[rbldnsd] I HATE BIND - please help

Lyle Giese lyle at lcrcomputer.net
Fri Feb 29 18:03:58 MSK 2008


Chris. wrote:
> On Thu, 28 Feb 2008 17:15:49 -0600, Lyle Giese wrote...
>   
>>>> It works for me ... try changing the -b 75.160.109.247/530 in your
>>>> rbldnsd_flags to 127.0.0.2.  Better yet change it to 0.0.0.0/530 for
>>>> testing.
>>>>
>>>>         
> ---8<---SNIP---8<-----
>   
>>> I'm not sure you understood me when I said rbldnsd wouldn't bind to
>>> the loopback block. Here's some examples of the output:
>>>
>>> -b 127.0.0.2/530
>>> rbldnsd: unable to bind to 127.0.0.2/530: Can't assign requested address
>>>
>>> -b 127.0.0.2
>>> rbldnsd: unable to bind to 127.0.0.2: Can't assign requested address
>>>
>>> -b 127.0.0.3/530
>>> rbldnsd: unable to bind to 127.0.0.3/530: Can't assign requested address
>>>
>>> ... and so on.
>>> Nothing else is bound to those IP's.
>>> So like I said, the only difference between the two is the BIND version -
>>> 9.4 vs. 9.3. Which leads me to believe rbldnsd won't/doesn't
>>> work the same on newer versions of BIND.
>>>
>>> Thanks for taking the time to reply.
>>>
>>> --Chris H
>>>
>>>   
>>>       
>>>> Cheers,
>>>>
>>>>         
>>> ds
>>>       
> ---8<--SNIP--8<---
>   
>>> _______________________________________________
>>> rbldnsd mailing list
>>> rbldnsd at corpit.ru
>>> http://www.corpit.ru/mailman/listinfo/rbldnsd
>>>
>>>       
>
>   
>> I use BIND and rbldnsd on the same server here.  I have BIND bound to
>> 127.0.0.1, 192.168.x.4 and 209.172.152.4.  I have rbldnsd bound to
>> 209.172.152.6.  Why do you need rbldnsd bound to the loopback?  And if
>> BIND is bound to 127.0.0.1, I can understand why rbldnsd would not bind
>> to 127.0.0.x.  I don't remember in this thread if you stated BIND was
>> bound to 127.0.0.1 or not.
>>     
>
> Indeed. 127.0.0.1 is almost always configured, and bound-to in BIND, as
> well as the 127.0.0 block as a zone itself. A difference in the 9.4 version
> of the BIND vs. 9.3 is that it comes with a 127.in-addr.arpa zone. Which
> greatly enlarges the default "loopback" block from its previous default
> 127.0.0.0/24. So in answer to your question - yes, I have a "loopback"
> zone, and the BIND /is/ using 127.0.0.1 on port 953 (the control zone
> for RNDC). The "loopback" zone I defined is a 127.0.0.0/24 (254 IP's)
> which has always been more than enough for my needs. As a matter of fact
> the only IP strictly defined in it is 1.0.0.127-in-addr.arpa.
> Also, as far as the BIND is concerned; the only reference(s) to the
> RBLDNSD IP's is the "blackhole" zone defined as follows:
> zone "blackhole.nomorespam.COM" {
>       type forward;
>       forward only;
>       forwarders { <internet routable IP> port 530; };
> };
>
> No mention of the loopback block here. The place it's used is in
> RBLDNSD's zone:
>
> blackhole.nomorespam.COM:ip4tset:clients
> :127.0.0.2:REFUSED! Too much abuse from the $ network, goodbye...
> 111.222.333.444
> 555.666.777.888
>  ...
> 999.000.111.222
>
> Note the use of 127.0.0.2 above. I use 127.0.0.3
> in an ip4set also. The command line uses: -b <my internet routable IP>/530
> I only used any of the "loopback" addresses on the command line to test
> for issues with RBLDNSD binding to (using) the IP's I defined in the
> zones (ip4tset || ip4set). I had no trouble on a BIND-9.3 server. This
> all only became a problem on a BIND-9.4 server. I hope this was clearer.
>
> Thank you for taking the time to respond.
>
> --Chris H
>
>   
What you have for information in your zone files is immaterial to what
addresses/ports named or rbldnsd bind to. The reference to 127.0.0.2
above is in reference to the answer (content of the zone files) rbldnsd
will give back when queried and has nothing to do with what address/port
rbldnsd is listening on. The term 'bind' as a verb references the
ability of a process to attach itself to an IP address/port
combination. I think part of the problem here is the terminology used
here. You may be stating your question in a manner that is confusing as
to what your issue is.

When you use the -b command line parameter, that binds rbldnsd to an IP
address/port combination and has nothing to do with the data it answers
for (contents of its zone files). For my in-house use, I have a zone
defined as rbl.lcrcomputer.com and put an NS record in BIND/named's zone
files. So my queries for my blacklist would be of the form:

dig 2.0.0.127.rbl.lcrcomputer.com

or to ask about 209.172.152.2

dig 2.152.172.209.rbl.lcrcomputer.com

and in my lcrcomputer.com zone file in Bind/named, I have:

rbl.lcrcomputer.com. in ns ns1.lcrcomputer.net

And in my lcrcomputer.net zone:

ns1.lcrcomputer.net in a 209.172.152.4

And no, it's not accessible via the Internet; it's an internal-only service.

If 209.172.152.2 is listed in my rbl zone, rbldnsd gives back the answer
in the form of an A record giving 127.0.0.1 (or .2 for your zone). If that
IP is not listed in your rbl zone, rbldnsd gives back a not-found answer.

Lyle
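Added example, not part of Lyle's or Chris's messages and not rbldnsd's own code: a small Python model of the distinction the reply makes between the data a DNSBL zone answers with and the address/port the daemon listens on. It reads a constructed ip4set-style file (the `:A:TXT` default line and plain-IP entries as in the quoted blackhole zone; CIDR entries, per-entry `:A:TXT` overrides and the `$`-to-queried-IP substitution in TXT are assumed from rbldnsd's ip4set conventions and are not shown on the page), builds the reversed-octet query name the way the `dig 2.152.172.209.rbl.lcrcomputer.com` example does, and returns the 127.0.0.x A record, or nothing, for a queried IP. The zone name, addresses and file contents are all constructed. Nothing in it touches a listening socket: that is the `-b` setting, which the zone data cannot influence.

```python
"""Toy model of an rbldnsd-style ip4set DNSBL: zone data vs. listening address.

Added example, not rbldnsd's code. The zone name, addresses and file
contents below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# rbldnsd dataset spec as written on the command line: zone:type:file
DATASET_SPEC = "blackhole.nomorespam.COM:ip4tset:clients"

# Constructed contents of the "clients" file. The leading ':A:TXT' line sets
# the default answer; '$' in TXT is assumed to be replaced with the queried IP.
# CIDR entries and per-entry ':A:TXT' overrides are assumed ip4set features
# (ip4tset proper takes single IPs with one default value).
CLIENTS_FILE = """\
# comment lines start with '#'
:127.0.0.2:REFUSED! Too much abuse from the $ network, goodbye...
192.0.2.10
198.51.100.0/24
203.0.113.77:127.0.0.3:Listed under a different code
"""


@dataclass
class Entry:
    net: ipaddress.IPv4Network
    a: str    # A record returned for a hit, e.g. 127.0.0.2
    txt: str  # TXT record returned for a hit


@dataclass
class Dnsbl:
    zone: str                                   # lower-case, no trailing dot
    entries: List[Entry] = field(default_factory=list)


def parse_dataset(spec: str, text: str) -> Dnsbl:
    """Read a zone:type:file spec plus the file body into a lookup table."""
    zone, _dstype, _fname = spec.split(":", 2)
    default_a, default_txt = "127.0.0.2", ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):            # ':A:TXT' -> new default values
            _, default_a, default_txt = line.split(":", 2)
            continue
        parts = line.split(":", 2)          # 'ip[/len][:A[:TXT]]'
        a = parts[1] if len(parts) > 1 and parts[1] else default_a
        txt = parts[2] if len(parts) > 2 else default_txt
        net = ipaddress.ip_network(parts[0], strict=False)  # bare IP -> /32
        entries.append(Entry(net, a, txt))
    return Dnsbl(zone.lower().rstrip("."), entries)


def query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a client asks for:
    209.172.152.2 -> 2.152.172.209.<zone>. (same shape as the dig examples)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def lookup(dnsbl: Dnsbl, qname: str) -> Optional[Dict[str, str]]:
    """Answer a query against the zone data: A+TXT for a listed IP, None
    (a not-found answer) otherwise. The most specific entry wins."""
    name = qname.lower().rstrip(".")
    suffix = "." + dnsbl.zone
    if not name.endswith(suffix):
        return None                         # not our zone at all
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None                         # labels do not form an IPv4 address
    best: Optional[Entry] = None
    for e in dnsbl.entries:
        if ip in e.net and (best is None or e.net.prefixlen > best.net.prefixlen):
            best = e
    if best is None:
        return None
    return {"A": best.a, "TXT": best.txt.replace("$", str(ip))}


if __name__ == "__main__":
    db = parse_dataset(DATASET_SPEC, CLIENTS_FILE)
    for probe in ("192.0.2.10", "198.51.100.200", "203.0.113.77", "203.0.113.78"):
        qn = query_name(probe, db.zone)
        print(qn, "->", lookup(db, qn) or "not found")
```

The 127.0.0.2 and 127.0.0.3 values only ever appear in the returned answer; the model has no notion of which interface serves it, which is the point of the reply: a daemon that fails with "unable to bind" is failing on its listening address, and nothing in the dataset files can change that.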

