[rbldnsd] I HATE BIND - please help

Chris. cth at fastmail.ca
Mon Mar 3 17:25:14 MSK 2008 

On Sun, 02 Mar 2008 23:50:21 +0300, Michael Tokarev wrote...

> Chris. wrote:
> []
>> FWIW both the working, and non-working installs were on BSD/OS
>> (FreeBSD).
> 
> Ok.
> 
>> FWIW both installs declared only localhost at 127.0.0.1 in their hosts
>> file.
> Irrelevant -- DNS internally works by using IP addresses only,
> never looking into hosts file.
> 
>> FWIW both installs used only 1 (one) Internet Routable IP address on
>> the RBLDNS commandline.
> Irrelevant - 1, 10, 100 - makes no difference.
> 
>> FWIW nospammers.COM, and nospammers.NET each have a different, and
>> valid internet routable addresses. Both names are fictitious in this
>> dialog, as I'm not ready to announce them until I have a working, and
>> stable RBLDNSD install. I hope that's understandable. :)
> 
> By the way, you can have as many IP addresses for a domain [name] as
> you wish, including 0.  The opposite is true as well - as many domain
> names can live on a single IP address as necessary.

Understood. I currently host ~25 domains on one of my servers. I only
mentioned it, should it make a difference to RBLDNSD.

> 
>> FWIW other than the FQDN, and IP addresses, the only difference
>> between the 2 installs is the version of BSD, and the version of the
>> BIND.
> 
> So this brings up my first question - the inability to bind to
> loopback other than 127.0.0.1.  I'm not an expert in FreeBSD, so it's
> not my game. Maybe it's version dependent, maybe some local settings
> or compile-time flag - I've no idea.  The thing is that one of your
> systems allows to bind to any 127.x.x.x address freely, while another
> does not.
> 
> Note it's not rbldnsd who refuses to bind to 127.0.0.3 etc, it's the
> Operating System who does not permit it to do so.
> 
> If you don't believe me, try the following perl program:
> 
> --------- cut -------------
> #! /usr/bin/perl -W
> use Socket;
> socket(H, PF_INET, SOCK_DGRAM, 0) or die "socket: $!";
> my $sin = sockaddr_in(1053, inet_aton($ARGV[0] || "127.0.0.3"));
> bind(H, $sin) or die "bind: $!";
> print "success!\n";
> --------- cut -------------
> 
> run it on your "working" machine (which allows to bind to
> non-127.0.0.1 addresses) and on your "non-working" machine.  Try
> without starting bind and/or rbldnsd or anything else (except network,
> obviously) - it does not matter which version of bind you're running.
> 

I ran this on several of my servers. In /all/ cases, the script returned:

bind: Can't assign requested address at ./run-me.pl line 5.

I also modified it to use 127.0.0.2

it returned: bind: Can't assign requested address at ./run-me.pl line 5.

modifying it to 127.0.0.1 returned:

Success!

All attempts also included the server that successfully ran RBLDNSD.

> Yet again: this issue (rbldnsd is unable to bind to 127.0.0.3 etc)
> is a completely separate issue, unrelated to any other.  You already
> worked around it(*) by using your PRIP instead of loopback range.

OK

> 
>> FWIW I realize that the thread has obscured my original post which
>> included my detailed (and working) config/setup. If you wish me to
>> repeat it, I would be more than happy to reproduce it here. Also, if
>> there is anything else required/desired to assist you, please let me
>> know, as I will be happy to oblige. ;)
> 
> I just re-read your original message.  And to be fair, I don't see a
> question in it which I can answer...  You describe your working setup
> in full details, next you describe some other setup you want to
> achieve (which is different from your current setup, but by very small
> details), and next you ask if someone has a recipe...  But you already
> gave a recipe in your working setup, which needs only few changes to
> adopt.

I'm listening. :)

> 
>> FWIW I'm confident that this is a resolvable problem. As such, I have
>> begun creating
> 
> They all definitely ARE solvable problems.  Let's start hunting them
> one-by-one.

That is always the most efficient diagnoses. :)

> 
>> a web interface to the RBLDNSD lists which can be manipulated from a
>> web browser, and stored in a DB. Hope this helps.
> 
> Heh.  Maybe - I for one hate web interfaces ;)

Then you may be encouraged to know that I /only/ made the "web" portion
in an effort to permit requests to become whitelisted, and to allow
mail users to manipulate their own lists. The whole thing has been incarnated
from the scripts I've already created, and have already been using to
manipulate (manage) the lists from my terminal (console), or cron.
Point being; the web part isn't required to accomplish everything it
provides. The web part was only an "after effect".

