rbl" IN {
> >   type forward;
> >   forward first;
> 
> ditto
> 
> >   forwarders {
> >   127.0.0.1 port 530;
> >   };
> > };
> >
> > rbldnsd will return NXDOMAIN for _anything_ outside its specified and
> > correctly loaded zone content. This produces a possible answer to your
> > other question about UK.
> 
> This is wrong.  rbldnsd will return REFUSED for any base zone not specified
> on the command line.  Say, you loaded a.rbl and b.rbl, and query for c.rbl -
> rbldnsd will correctly return REFUSED because it doesn't know anything about
> it and can't perform recursive lookups.
> 
> But together with the above mistake ("forward first"), the whole thing WILL
> work - it's a rare case where two minuses give a plus as a result.  But it's
> only a visible plus - internally the query goes thru outside nameservers which
> it shouldn't.
> 
> /mjt
> 
> _______________________________________________
> rbldnsd mailing list
> rbldnsd at corpit.ru
> http://www.corpit.ru/mailman/listinfo/rbldnsd
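The rule mjt states above (a forward zone for an internal RBL must never fall back to outside nameservers) is easy to audit mechanically. The following is an added example, not code from the thread, from rbldnsd or from BIND: a small Python checker that parses the zone blocks of a named.conf fragment, flags every forward zone that would fall back to normal recursion (an explicit `forward first;`, or no `forward` directive at all, which BIND treats as `first`), and rewrites such zones to `forward only;`. The sample named.conf below is constructed for the example; the zone names reuse the ones quoted in the thread, and the parsing is a deliberately minimal brace-matcher, not a full named.conf grammar.

```python
import re

# Constructed sample named.conf fragment (not from the thread). It mixes the
# "forward first" zone quoted in the message, a corrected "forward only" zone,
# a forward zone that omits the directive entirely, and a normal master zone.
SAMPLE_NAMED_CONF = """
zone "AE.blocked.rbl" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "blocked.rbl" IN {
    type forward;
    forward only;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "ZR.blocked.rbl" IN {
    type forward;
    forwarders {
        127.0.0.1 port 530;
    };
};

zone "example.com" IN {
    type master;
    file "/etc/bind/db.example.com";
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{', re.IGNORECASE)
TYPE_FWD_RE = re.compile(r'\btype\s+forward\s*;', re.IGNORECASE)
FWD_POLICY_RE = re.compile(r'\bforward\s+(first|only)\s*;', re.IGNORECASE)


def zone_spans(conf):
    """Yield (name, body_start, body_end, body) for each zone block.

    Nested braces (the forwarders { ... } sub-block) are handled by counting
    depth until the zone's own closing brace is reached.
    """
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == '{':
                depth += 1
            elif conf[i] == '}':
                depth -= 1
            i += 1
        yield m.group(1), m.end(), i - 1, conf[m.end():i - 1]


def find_leaky_forward_zones(conf):
    """Return the names of forward zones whose queries can escape to outside
    nameservers. BIND's default when 'forward' is omitted is 'first', so a
    missing directive is reported exactly like an explicit 'forward first'."""
    leaky = []
    for name, _, _, body in zone_spans(conf):
        if not TYPE_FWD_RE.search(body):
            continue  # master/slave/hint zones are not forwarders
        m = FWD_POLICY_RE.search(body)
        policy = m.group(1).lower() if m else 'first'
        if policy == 'first':
            leaky.append(name)
    return leaky


def harden(conf):
    """Return a copy of conf in which every forward zone uses 'forward only'.

    An explicit 'forward first;' is replaced in place; a forward zone without
    any 'forward' directive gets 'forward only;' inserted after 'type forward;'.
    Non-forward zones and text outside zone blocks are copied untouched.
    """
    out, pos = [], 0
    for _, start, end, body in zone_spans(conf):
        out.append(conf[pos:start])
        if TYPE_FWD_RE.search(body):
            if FWD_POLICY_RE.search(body):
                body = FWD_POLICY_RE.sub('forward only;', body)
            else:
                body = TYPE_FWD_RE.sub('type forward;\n    forward only;', body, count=1)
        out.append(body)
        pos = end
    out.append(conf[pos:])
    return ''.join(out)


if __name__ == "__main__":
    for zone in find_leaky_forward_zones(SAMPLE_NAMED_CONF):
        print(f"zone {zone}: queries can fall back to recursion, use 'forward only'")
    print(harden(SAMPLE_NAMED_CONF))
```

Run against the sample, the checker reports `AE.blocked.rbl` (explicit `forward first`) and `ZR.blocked.rbl` (no directive, so BIND's default applies), leaves `blocked.rbl` and `example.com` alone, and `harden()` produces a fragment for which the checker reports nothing. Only the `forward first`/`forward only` choice is audited here; whether rbldnsd actually serves each of those base zones (the cause of the REFUSED answers mjt describes) has to be checked against the rbldnsd command line separately.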

