njabl.org

The njabl.org DNSBL zone data is currently available for rsync from rsync.njabl.org as a collection of rbldnsd format files. To have your IP added to the rsync ACL, send an email requesting access for your IP to help at mail.njabl.org. Please mention rsync in the subject of your message. Please also mention what network/organization you're requesting access on behalf of, and what your intended use of the data is. To reduce load on the public rsync server and save bandwidth, if you plan to use the data on multiple systems, choose one to be your local rsync master, sync from rsync.njabl.org on that single server, and then sync the rest of your servers from your local rsync master.

You probably won't get a response, but if your request looks reasonable (i.e. don't ask for rsync access for an entire /16) rsync access will generally be setup within 24-72 hours but at times may take considerably longer. Please be patient.

Tips for running your own local rbldnsd based dnsbl.njabl.org zone:

If you haven't already done so, subscribe to list@njabl.org by sending an email to list-subscribe@njabl.org. This is a moderated announcement list. It is imperative that you receive any announcements such as planned changes to the rsync directory structure, zone data file layout, etc.
Choose a system to run rbldnsd on. This could be a dedicated system or one of your existing DNS servers (or even your mail server that runs a caching DNS server). You can run rbldnsd and bind together on the same system. Since I think this is the most likely scenario, I'll document it here.
Create a user for rbldnsd to run as and a directory for the zone files rbldnsd will use. Here we'll use username dnsbl with a data directory of /var/dnsbl/njabl.
Download/build/install the latest version of rbldnsd. Check the Makefile before running make to see if you need to change anything in order to properly build it on your OS.
Create a script that can be run from cron to periodically rsync the data files. i.e.
```
$ cat /usr/local/bin/njablrsync
#!/bin/sh
 
rsync -vaL rsync.njabl.org::njabl/rbldnsd/ /var/dnsbl/njabl/
```
You'll want to run this script no more than every 20 minutes, preferably just a couple times a day at most. I used to recommend at least once per hour, but due to load on the rsync server, every couple hours is probably more reasonable. Since the files are updated every 20 minutes, rsyncing more frequently than every 20 minutes is only going to waste resources and probably get your rsync access revoked. Also be sure to use either -a or -t if you don't use exactly the options above.

Setup rbldnsd to run from bootup. If your system uses SysVinit style startup scripts, create an init script for rbldnsd, or use the one that comes with rbldnsd in the debian directory of the source. I prefer this simpler init script ripped off from Red Hat's gpm init script.

#!/bin/bash
#
# chkconfig: 2345 85 15
# description: rbldnsd is a DNS server designed for dnsbls.  
# processname: rbldnsd
# pidfile: /var/run/rbldnsd.pid

# source function library
. /etc/init.d/functions

[ -e /etc/sysconfig/rbldnsd ] && . /etc/sysconfig/rbldnsd 

RETVAL=0

start() {
        echo -n $"Starting rbldnsd service: "
        daemon /usr/local/sbin/rbldnsd $OPTIONS

        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rbldnsd
}

stop() {
        echo -n $"Shutting down rbldnsd service: "
        killproc rbldnsd
        RETVAL=$?

        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rbldnsd
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/rbldnsd ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status rbldnsd
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL

If you use this script, setup /etc/sysconfig/rbldnsd with options such as:

OPTIONS="-u dnsbl -r /var/dnsbl/njabl -t 21600 -c 60 \
          -l querylog -p /var/run/rbldnsd.pid -b 127.0.0.1/530 \
          dnsbl.njabl.org:ip4set:dnsbl.njabl.org.auto \
          dnsbl.njabl.org:generic:dnsbl.njabl.org.generic \
          dnsbl.njabl.org:ip4set:dnsbl.njabl.org.data \
          combined.njabl.org:ip4set:dnsbl.njabl.org.auto \
          combined.njabl.org:generic:dnsbl.njabl.org.generic \
          combined.njabl.org:ip4set:dnsbl.njabl.org.data \
          combined.njabl.org:ip4set:rbldns.dynablock.easynet.nl \
        "

