Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
10-19-2004, 12:35 PM, #1
Member, Registered: Nov 2003, Location: Virginia, Distribution: Fedora Core 4, Posts: 121
Create my own DNSBL?
Does anybody know how, or recommend a site with a howto, to create my own DNS BlockList (DNSBL)?
Windows' DNS does not allow me to create a record with a period (".") and I know that to block the IP 192.168.123.201, I would need to create an RBL entry as such: 201.123.168.192.rbl.mydomain.com
I already use spamhaus, sorbs and ordb, but we still get a lot of spam, and most of it is from netblocks I know we don't have clients in. I would like to create a DNSBL that would allow me to block an entire netblock if I needed to (Since we don't have clients in Asia, for example, I could block a spamming APNIC netblock).
10-20-2004, 04:28 AM, #2
Senior Member, Registered: Jul 2003, Location: Silicon Valley, USA, Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5, Posts: 3,660
If it's just for your use, then probably a more effective method would be to use a packet filter, either on the receiving MTA itself, or just use rules on your existing firewall. Checking DNSBLs is a lot of overhead since it generates a lot of network traffic for the queries and introduces latency in handling the connections (if the MTA has to wait on completing the connection for a response from the RBL), or you actually have to queue the message to disk and check the IP later.
If you have a Linux box running your edge MTA, you can use iptables to completely block networks that you don't want sending you e-mail (you could do this for only port 25/tcp). If you use some other UNIX-like OS, there are a variety of other packet filters (IPF, IPFW, PF). If the edge MTA is on Windows or some OS without a robust packet filter, you could simply put the offending netblocks in your network firewall rules.
If you really want to set up your own DNSBL, it sounds like you already have the basics down (create A records that are the reverse-quad notation of the IP address to be blocked). You can also use wild-card DNS entries if they're supported by your name server so that you won't have to enter 256 individual records for a /24; you could just wild-card it once. You will need a name server such as BIND, TinyDNS, or one of the others in order to set this up.
10-20-2004, 10:52 PM, #3
Member, Registered: Nov 2003, Location: Virginia, Distribution: Fedora Core 4, Posts: 121, Original Poster
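To make the reverse-quad and wildcard scheme from the reply above concrete, here is an added example (not from the thread or from any name server's own tooling) that builds DNSBL zone entries for a mix of single hosts and CIDR netblocks under the assumed zone rbl.mydomain.com, emits them as BIND-style A records, and checks an address against them the way an MTA lookup would. The 127.0.0.2 answer value and the sample addresses are constructed.

```python
import ipaddress

LISTED = "127.0.0.2"  # conventional A-record answer meaning "listed" (assumed, not mandated)

def dnsbl_name(ip, zone):
    """Reverse-quad owner name: 192.168.123.201 -> 201.123.168.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def wildcard_name(network, zone):
    """*.123.168.192.<zone> for 192.168.123.0/24; prefix must sit on an octet boundary."""
    keep = network.prefixlen // 8
    octets = str(network.network_address).split(".")[:keep]
    return "*." + ".".join(reversed(octets)) + "." + zone

def zone_records(entries, zone):
    """Map hosts/CIDRs to {owner name: answer}. Prefixes of /24 or shorter become
    wildcards (split up to the next octet boundary, e.g. a /15 -> two /16 wildcards);
    longer prefixes are expanded host by host because a wildcard cannot express them."""
    records = {}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen <= 24:
            boundary = -(-net.prefixlen // 8) * 8      # round up to 8, 16 or 24
            for sub in net.subnets(new_prefix=boundary):
                records[wildcard_name(sub, zone)] = LISTED
        else:
            for addr in net:                            # includes network/broadcast
                records[dnsbl_name(addr, zone)] = LISTED
    return records

def is_listed(ip, zone, records):
    """Simplified resolver view: exact name first, then wildcards, most specific first.
    (Real DNS wildcard matching also stops at a closer existing name; not modelled here.)"""
    if dnsbl_name(ip, zone) in records:
        return True
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for keep in (3, 2, 1):
        if "*." + ".".join(reversed(octets[:keep])) + "." + zone in records:
            return True
    return False

def to_zone_file(records):
    """Render records as BIND-style absolute-name A records."""
    return "\n".join(f"{name}. IN A {value}" for name, value in sorted(records.items()))

if __name__ == "__main__":
    zone = "rbl.mydomain.com"
    recs = zone_records(["192.168.123.201", "10.20.0.0/15", "203.0.113.0/25"], zone)  # constructed
    print(to_zone_file(recs))
    print(is_listed("10.21.99.7", zone, recs), is_listed("192.168.123.1", zone, recs))
```

A wildcard such as *.123.168.192.rbl.mydomain.com answers every name beneath it, which is the single record that covers a /24 instead of 256 entries.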
Unfortunately, I cannot change my Windows-based MTA. I also learned that we do, in fact, have foreign clients, so dropping packets at the firewall is a last resort. If I use a dnsrbl, I can utilize our existing SMTP gateway to send the NDRs back to blocked recipients so that legitimately blocked clients may have some knowledge and recourse to being blocked, and current clients can be whitelisted. (I also realize that this means a lot of unnecessary NDRs sent to XVSDGKJHEZZD@hotmail.com and the like, but it'll be my arse if a client is blocked without some type of notification.)
I have been looking into figuring out if Windows 2000 DNS will allow wildcard entries (such as *.192.rbl.mydomain.com), and so far all I've found is a lot of "no you can't", "Windows 2003 does it but not 2000" and one "try this registry hack". I will try the registry hack on a server in the lab before touching my primary DNS server.
Meanwhile, I am building a box with Linux in the event that the reg hack doesn't work, or my boss is edgy about it. Any thoughts or recommendations between rbldnsd and rbldns?
10-21-2004, 01:38 AM, #4
Senior Member, Registered: Jul 2003, Location: Silicon Valley, USA, Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5, Posts: 3,660
Well, TinyDNS (AKA DJBDNS) is usually fairly easy for newbies to understand, and it has the best security record. It doesn't have the flexibility that BIND does, but for a DNSBL you only need a small subset of normal DNS functions. It looks like rbldns is tailor-made for that, so it would be my recommendation.
Edit: In case it wasn't already clear, rbldns was created by DJB, i.e. the guy who created TinyDNS.