[rbldnsd] I HATE BIND - please help
Chris.
cth at fastmail.ca
Tue Mar 4 14:43:36 MSK 2008
On Tue, 04 Mar 2008 22:56:19 +1300, Amos Jeffries wrote...
> Chris. wrote:
>> On Mon, 3 Mar 2008 14:25:14 +0000 (UTC), Chris. wrote...
>>
>>> On Sun, 02 Mar 2008 23:50:21 +0300, Michael Tokarev wrote...
>>>
>>>> Chris. wrote:
>>>> []
>>>>> FWIW both the working, and non-working installs were on BSD/OS
>>>>> (FreeBSD).
>>>> Ok.
>>>>
>>>>> FWIW both installs declared only localhost at 127.0.0.1 in their
>>>>> hosts file.
>>>> Irrelevant -- DNS internally works by using IP addresses only,
>>>> never looking into hosts file.
>>>>
>>>>> FWIW both installs used only 1 (one) Internet Routable IP address
>>>>> on the RBLDNS commandline.
>>>> Irrelevant - 1, 10, 100 - makes no difference.
>>>>
>>>>> FWIW nospammers.COM, and nospammers.NET each have a different, and
>>>>> valid internet routable addresses. Both names are fictitious in
>>>>> this dialog, as I'm not ready to announce them until I have a
>>>>> working, and stable RBLDNSD install. I hope that's understandable.
>>>>> :)
>>>> By the way, you can have as many IP addresses for a domain [name]
>>>> as you wish, including 0. The opposite is true as well - as many
>>>> domain names can live on a single IP address as necessary.
>>> Understood. I currently host ~25 domains on one of my servers. I
>>> only mentioned it, should it make a difference to RBLDNSD.
>>>
>>>>> FWIW other than the FQDN, and IP addresses, the only difference
>>>>> between the 2 installs is the version of BSD, and the version of
>>>>> the BIND.
>>>> So this brings up my first question - the inability to bind to
>>>> loopback other than 127.0.0.1. I'm not an expert in FreeBSD, so
>>>> it's not my game. Maybe it's version dependent, maybe some local
>>>> settings or compile-time flag - I've no idea. The thing is that
>>>> one of your systems allows to bind to any 127.x.x.x address freely,
>>>> while another does not.
>>>>
>>>> Note it's not rbldnsd who refuses to bind to 127.0.0.3 etc, it's
>>>> the Operating System who does not permit it to do so.
>>>>
>>>> If you don't believe me, try the following perl program:
>>>>
>>>> --------- cut -------------
>>>> #! /usr/bin/perl -W
>>>> use Socket;
>>>> socket(H, PF_INET, SOCK_DGRAM, 0) or die "socket: $!";
>>>> my $sin = sockaddr_in(1053, inet_aton($ARGV[0] || "127.0.0.3"));
>>>> bind(H, $sin) or die "bind: $!";
>>>> print "success!\n";
>>>> --------- cut -------------
>>>>
>>>> run it on your "working" machine (which allows to bind to
>>>> non-127.0.0.1 addresses) and on your "non-working" machine. Try
>>>> without starting bind and/or rbldnsd or anything else (except
>>>> network, obviously) - it does not matter which version of bind
>>>> you're running.
>>>>
>>> I ran this on several of my servers. In /all/ cases, the script
>>> returned:
>>>
>>> bind: Can't assign requested address at ./run-me.pl line 5.
>>>
>>> I also modified it to use 127.0.0.2
>>>
>>> it returned: bind: Can't assign requested address at ./run-me.pl
>>> line 5.
>>>
>>> modifying it to 127.0.0.1 returned:
>>>
>>> Success!
>>>
>>> All attempts also included the server that successfully ran RBLDNSD.
>>>
>>>> Yet again: this issue (rbldnsd is unable to bind to 127.0.0.3 etc)
>>>> is a completely separate issue, unrelated to any other. You
>>>> already worked around it(*) by using your PRIP instead of loopback
>>>> range.
>>> OK
>>>
>>>>> FWIW I realize that the thread has obscured my original post which
>>>>> included my detailed (and working) config/setup. If you wish me to
>>>>> repeat it, I would be more than happy to reproduce it here. Also,
>>>>> if there is anything else required/desired to assist you, please
>>>>> let me know, as I will be happy to oblige. ;)
>>>> I just re-read your original message. And to be fair, I don't see
>>>> a question in it which I can answer... You describe your working
>>>> setup in full details, next you describe some other setup you want
>>>> to achieve (which is different from your current setup, but by very
>>>> small details), and next you ask if someone has a recipe... But
>>>> you already gave a recipe in your working setup, which needs only
>>>> few changes to adopt.
>>> I'm listening. :)
>>>
>>>>> FWIW I'm confident that this is a resolvable problem. As such, I
>>>>> have begun creating
>>>> They all definitely ARE solvable problems. Let's start hunting
>>>> them one-by-one.