If you use the rbldnsd.init script that comes with rbldnsd, you should have either /etc/default/rbldnsd or /etc/sysconfig/rbldnsd that looks kind of like:

RBLDNSD="njabl -udnsbl -r/var/dnsbl/njabl -t21600 -c60 \
          -lquerylog -b127.0.0.1/530 \
          dnsbl.njabl.org:ip4set:dnsbl.njabl.org.auto \
          dnsbl.njabl.org:generic:dnsbl.njabl.org.generic \
          dnsbl.njabl.org:ip4set:dnsbl.njabl.org.data \
          combined.njabl.org:ip4set:dnsbl.njabl.org.auto \
          combined.njabl.org:generic:dnsbl.njabl.org.generic \
          combined.njabl.org:ip4set:dnsbl.njabl.org.data \
          combined.njabl.org:ip4set:rbldns.dynablock.easynet.nl \
        "

With this setup, /var/dnsbl/njabl/querylog will be a log of all queries handled by rbldnsd. If you have no need for this log, remove the option. For debugging purposes, while testing your setup, you may want to make it -l +querylog to turn off log write buffering. The -b 127.0.0.1/530 tells rbldnsd to listen on the IP address 127.0.0.1, UDP port 530. This is so you can run rbldnsd on the same system/IP as an existing DNS server (bind in this example). If you're setting up rbldnsd to answer queries for other systems on your network, replace 127.0.0.1/530 with your server's IP address and rbldnsd will run on port 53 as a DNS server normally would. The -b option has become mandatory in recent rbldnsd versions. In the past, rbldnsd would listen on all addresses and the port was set with the -P argument.

Configure the DNS server(s) your mail server(s) use to forward dnsbl.njabl.org queries to your rbldnsd server(s). Add the following to named.conf:
```
zone "dnsbl.njabl.org" IN {
        type forward;
        forward first;
        forwarders {
                127.0.0.1 port 530;
        };
};
```
If you're running rbldnsd on a dedicated system (not an existing DNS server), adjust the IP in the forwarders statement appropriately. With the setup above, if your local rbldnsd becomes unavailable, dnsbl.njabl.org queries will fall back to the root-servers. If your network generates a large volume of queries (thousands/sec), it may make sense to run multiple rbldnsd copies of dnsbl.njabl.org on several systems with the rsync update slightly staggered. rbldnsd will not answer queries while reloading the zone data into memory. Depending on the speed of your system and the size of the zone data, reloading could make the rbldnsd server unavailable for several seconds.

If you're running bind 8.x, the port option above is not supported. You'll need to dedicate an IP address to rbldnsd and make bind not listen on that IP by telling it which IPs to listen on. i.e. Setup an IP alias of 127.0.0.2 on your lo interface. Replace the bind config above with:
```
options {
        listen-on {
	        x.x.x.x;
	        127.0.0.1;
        };
};

zone "dnsbl.njabl.org" IN {
        type forward;
        forward first;
        forwarders {
                127.0.0.2;
        };
};
```
replacing x.x.x.x with the IP address of your server. If your server has many IPs, you can list each one, or use CIDR notation such as x.x.x.0/24.
If you haven't done so already, run the rsync script to get a local copy of the dnsbl.njabl.org data. Start up rbldnsd and send it a few test queries. i.e. dig @localhost -p530 2.0.0.127.dnsbl.njabl.org. Assuming that worked properly, restart or issue a reconfig for your named process. Now send the same query to bind. i.e. dig @localhost 2.0.0.127.dnsbl.njabl.org. You should get an answer, and you should see a log entry in querylog showing that bind forwarded the query to your local rbldnsd.
At this point, you should be done and have a working setup that handles dnsbl.njabl.org queries locally using rbldnsd.

Last modified: Saturday, 10-May-2008 20:06:45 EDT