[rbldnsd] Use rbldnsd behind bind9
Lyle Giese
lyle at lcrcomputer.net
Tue Apr 13 16:37:37 MSD 2010
meepmeep @ Fantasya.org wrote:
> Hi
>
> As an IRC Network administrator, I'm using rbldnsd to create my own
> black list of private botnets.
> It works great locally, everything is fine. But, over time,
> private botnets go over to other IRC Networks, and we thought that it
> would be a great idea to share our dnsbl.
>
> Currently and locally, I request my bind server (listening on 127.0.0.1
> and x.x.x.226, both on port 53), and it transfers the request to
> rbldnsd (listening on public ip : x.x.x.229, port 53).
> I could ask bind or rbldnsd, it works while I'm still on my server.
>
> Now, I tried to use this rbldnsd from "outside", and I have a problem ...
> I added 2 entries in my DNS configuration:
>
> testbl.mydomain.com IN NS x.x.x.229
> (direct access to rbldnsd)
> testbl1.mydomaine.com IN NS x.x.x.226
> (direct access to bind)
>
> I added this to my bind configuration :
> zone "testbl1.mydomain.com" IN {
> type forward;
> forward first;
> forwarders {
> x.x.x.229 port 53;
> };
> };
>
>
> (in every case, bind should transfer the request to rbldnsd on x.x.x.229)
>
> My ip4set on rbldnsd starts like this :
> $SOA 0 noc.mydomain.com noc.mydomain.com 2010071801 15 1m 4w 15
> $NS 0 noc.mydomain.com
> $TTL 10s
> :127.0.0.2:IP $ is listed as corrupt
> 1.1.1.1 :4:prout
> etc.
>
> And rbldnsd is launched like this :
> /usr/sbin/rbldnsd -p /var/run/rbldnsd.pid -r /var/lib/rbldns -w . -v
> -f -b x.x.x.229/53 -t 30 -l rbldns.log -s rbldns.stats
> dnsbl.irc:ip4set:openhost dnsbl.myircnetwork.ext:ip4set:openhost
> testbl.mydomain.com:ip4set:openhost testbl1.mydomain.com:ip4set:openhost
>
> And last point (which is for me the source of the problem):
> In bind configuration :
>
> recursion yes;
> allow-recursion { any; };
> allow-query { any; };
> allow-query-cache { any; };
> allow-transfer { any; };
>
> So, now .. what is happening :
> From an external source, I could request testbl.mydomain.com
> (the one that asks rbldnsd directly), and
> it works. It means that rbldnsd manages the zone without any problem:
> $>host 1.1.1.1.testbl.mydomain.com
> 1.1.1.1.testbl.mydomain.com has
> address 127.0.0.4
>
>
> BUT, if I try to request
> $>host 1.1.1.1.testbl1.mydomain.com
> ;; connection timed out; no servers could be reached
>
> bind's log (daemon.log), doesn't show any error/reject answer...
>
> Here I'm stuck .. Why doesn't BIND transfer the request ? How
> could I check that bind is the one that failed the request ? Why does bind
> do the job locally and not remotely ?
>
> I know this isn't related to rbldnsd directly (it seems obvious that
> bind is the source of the problem), but I think it's the best place to
> get my answer :)
>
> --
> Nicolas G. / meepmeep
> [EuropNet.org Admin]
>
If your client is asking x.x.x.226, it expects an answer from x.x.x.226
and won't accept an answer from x.x.x.229 as the client did ask
x.x.x.229 a question. I don't think you need the forward in this
case. You just need to make sure BIND will do recursive queries from
the outside (dangerous).
Lyle Giese
LCR Computer Services, inc.
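Added example, not code from this thread or from rbldnsd itself: a Python script that parses an ip4set fragment shaped like the one quoted above, derives the reversed-address DNSBL query name, and decodes a constructed reply the way a client would, exposing the AA (authoritative) and RA (recursion available) header bits. An answer with RA set came from a server acting as a recursive resolver, which is what the remark about letting BIND recurse for the outside refers to; an authoritative rbldnsd answers with AA set and RA clear. The source-address mismatch described in the reply happens at the UDP layer and is not modelled here. The ip4set content, the zone name and the 192.0.2.7 probe are constructed sample values.

```python
import ipaddress
import struct

# Constructed ip4set fragment modelled on the one quoted in the thread (not the
# poster's real file): a default ':A:TXT' line, an override, and an inheriting entry.
IP4SET_FRAGMENT = """\
$SOA 0 noc.mydomain.com noc.mydomain.com 2010071801 15 1m 4w 15
$NS 0 noc.mydomain.com
$TTL 10s
:127.0.0.2:IP $ is listed as corrupt
1.1.1.1 :4:prout
10.0.0.9
"""

def _a_value(field, default):
    # rbldnsd takes the A value either as a full address or as a bare last octet
    if not field:
        return default
    return field if "." in field else "127.0.0.%d" % int(field)

def parse_ip4set(text):
    """Return {ip: (a_value, txt)} for single addresses. '$' lines are zone
    directives; a ':' line sets the default A/TXT for later entries; '$' inside
    TXT stands for the listed address. CIDR blocks and ranges are not handled."""
    default_a, default_txt, listed = "127.0.0.2", "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":
            continue
        if line[0] == ":":
            _, a_field, txt_field = line.split(":", 2)
            default_a, default_txt = _a_value(a_field, default_a), txt_field
            continue
        parts = line.split(None, 1)
        ip = str(ipaddress.IPv4Address(parts[0]))
        a, txt = default_a, default_txt
        if len(parts) == 2 and parts[1].startswith(":"):
            _, a_field, txt_field = parts[1].split(":", 2)
            a, txt = _a_value(a_field, default_a), (txt_field or default_txt)
        listed[ip] = (a, txt.replace("$", ip))
    return listed

def dnsbl_query_name(ip, zone):
    """DNSBL convention: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone.rstrip(".")

def _skip_name(data, off):
    """Advance past a wire-format name, honouring a 0xC0xx compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def build_query(name, txid=0x1234):
    """Minimal A/IN query with RD clear: an authoritative lookup needs no recursion."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_response(query, a_values, rcode=0, aa=True, ra=False):
    """Constructed reply shaped like an authoritative DNSBL answer: QR and AA set,
    RA clear, each A record's owner a pointer (0xC00C) back to the question name."""
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, len(a_values), 0, 0)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 10, 4) + ipaddress.IPv4Address(a).packed
                       for a in a_values)
    return header + query[12:] + answers

def parse_response(data):
    """Decode the header flags and A records; enough to interpret a DNSBL reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip QTYPE and QCLASS
    a_records = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            a_records.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "a": a_records}

def simulated_lookup(ip, zone, listed):
    """Offline round trip: query name -> fabricated authoritative reply -> decoded
    result. Unlisted addresses get NXDOMAIN (rcode 3), as a DNSBL returns for them."""
    query = build_query(dnsbl_query_name(ip, zone))
    reply = build_response(query, [listed[ip][0]]) if ip in listed else build_response(query, [], rcode=3)
    result = parse_response(reply)
    result["txt"] = listed[ip][1] if ip in listed else None
    return result

if __name__ == "__main__":
    zone_data = parse_ip4set(IP4SET_FRAGMENT)
    for probe in ("1.1.1.1", "10.0.0.9", "192.0.2.7"):   # 192.0.2.7 is an unlisted test address
        print(dnsbl_query_name(probe, "testbl.mydomain.com"), simulated_lookup(probe, "testbl.mydomain.com", zone_data))
```

Against a live server the same `parse_response` can be fed the bytes returned by a UDP socket: a reply to a DNSBL query with `aa` False and `ra` True means the zone was served through a recursive resolver rather than by the authoritative rbldnsd, which is the configuration the reply above calls dangerous when it is open to the outside.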