>>> That is always the most efficient diagnoses. :)
>>>
>>>>> a web interface to the RBLDNSD lists which can be manipulated from
>>>>> a web browser, and stored in a DB. Hope this helps.
>>>> Heh. Maybe - I for one hate web interfaces ;)
>>> Then you may be encouraged to know that I /only/ made the "web"
>>> portion in an effort to permit requests to become whitelisted, and
>>> to allow mail users to manipulate their own lists. The whole thing
>>> has been incarnated from the scripts I've already created, and have
>>> already been using to manipulate (manage) the lists from my terminal
>>> (console), or cron. Point being; the web part isn't required to
>>> accomplish everything it provides. The web part was only an "after
>>> effect".
>>>
>>>>> OH. One more thing. It might be worth noting that there is a bug
>>>>> in the 9.4 BIND related to name resolution (gethostbyname as I
>>>>> recall). This may be the difference, which may require some sort
>>>>> of kludge to work around - see; may be the trouble.
>>>> bind does not use gethostbyname() library routine.
>>> I only remember that there was a bug (freebsd related) regarding
>>> gethostbyname(), in the way bind used/required it. Unfortunately
>>> isc is /very/ secretive about their bugs, and I can't seem to find
>>> it right now.
>>>
>>>> Regardless, it's not the bug to worry about in our case.
>>> Good to know.
>>>
>>>>> Thank you again for taking the time to respond. Please do not
>>>>> trouble yourself until you are feeling better. I will be more than
>>>>> happy to wait until then. :)
>>>> Yes I'm *much* better now. When I wrote first reply to you, I had
>>>> temp of 38.4C - it was a flu (grippe as we call it here). Now I'm
>>>> back to normal again.
>>> Glad to hear it. Congratulations. :)
>>>
>>>> Ok, back to our horses/sheeps/whatever.
>>>>
>>>> From this thread I gavered the following your problems so far:
>>>>
>>>> 1) bind to loopback but non-127.0.0.1 address. See above. It's
>>>> your job to find what's going on here, or ask on freebsd list(s) -
>>>> again, you know better than me here.
>>> 127.0.0.1 OK, > 127.0.0.1 !OK
>>>
>>>> 2)
>>>> Duplicating my previous /working/ setup on the new server, /ALWAYS/
>>>> 1204196045 <internet IP here>
>>>> 165.193.171.124.blackhole.nospammers.NET A IN: REFUSED/0/61
>>>>
>>>> this means (provided you don't have any fancy stuff like acl
>>>> enabled in rbldnsd) that it knows nothing about
>>>> blackhole.nospammers.NET zone. and as such it just refuses to
>>>> answer you. Show the command line and actual domain name, or just
>>>> check they match your expectations. For example:
>>>>
>>>> rbldnsd ... f00.com:ip4set:data
>>>>
>>>> and query it as
>>>>
>>>> dig 1.2.3.4.foo.com ...
>>>>
>>>> it will return REFUSED, see why already? :)
>>>>
>>>> So, configure your system to allow binding to 127.0.0.2etc, bind
>>>> rbldnsd somewhere there TO PORT 53 (standard DNS port), and use dig
>>>> (or whatever) to query rbldnsd directly first. Only after do the
>>>> next step and debug it all correctly. By the way, you can try
>>>> dnsget utility from http://www.corpit.ru/mjt/udns.html -- it
>>>> matches `host' utility from BIND and allows to specify port too
>>>> (maybe dig has 'port' option as well? I don't remember).
>>> Both nslookup, and bind allow port selection on queries.
>>> nslookup -port=65536, for example.
>>>
>>>> 3) problem spotted by furio ercolessi (well spotted!) --
>>>>
>>>>>> # dig @my.internet.routable.IP 2.0.0.127.blackhole.nospammers.NET
>>>>>> or:
>>>>>> # dig @my.internet.routable.IP 3.0.0.127.blackhole.nospammers.NET
>>>> ...
>>>>>> The RBLDNSD logs all return:
>>>>>> 1204196617 111.222.333.444
>>>>>> 999.888.777.666.blackhole.nospammers.COM A IN: REFUSED/0/61
>>>> this *smells* like that f00.com vs foo.com above!
>>>>
>>>>
>>>> The rest. Well.
>>>>
>>>> You're making.. strange conclusions. Seriously. Just this
>>>> sequence:
>>>>
>>>> "..no matter how I query... rbldnsd writes "REFUSED" into log..
>>>> it's probably due to the fact that it refuses to bind to
>>>> 127.0.0.2.. Only bind is different on the 2 machines, from which I
>>>> conclude that rbldnsd is incompatible with some later version of
>>>> bind".
>>>>
>>>> It's a set of 3 completely unrelated issues. Yet you managed to
>>>> glue them all together and make it so one is due to another.
