[rbldnsd] managing 'thousands' of zones in RBLDNSd rather than Bind9?
Wayne Sherman
wsherman at gmail.com
Wed Aug 29 05:13:19 MSD 2007
snowcrash+rbldnsd wrote:
> hi wayne,
>
>> It can be done using bind and a patched version of rbldnsd. Some info here:
>>
>> http://www.corpit.ru/pipermail/rbldnsd/2007q1/thread.html
>> See the thread "[rbldnsd] Using rbldnsd to blacklist websites"
>
> i just skimmed the thread ... got the gist of it.
>
> not clear about the order of queries/forwards (seemed rbldnsd was both
> before & after bind9 ... gotta re-read).
If I remember correctly, bind is set to "forward first" to rbldnsd. If
the domain is blacklisted, rbldnsd returns a specific address or
optionally NXDOMAIN. If the domain is not blacklisted, rbldnsd returns
REFUSE and bind goes out to look up the domain on its own. After the
first query of a blacklisted domain, bind holds the answer in cache
(e.g. 127.0.0.2 or NXDOMAIN) and doesn't need to requery rbldnsd for
repeat lookups. Likewise a non-blacklisted domain is cached and is not
forwarded again for rbldnsd to check it, but bind serves it directly
from cache. You can think of rbldnsd as a sort of bind cache populator
for blacklisted domains.
> you're not using dnsmasq for RBL service for mail, too, though -- are you?
No, I use it on my LAN as the main DNS server. In my usage, one
instance of dnsmasq accomplishes these things:
1) authoritative server for static hosts in my internal domain
2) caching server for external domains
(it is not a resolving server, so first time lookups are forwarded to
our ISP's DNS)
3) authoritatively serving blocked domains as 0.0.0.0 from a hosts file
4) dhcp server
(dynamic host names are automatically served authoritatively from dns)
dnsmasq lets me use separate hosts files for different purposes. So I
compiled a "hosts_blacklist" file from these:
http://www.hosts-file.net/
http://www.mvps.org/winhelp2002/hosts.htm
Wayne
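The forward-first sequence described above, as an added simulation in Python (not bind, rbldnsd or dnsmasq code from the thread): the blacklist server is asked first, REFUSED falls through to normal resolution, and both outcomes land in the cache so rbldnsd is consulted only once per name. The domain names, addresses and the in-memory tables are constructed stand-ins.

```python
# Constructed stand-in for the patched rbldnsd's data: listed names get an
# answer (an address or NXDOMAIN), anything else is answered REFUSED.
BLACKLIST = {"bad.example": "127.0.0.2", "phish.example": "NXDOMAIN"}
# Constructed stand-in for what bind finds when it resolves on its own.
UPSTREAM = {"good.example": "192.0.2.10"}

REFUSED = "REFUSED"


def rbldnsd_lookup(name):
    """Blacklist server: listed -> answer, unlisted -> REFUSED."""
    return BLACKLIST.get(name, REFUSED)


def upstream_lookup(name):
    """Bind resolving the name itself; unknown names are NXDOMAIN."""
    return UPSTREAM.get(name, "NXDOMAIN")


class ForwardFirstResolver:
    """Models bind with 'forward first' pointed at rbldnsd."""

    def __init__(self):
        self.cache = {}   # name -> cached answer (address or NXDOMAIN)
        self.log = []     # (name, who answered) per query, for inspection

    def resolve(self, name):
        if name in self.cache:                 # repeat lookup: served locally
            self.log.append((name, "cache"))
            return self.cache[name]
        answer = rbldnsd_lookup(name)          # forwarder is tried first
        if answer != REFUSED:
            self.log.append((name, "rbldnsd"))
        else:                                  # not listed: resolve normally
            answer = upstream_lookup(name)
            self.log.append((name, "upstream"))
        self.cache[name] = answer              # both outcomes are cached
        return answer

    def rbldnsd_queries(self):
        """How many times the blacklist server was actually consulted."""
        return sum(1 for _, who in self.log if who != "cache")


if __name__ == "__main__":
    r = ForwardFirstResolver()
    for n in ["bad.example", "good.example", "bad.example", "good.example"]:
        print(n, "->", r.resolve(n))
    print("rbldnsd consulted", r.rbldnsd_queries(), "times for 4 queries")
```

Because the non-blacklisted answer is cached as well, a name added to the blacklist later is not rechecked until bind's cached entry expires or the cache is flushed.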