[rbldnsd] managing 'thousands' of zones in RBLDNSd rather than Bind9?
Michael Tokarev
mjt at tls.msk.ru
Wed Aug 29 03:01:30 MSD 2007
snowcrash+rbldnsd wrote:
> hi,
>
> i have a small, resource-thin (soekris 4801, 256MB RAM) freebsd box as
> a network-edge router/firewall
[]
> i'd now like to add a list of zones to be 'blackholed' (not sure if
> that's proper usage here ... )
>
> e.g., a list of adtracker-zones that i simply want to redirect
> A-record queries for to a local web-server's IP.
>
> following example/instructions at,
>
> http://mark.foster.cc/wiki/index.php/Trackers
>
> it's fairly simple to do in bind9.
>
> BUT, with a *long* list of domains -- e.g. 1500+ in a list I have --
> the required bind9 table space, and corresponding memory footprint,
> grows HUGE. e.g., from the ~11Mb above to ~70Mb.
>
> Obviously overkill for this usage.
>
> So, my question is:
>
> Can this be done via RBLDNSd, instead?
>
> I don't think (?) that the 'right way' is to add thousands of lines of
> per-domain config to rc.conf's
>
> rbldnsd_enable="YES"
> rbldnsd_flags=${rbldnsd_flags:-"\
> ...
> "}
>
> or, is it?
>
> Any suggestions?
Well.. it's a good question. And sadly, I don't know an easy answer to it.

The way the list is used is umm.. non-standard, so to say. I.e., you want
to blackhole (or redirect, whatever) some real domains, like hitbox.com for
example (assuming it's on the list), -- you want to "steal" those domains
inside your network, so that regular DNS queries will be serviced by the
local nameserver instead of asking regular nameservers authoritative for
the domain in question.

This way, you have to tell *NAMED* (which is your primary resolver) to hand
those domains elsewhere - that's already enough for it to want quite some
amount of memory. Even if in rbldnsd memory usage will be adequate, BIND
still needs something significant, so much so that it's not feasible anymore
to use rbldnsd for this task.

The proper way here is to integrate a sort of "filter" into BIND, maybe based
on some rbldnsd data structures (which are fairly simple by the way). But
such a solution doesn't exist - at least to my knowledge.

If it were a sort of "RHSBL" - i.e., instead of stealing unwanted domain
names completely at protocol level, an application (browser, whatever)
will query a real DNS-based block-list - that's direct usage of rbldnsd.
But not for stealing complete domain names like that.

So the short answer is -- this way, you have to either modify NAMED, or
place some DNS proxy in front of it, which will filter queries before
sending them to NAMED. That is, some sort of tweaking is needed on the
NAMED side or in front of it, not behind it.

By the way, BIND9 has some API for "plug-ins", which can be used to even
integrate rbldnsd into it - and more, someone tried to implement exactly
this. But again, this feature doesn't help here - one has to define a
list of zones - real zones from BIND's point of view - anyway to steal
(many) domains like this.

Oh well.

/mjt
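As an added example (not code from this thread, nor from rbldnsd or BIND): a minimal query-filtering UDP proxy of the kind described in the reply above, which answers IN A queries for listed domains (and their subdomains) with a local web-server address and passes every other query through to named unchanged. The domain list, the redirect address 10.0.0.5 and named listening on local port 5353 are assumptions; it handles one query at a time and parses only uncompressed question names, which is what ordinary clients send.

```python
import socket
import struct
# Constructed sample list; in practice this would be the 1500-line tracker-domain file.
BLOCKED = {"hitbox.com", "example-tracker.net"}
REDIRECT_IP = "10.0.0.5"        # assumed: the local web server that should answer for ad hosts
UPSTREAM = ("127.0.0.1", 5353)  # assumed: named moved to a local, non-standard port

def parse_qname(packet):
    """Return (qname, offset of QTYPE) from a wire-format DNS query packet."""
    labels, pos = [], 12                    # question section starts right after the header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower(), pos + 1  # skip the terminating zero-length label

def is_blocked(qname, blocked=BLOCKED):
    """True if qname is a listed domain or any subdomain of one."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def local_answer(packet, ip=REDIRECT_IP):
    """Build the reply: an A record pointing at ip, or an empty answer for other query types."""
    qname, pos = parse_qname(packet)
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    question = packet[12:pos + 4]
    if qtype != 1 or qclass != 1:           # not an IN A query: NOERROR with no records
        return packet[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 0, 0, 0) + question
    header = packet[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)  # QR, RD, RA set
    # Answer RR: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, address
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rr

def serve(listen=("0.0.0.0", 53)):
    """Answer listed names locally; forward everything else to named, one query at a time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(2)
    while True:
        data, client = sock.recvfrom(512)
        if is_blocked(parse_qname(data)[0]):
            sock.sendto(local_answer(data), client)
            continue
        up.sendto(data, UPSTREAM)
        try:
            sock.sendto(up.recvfrom(4096)[0], client)
        except socket.timeout:
            pass                            # named did not answer in time; the client will retry
```

Run serve() with enough privilege to bind port 53 and point clients at it; named then keeps only its normal, small configuration, since the stolen domains never reach it.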