[rbldnsd] how to make public (DNS)RBL?

Jon Lewis jlewis at lewis.org
Fri May 15 17:32:01 MSD 2009


On Fri, 15 May 2009, Chris. wrote:

> I answered that (to some degree) in your last posting.

Not really.  You've managed to avoid revealing any of the details as to 
why your RBL could be the FUSSP other than that it lists around 1B IPs 
that are sources of spam and adds them very quickly.

> Now, I'd like to simply use one internet routable IP, and let the .COM
> use/manage it. So now, as I haven't utilized my anti-spam system in quite
> this environment. I was hoping to get some suggestions for what might be
> the most resilient use of IP space under this environment. Does this
> make any sense? I hope my question is understandable. I'm just a bit
> leery "going live" with an environment I haven't already tested. So
> was hoping to get some suggestions before doing so. :)

It sounds like you're saying you run one public DNS server (authoritative 
DNS, I assume) and want that process to handle both regular DNS requests 
and RBL DNS requests using communications with a private rbldnsd to answer 
the RBL DNS queries.  While that certainly can be done, I'd strongly 
recommend against it if you go public.

For your own private use, such a setup may work, but if you make the RBL 
public and it's half as good as you say, you'll likely see thousands of RBL 
queries per second.  When word gets out about how well your list works 
(taking for granted that it's as good as you say), you're going to be 
seeing tens of thousands of queries per second.  Can your single server 
answer 50k queries per second?  Do you have the bandwidth (tens of 
megabits/s) to receive and respond to those queries?

Any public DNSBL of any size uses a bunch of distinct DNS servers, both to 
spread the load and for redundancy.  What happens when your server goes 
offline (network outage, power failure, kernel upgrade)?  If there are a 
dozen different DNS servers for the RBL, nobody notices one going down. 
If there's just one, mail slows down as DNS queries time out, and you'll 
likely generate a "DDoS" against yourself as queries that go unanswered 
get retried, multiplying your normal DNS query traffic.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
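As an added illustration of the capacity and retry-storm points above (not code from the poster or from rbldnsd), the following Python model builds the reversed-octet DNSBL query name an MTA sends, simulates client lookups against a pool of nameservers with a typical resolver policy (3 attempts, 5 s timeout, both assumed values), and estimates raw UDP bandwidth for a given query rate using assumed packet sizes. With a single server that is down, every lookup costs three queries and 15 s of delay; with a dozen servers and one down, almost nothing is lost.

```python
"""Model of DNSBL query load and retry amplification for a resolver pool."""
import random
from dataclasses import dataclass


@dataclass
class LookupResult:
    queries_sent: int
    answered: bool
    latency_s: float


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet name an MTA queries, e.g. 10.2.0.192.rbl.example."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def simulate_lookup(servers_up, attempts=3, timeout_s=5.0, rng=random):
    """One client lookup: try servers in random order, sending at most
    `attempts` queries; each unanswered query costs a full timeout."""
    order = list(servers_up)          # True = server answers, False = dead
    rng.shuffle(order)
    sent, latency = 0, 0.0
    for i in range(attempts):
        sent += 1
        if order[i % len(order)]:
            return LookupResult(sent, True, latency)
        latency += timeout_s
    return LookupResult(sent, False, latency)


def amplification(n_servers, n_down, lookups=10000, seed=1):
    """Average queries per lookup, failure rate and mean latency when
    n_down of n_servers nameservers are unreachable (constructed scenario)."""
    rng = random.Random(seed)
    servers = [False] * n_down + [True] * (n_servers - n_down)
    results = [simulate_lookup(servers, rng=rng) for _ in range(lookups)]
    avg_q = sum(r.queries_sent for r in results) / lookups
    fail = sum(not r.answered for r in results) / lookups
    avg_lat = sum(r.latency_s for r in results) / lookups
    return avg_q, fail, avg_lat


def bandwidth_mbps(qps, query_bytes=60, response_bytes=100):
    """Rough UDP payload bandwidth (in + out) for a query rate; packet
    sizes are assumed typical values, excluding IP/UDP/Ethernet overhead."""
    return qps * (query_bytes + response_bytes) * 8 / 1e6
```

Calling `amplification(1, 1)` versus `amplification(12, 1)` shows the difference between "mail slows down and queries triple" and "nobody notices", and `bandwidth_mbps(50000)` gives the tens of megabits per second mentioned in the post.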