>>>> It's.. fantastic!
>>> Thanks. :) Message received.
>>>
>>>> I don't want to offend you, not at all. This is really interesting
>>>> - I recall some very good politics, usually "big" politics, are
>>>> able to do such things. (Remember that today was President
>>>> Elections day here in Russia ;)
>>> LOL
>>>
>>>>
>>>> Oh-oh. This reply was much longer than previous - it is even
>>>> longer than your original message! ;)
>>> LOL Sorry, I was attempting to be concise. Hope that was OK.
>>>
>>>> Something like that, anyway... ;)
>>> Thank you /very/ much for taking the time to make such a cohesive
>>> and sensible reply out of such a garbled thread - /amazing/, truly!
>>>
>>> I'm still leaning on differences in the BIND from the one version
>>> on the /working/ server vs. the version on the /non/ working server.
>>> So I'll experiment some more, now armed with the knowledge you've
>>> provided here, and I'll report back shortly.
>>>
>>> Thank you again!
>>>
>>> --Chris H
>>
>> OK I spent the entire day /carefully/ going over both the server that
>> rbldnsd worked on, and the one it doesn't. I couldn't find /any/
>> configs that were different in a way that would affect the loopback
>> block - 127.0.0.1/8, for example. So, I hit the news group asking if
>> there was a difference between the two versions of FBSD that affected
>> the way it handles the loopback (also known as lo0). Everyone
>> answered that there was no difference that they were aware of. So I
>> altered the default rc for bootstrapping lo0, by adding a
>> 255.255.255.0 netmask. Then restarting the network without the BIND.
>> After the network restarted, I then started RBLDNSD with the
>> followingcommand: rbldnsd -u rbldns:rbldns -v -v -p
>> /var/run/rbldnsd.pid -f \ -c 1m -l rbldnsd.log -r
>> /usr/local/etc/rbldnsd \ -b 11.222.333.444/530
>> blackhole.nospammers.COM:ip4tset:clients
>>
>> Sorry, I'm not /quite/ ready to share the IP/domain name yet.
>> But really, it shouldn't really matter what numbers/domain.tld
>> I use in this example. The IP resolves very well accross the
>> internet. As does the domain.
>>
>> Anyway, back to the scenario... RBLDNSD emits the following
>> during startup:
>> rbldnsd: listening on 11.222.333.444/530
>> rbldnsd: ip4tset:clients: 20080303 235127: cnt=39416
>> rbldnsd: zones reloaded, time 0.2e/0.2u sec
>> rbldnsd: rbldnsd version 0.996a (27 Jul 2006) started (1 socket(s), 1
>> zone(s))
>>
>> Then I started the BIND.
>>
>> Performing dig -p530 @nospammers.COM \
>> 10.111.234.65.blackhole.nospammers.COM -t txt
>> emits:
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1673
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>
> Aha, that is different from _logging_ REFUSED.
> IIRC dig uses TCP for its DNS requests. Try forcing a UDP request to
> rbldnsd ( dig +udp -p530 ... ) and see if it says the same thing.
>
Hello, and thank you for your reply.
I tried as you suggested. But the DIG replied:
Invalid option: +udp
Thanks again.
--Chris H
>>
>> Whoo Hoo! no more NXDOMAIN. BUT, of course even when I query against
>> an address that /is/ in the clients zone file, I still receive
>> REFUSED. Oh well, at least RBLDNSD has 127.0.0.2 now. Reloading both
>> RBLDNSD, and the BIND provided no difference.
>>
>> Sigh. I'm tired, and all out of thoughts. Any insight /greatly/
>> appreciated.
>>
>> Thank you for all your time and consideration.
>>
>> --Chris H
>>
>>>> /mjt
>>>> _______________________________________________
>>>> rbldnsd mailing list
>>>> rbldnsd at corpit.ru
>>>> http://www.corpit.ru/mailman/listinfo/rbldnsd
>>> _________________________________________________________________
>>> http://fastmail.ca/ - Fast Secure Web Email for Canadians
>>>
>>> _______________________________________________
>>> rbldnsd mailing list
>>> rbldnsd at corpit.ru
>>> http://www.corpit.ru/mailman/listinfo/rbldnsd
>> _________________________________________________________________
>> http://fastmail.ca/ - Fast Secure Web Email for Canadians
>>
>> _______________________________________________
>> rbldnsd mailing list
>> rbldnsd at corpit.ru
>> http://www.corpit.ru/mailman/listinfo/rbldnsd
>
> _______________________________________________
> rbldnsd mailing list
> rbldnsd at corpit.ru
> http://www.corpit.ru/mailman/listinfo/rbldnsd
_________________________________________________________________
http://fastmail.ca/ - Fast Secure Web Email for Canadians
More information about the rbldnsd
mailing list