
rbldns

Purpose

rbldns answers TXT queries for synthesised DNS names consisting of the reversed IP address concatenated with $BASE, provided the address is listed in its repository. rbldns is IPv6 enabled and thus allows queries over IPv4 or IPv6 networks, though only UDP is supported. It can encrypt DNS queries and decrypt DNS responses using DNSCurve, in the 'streamline' as well as in the 'txt' format. rbldns however does not support DNSSEC. rbldns can simultaneously bind to IPv4 and IPv6 network addresses and supports 'reverse IPv6-anycasting'.

Programs

System Setup

It is preferable to install D.J. Bernstein's daemontools or Bruce Guenter's daemontools-encore. A further alternative is Gerrit Pape's runit, though in principle systemd and any of its derivatives, or the s6 toolbox for managing Unix services, will do.

Given the first two, rbldns-conf can be used to set up rbldns:

rbldns runs chrooted under a particular user, typically rbldns, with its service directory usually located at /etc/rbldns.

The run script for rbldns looks like:

#!/bin/sh
exec 2>&1
exec envdir ./env sh -c '
  exec envuidgid rbldns /usr/local/bin/rbldns
'

Here, envdir is used to source rbldns's ./env directory and populate the required environment variables.

rbldns logs to STDOUT, which should be managed by multilog with a dedicated system user and rotation capability.

A run script for multilog can be very generic:

#!/bin/sh
exec setuidgid daemon multilog t s1677721 /var/log/rbldns

Note that rbldns writes condensed log lines without a timestamp, appending them to the current file. Thus it is advisable to restrict the logfile size.

Service Configuration

rbldns can run in two different security modes:

The main rbldns configuration is provided in the directory ./env. Here one defines in particular files:

Security Note: If you run a public rbldns service in unencrypted/plain mode, an eavesdropper will be able to collect data for all of your DNS clients, and thus you are disclosing which MTA has received an SMTP mail from a host with a given IP, with a precise timestamp.

Content Configuration

Within rbldns' directory ./root, a file data exists which lists, line by line, the IP addresses or subnets that are subject to a response.

First Step: Adding DNS Txt Records

Include in the file data the following information:

Second Step: Compiling DNS TXT Records

A Makefile exists within that directory to turn data into data.cdb by running make, which applies rbldns-data.
Note: rbldns-data understands plain IP addresses as well as IP addresses in CIDR format.
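To illustrate the lookup model described under Purpose (reversed IP address concatenated with $BASE) together with the data file content just described (plain IP addresses and CIDR subnets, one per line), here is an added Python example. It is not part of rbldns or rbldns-data; the sample data lines, the $BASE value rbl.example.com, the "#" comment handling and the IPv6 nibble-per-label reversal are assumptions for the illustration. It synthesises the query name for a client IP, recovers the IP from such a name, and checks whether the address falls into a listed entry, which is the decision an rbldns server has to make before answering a TXT query.

```python
import ipaddress

# Constructed sample of an rbldns data file: one IP address or CIDR subnet
# per line (rbldns-data accepts both forms). Comment lines starting with "#"
# are an assumption of this example, not a documented rbldns-data feature.
SAMPLE_DATA = """\
# constructed sample data
192.0.2.17
198.51.100.0/24
203.0.113.0/28
"""

BASE = "rbl.example.com"   # placeholder for the $BASE zone suffix


def load_networks(text):
    """Parse IP addresses and CIDR subnets, one per line, into network objects.
    A plain address becomes a /32 (or /128) network, so one membership test
    covers both forms."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def reverse_name(ip, base=BASE):
    """Synthesise the query name: reversed address labels concatenated with $BASE.
    IPv4 reverses the four octets; for IPv6 one nibble per label is assumed here."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + base


def parse_query_name(qname, base=BASE):
    """Inverse of reverse_name for IPv4: recover the client IP from a query name.
    Returns None for names outside $BASE or with a malformed address part, so a
    server never answers for names it does not own."""
    suffix = "." + base
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(labels[::-1])))
    except ValueError:
        return None


def is_listed(ip, networks):
    """Return True if ip matches any listed address or subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = load_networks(SAMPLE_DATA)
    for client in ("192.0.2.17", "198.51.100.200", "203.0.113.16"):
        qname = reverse_name(client)
        print(qname, "->", "listed" if is_listed(client, nets) else "not listed")
```

The membership test is the same one a listing-aware MTA relies on: a query for 200.100.51.198.rbl.example.com resolves to the listed /24 while a query for an unlisted address gets no answer.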