> 
>> OH. One more thing. It might be worth noting that there is a bug in
>> the 9.4 BIND related to name resolution (gethostbyname as I recall).
>> This may be the difference, which may require some sort of kludge to
>> work around - see; may be the trouble.
> 
> bind does not use gethostbyname() library routine.

I only remember that there was a bug (freebsd related) regarding
gethostbyname(), in the way bind used/required it. Unfortunately
isc is /very/ secretive about their bugs, and I can't seem to find
it right now.

> Regardless, it's not the bug to worry about in our case.

Good to know.

> 
>> Thank you again for taking the time to respond. Please do not trouble
>> yourself until you are feeling better. I will be more than happy to
>> wait until then. :)
> 
> Yes I'm *much* better now.  When I wrote first reply to you, I had
> temp of 38.4C - it was a flu (grippe as we call it here).  Now I'm
> back to normal again.

Glad to hear it. Congratulations. :)

> 
> Ok, back to our horses/sheeps/whatever.
> 
> From this thread I gavered the following your problems so far:
> 
> 1) bind to loopback but non-127.0.0.1 address.  See above.  It's your
> job to find what's going on here, or ask on freebsd list(s) - again,
> you know better than me here.

127.0.0.1 OK, > 127.0.0.1 !OK

> 
> 2)
> Duplicating my previous /working/ setup on the new server, /ALWAYS/
> 1204196045 <internet IP here> 165.193.171.124.blackhole.nospammers.NET
> A IN: REFUSED/0/61
> 
> this means (provided you don't have any fancy stuff like acl enabled
> in rbldnsd) that it knows nothing about blackhole.nospammers.NET zone.
> and as such it just refuses to answer you.  Show the command line and
> actual domain name, or just check they match your expectations.  For
> example:
> 
> rbldnsd ... f00.com:ip4set:data
> 
> and query it as
> 
> dig 1.2.3.4.foo.com ...
> 
> it will return REFUSED, see why already? :)
> 
> So, configure your system to allow binding to 127.0.0.2etc, bind
> rbldnsd somewhere there TO PORT 53 (standard DNS port), and use dig
> (or whatever) to query rbldnsd directly first.  Only after do the
> next step and debug it all correctly.  By the way, you can try
> dnsget utility from http://www.corpit.ru/mjt/udns.html -- it matches
> `host' utility from BIND and allows to specify port too (maybe dig
> has 'port' option as well? I don't remember).

Both nslookup, and bind allow port selection on queries.
nslookup -port=65536, for example.

> 
> 3) problem spotted by furio ercolessi (well spotted!) --
> 
>>> # dig @my.internet.routable.IP 2.0.0.127.blackhole.nospammers.NET
>>> or:
>>> # dig @my.internet.routable.IP 3.0.0.127.blackhole.nospammers.NET
> ...
>>> The RBLDNSD logs all return:
>>> 1204196617 111.222.333.444 999.888.777.666.blackhole.nospammers.COM
>>> A IN: REFUSED/0/61
> 
> this *smells* like that f00.com vs foo.com above!
> 
> 
> The rest.  Well.
> 
> You're making.. strange conclusions.  Seriously.  Just this sequence:
> 
> "..no matter how I query... rbldnsd writes "REFUSED" into log.. it's
> probably due to the fact that it refuses to bind to 127.0.0.2.. Only
> bind is different on the 2 machines, from which I conclude that
> rbldnsd is incompatible with some later version of bind".
> 
> It's a set of 3 completely unrelated issues.  Yet you managed to glue
> them all together and make it so one is due to another.  It's..
> fantastic!

Thanks. :) Message received.

> 
> I don't want to offend you, not at all.  This is really interesting -
> I recall some very good politics, usually "big" politics, are able to
> do such things.  (Remember that today was President Elections day here
> in Russia ;)

LOL

> 
> 
> Oh-oh.  This reply was much longer than previous - it is even
> longer than your original message! ;)

LOL Sorry, I was attempting to be concise. Hope that was OK.

> 
> Something like that, anyway... ;)

Thank you /very/ much for taking the time to make such a cohesive
and sensible reply out of such a garbled thread - /amazing/, truly!

I'm still leaning on differences in the BIND from the one version
on the /working/ server vs. the version on the /non/ working server.
So I'll experiment some more, now armed with the knowledge you've
provided here, and I'll report back shortly.

Thank you again!

--Chris H

> 
> /mjt
> _______________________________________________
> rbldnsd mailing list
> rbldnsd at corpit.ru
> http://www.corpit.ru/mailman/listinfo/rbldnsd
_________________________________________________________________
    http://fastmail.ca/ - Fast Secure Web Email for Canadians

More information about the rbldnsd mailing list