[Mimedefang] Local DNSBL lookups with rbldnsd (was: surbl)

Royce Williams royce.williams at acsalaska.net
Fri Apr 30 19:21:01 EDT 2004


On 4/13/2004 6:15 PM, Stephen Smoogen wrote:

 > Personally I think any RBL is a DoS waiting to happen. All it takes is
 > them being down/broken/etc and poof your servers are down for a bit with
 > the usual management questions of why did you allow it to happen.
 >
 > The only way I would use an RBL in a large production environment is if
 > they had a DB push mechanism where I could sign up for a daily DB4 and
 > source file from either a central site or some sort of P2P cloud.
 >
 > But I am a grumpy young sysadmin.

One of the better ones (SBL+XBL) lets you set this up for free, if
you're "big enough" (250K+ queries/day).

SBL+XBL page:		http://www.spamhaus.org/xbl/index.lasso
Rsync zone access:	http://www.spamhaus.org/service/


I had the same DoS worry; using a combination of sbl-xbl.spamhaus.org
with rbldnsd and rsync, we've got a copy of the zone locally on each
mail server, coexisting nicely with the caching BIND already there.
It required a little setup up front, but we've been pleased with the
results.  We've also reduced DNS traffic by a substantial amount --
I refused 1.3M connections yesterday using SBL+XBL.  Because it's
effectively local, it's the first DNSBL check we perform now.

The Spamhaus folks were very helpful and they had a hole poked for
our rsync within a couple of hours of my follow-up email about our
setup.  They even have the rsyncs distributed across particular
parts of the hour, assigning a minute to you for the SBL and the
XBL.  We're never more than an hour stale.

A potential speed bump is their requirement to use rbldnsd.  They
only push the lists out in rbldnsd format, but it's worth the
learning curve to use it, for those of you not familiar with it.
It does wildcarded/templated TXT responses for DNSBLs, has a small
memory footprint, and also speaks CIDR.  You can also combine
separate zone files into a single zone, accessed with one lookup.

	http://www.corpit.ru/mjt/rbldnsd.html

Our empirical testing of looking up even information that was already
cached made rbldnsd *very* attractive (~5.5ms/lookup for BIND vs
~.5ms/lookup for rbldnsd).  There are some large lists that we keep
in access.db files that we'll be converting to rbldnsd zones,
so that we don't have to pay the per-box cost of distributing the
access file and then generating the .db -- and because the sendmail
access file doesn't speak CIDR.
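As an added illustration (not rbldnsd's code, and not anything from this post), here is a small Python model of the data semantics that make rbldnsd attractive for this job: CIDR entries, a templated TXT answer with the queried address substituted in, several datasets served as one combined zone, and the reversed-octet query name an MTA sends. The zone syntax it parses mirrors rbldnsd's ip4set style as I understand it (a leading `:A:TXT` line sets defaults, a leading `-` excludes a block, `$` stands for the query IP); treat that as an assumption, and the zone contents and 127.0.0.x return codes are constructed sample data, not Spamhaus data.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    network: ipaddress.IPv4Network
    a_value: str          # A record answered on a hit, e.g. 127.0.0.2
    txt_template: str     # TXT answered on a hit; '$' is replaced by the query IP


class Dataset(NamedTuple):
    entries: List[Entry]
    exclusions: List[ipaddress.IPv4Network]


def parse_zone(text: str) -> Dataset:
    """Parse an ip4set-style zone (assumed syntax): one address or CIDR per line,
    optionally followed by ':A-value:TXT-template'.  A bare ':A:TXT' line sets the
    defaults for the entries after it; a leading '-' excludes a block from listing."""
    default_a, default_txt = "127.0.0.2", "$ is listed"
    entries, exclusions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                       # default A/TXT for what follows
            _, default_a, default_txt = line.split(":", 2)
            continue
        if line.startswith("-"):                       # exclusion, e.g. a clean host in a listed /24
            exclusions.append(ipaddress.IPv4Network(line[1:], strict=False))
            continue
        addr, a_value, txt = line, default_a, default_txt
        if ":" in line:                                # per-entry override of A/TXT
            addr, a_value, txt = line.split(":", 2)
        entries.append(Entry(ipaddress.IPv4Network(addr, strict=False), a_value, txt))
    return Dataset(entries, exclusions)


def lookup(dataset: Dataset, ip: str) -> Optional[Tuple[str, str]]:
    """Answer for one dataset: exclusions win, then the most specific matching CIDR."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in dataset.exclusions):
        return None
    hits = [e for e in dataset.entries if addr in e.network]
    if not hits:
        return None
    best = max(hits, key=lambda e: e.network.prefixlen)
    return best.a_value, best.txt_template.replace("$", ip)


def combined_lookup(datasets: List[Dataset], ip: str) -> List[Tuple[str, str]]:
    """One query against the combined zone returns a hit from every dataset listing it."""
    return [r for r in (lookup(d, ip) for d in datasets) if r is not None]


def query_name(ip: str, zone: str) -> str:
    """The DNSBL query form an MTA sends: octets reversed under the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed sample zones (RFC 5737 documentation addresses, not real listings).
SBL_ZONE = """\
# sample SBL-style dataset
:127.0.0.2:Listed in sample SBL, see http://example.invalid/sbl?ip=$
192.0.2.0/24
-192.0.2.77
198.51.100.8:127.0.0.2:Sample SBL single host $
"""
XBL_ZONE = """\
# sample XBL-style dataset
:127.0.0.4:Listed in sample XBL (compromised host): $
203.0.113.0/25
198.51.100.8
"""
ZONES = [parse_zone(SBL_ZONE), parse_zone(XBL_ZONE)]

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.77", "198.51.100.8", "203.0.113.200"):
        print(query_name(ip, "sbl-xbl.spamhaus.org"), "->", combined_lookup(ZONES, ip))
```

The exclusion line is the part worth noticing for a sendmail access file migration: a listed /24 with one clean host inside it is a single extra line here, whereas access.db needs the block expanded to individual addresses because it does not speak CIDR.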

There's a FreeBSD rbldnsd port that installed quite nicely, and the
maintainer is quick with updates.

We're using forwarding as described in http://njabl.org/rsync.html :

// named.conf: send queries for the DNSBL zone to rbldnsd on the loopback alias
zone "sbl-xbl.spamhaus.org" IN {
        type forward;
        forward first;          // try the forwarder first, fall back to normal resolution
        forwarders {
                127.0.0.2;      // rbldnsd listens here; BIND itself is on 127.0.0.1
        };
};

... so it's kept private and fast, and coexists with our BIND that's
on 127.0.0.1.  I had never previously had to figure out how to create
a loopback alias in FreeBSD, but it works like a charm.

In short -- if they get DoSed, Slashdot will tell me before my mail farm
does, making me a less grumpy young sysadmin. :)

You can tell I was on vacation; sorry for the stale posts.

-royce

-- 
------------------------------------------------------------------------
Royce D. Williams                                    IP Engineering, ACS
work: [first.last]@acsalaska.net                  PGP: 3FC087DB/1776A531
personal: [first]@alaska.net                 http://www.tycho.org/royce/


