[rbldnsd] Problem...

Jean-Eudes ONFRAY je.onfray at mediation-telecom.com
Fri Feb 20 13:10:32 MSK 2004



--- Original message ---
> From: Matthew Sullivan <matthew at sorbs.net>
> To: rbldnsd at corpit.ru
> Subject: [rbldnsd] Problem...
> Date: Fri 20 Feb 2004 10:29:35 CET
> 
> Hey all,
> 
> Someone just posted an interesting issue with the SORBS DNSbl....  This is
> probably documented behaviour, but I figured I'd pass it by the list and 
> see if anyone including Michael has any comments...
> 
> 
> We have supplied the zones as just listings until recently when we 
> picked up the Dynablock and started actively maintaining it in the place 
> of Ben.  However the issue that appeared today -
> 
> We have 17740 exceptions listed, and these exceptions are exported into 
> the DUHL where all works fine......except the DUHL zone is aggregated 
> into the main zone, so all the exceptions are also aggregated into the 
> main zone which means anyone excepted from the DUHL is actually excepted 
> from all listings when using the aggregate zone....
> 
> Now I figure I have a few options...
> 
> 1/ Process out all the exceptions and stop using them
> 2/ Process out the exceptions at export time and create an extra zone 
> which is the aggregate zone
> 3/ Talk to this list and Michael about whether the exceptions can be 
> limited to apply to their own zone only.  (Guess where I am ;-))
> 
> Comments/suggestions welcomed.
> 
> Example Data:
> 
> $DATASET ip4set http @
> $SOA    172800  rbldns0.sorbs.net. dns.isux.com. 1077267901 7200 7200 604800 3600
> $NS 48h rbldns0.sorbs.net.
> :127.0.0.2:HTTP Proxy See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=$
> $TTL 172800
> 4.3.216.194
> 4.17.224.68
> 4.21.138.56
> 4.22.136.147
> $DATASET ip4set dul @
> $SOA    172800  rbldns0.sorbs.net. dns.isux.com. 1077267901 7200 7200 604800 3600
> $NS 48h rbldns0.sorbs.net.
> :127.0.0.10:Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=$
> $TTL 172800
> 4.2.0.0/15
> 4.10.0.0/15
> 4.12.0.0/14
> !4.3.216.0/24
> !4.3.218.0/24
> 
> .....
> 
> Using the above data you get the following:
> 
> $ host 194.216.3.4.dul.dnsbl.sorbs.net
> Host 194.216.3.4.dul.dnsbl.sorbs.net not found: 3(NXDOMAIN)
> 
> $ host 194.216.3.4.http.dnsbl.sorbs.net
> 194.216.3.4.http.dnsbl.sorbs.net has address 127.0.0.2
>  
> All fine and good... now the problem:
> 
> $ host 194.216.3.4.dnsbl.sorbs.net
> Host 194.216.3.4.dnsbl.sorbs.net not found: 3(NXDOMAIN)
> 
> I expect and don't get (my fault I presume):
> 
> $ host 194.216.3.4.dnsbl.sorbs.net
> 194.216.3.4.dnsbl.sorbs.net has address 127.0.0.2
> 
> Removing the DUHL exception (!4.3.216.0/24) I get:
> 
> $ host 194.216.3.4.dnsbl.sorbs.net
> 194.216.3.4.dnsbl.sorbs.net has address 127.0.0.10
> 194.216.3.4.dnsbl.sorbs.net has address 127.0.0.2
> 
> which is expected.
> 
> Suggestions, comments?
> 
> / Mat
> 

Hi,

I think there are 2 ways of doing that.
 1 - Create some kind of priority between IPs vs blocks.
     You'll have to do this during aggregation.
     It may not work in all cases.
 2 - I think the best way is not to have any excepted block;
     instead you should split the bigger block into smaller ones to except
     the one you need.

Your sample would become
--BEFORE
4.2.0.0/15
!4.3.216.0/24
!4.3.218.0/24
--AFTER
4.2.0.0/16
4.3.0.0/17
4.3.128.0/18
4.3.192.0/20
4.3.208.0/21
4.3.217.0/24
4.3.219.0/24
4.3.220.0/22
4.3.224.0/19
--

It's a hard job but may be done by a script and will avoid this kind of error.

Jean-Eudes
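
The block splitting described in the reply above can be scripted with Python's standard `ipaddress` module. This is an added example, not code from the thread or from rbldnsd; it handles only the entry forms shown in the sample data (full IPs, CIDR blocks, `!` exceptions), and the function names are hypothetical.

```python
import ipaddress

def parse_ip4set(lines):
    """Split ip4set entries into (listed, excluded) networks.
    Assumption: only full IPs, CIDR blocks and '!' exceptions appear."""
    listed, excluded = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry[0] in "$:#":  # directives, default value, comments
            continue
        token = entry.split()[0]
        target = excluded if token.startswith("!") else listed
        target.append(ipaddress.ip_network(token.lstrip("!")))
    return listed, excluded

def subtract(net, hole):
    """Return the CIDR blocks of `net` that remain once `hole` is removed."""
    if not net.overlaps(hole):
        return [net]
    if hole.supernet_of(net):  # the exception covers the whole block
        return []
    return list(net.address_exclude(hole))

def flatten(lines):
    """Rewrite a dataset so it covers the same addresses with no '!' entries."""
    listed, excluded = parse_ip4set(lines)
    for hole in excluded:
        listed = [piece for net in listed for piece in subtract(net, hole)]
    # collapse_addresses sorts the result and merges adjacent blocks
    return [str(n) for n in ipaddress.collapse_addresses(listed)]

def covers(ip, cidrs):
    """True if `ip` falls inside any block of an exception-free list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

# The "BEFORE" block from the message above.
BEFORE = ["4.2.0.0/15", "!4.3.216.0/24", "!4.3.218.0/24"]

if __name__ == "__main__":
    for cidr in flatten(BEFORE):
        print(cidr)
```

Because the flattened dul data carries no `!` entries, nothing from it can mask an address listed by another dataset once the zones are aggregated.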


