LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 10-19-2004, 12:35 PM   #1
wytiger
Create my own DNSBL?


Does anybody know how, or recommend a site with a howto, to create my own DNS BlockList (DNSBL)?

Windows DNS does not allow me to create a record with a period (".") and I know that to block the IP 192.168.123.201, I would need to create an RBL entry as such: 201.123.168.192.rbl.mydomain.com

I already use spamhaus, sorbs and ordb, but we still get a lot of spam, and most of it is from netblocks I know we don't have clients in. I would like to create a DNSBL that would allow me to block an entire netblock if I needed to (since we don't have clients in Asia, for example, I could block a spamming APNIC netblock).
 
Old 10-20-2004, 04:28 AM   #2
chort
If it's just for your use, then probably a more effective method would be to use a packet filter, either on the receiving MTA itself, or just use rules on your existing firewall. Checking DNSBLs is a lot of overhead since it generates a lot of network traffic for the queries and introduces latency in handling the connections (if the MTA has to wait on completing the connection for a response from the RBL), or you actually have to queue the message to disk and check the IP later.

If you have a Linux box running your edge MTA, you can use iptables to completely block networks that you don't want sending your e-mail (you could do this for only port 25/tcp). If you use some other UNIX-like OS, there are a variety of other packet filters (IPF, IPFW, PF). If the edge MTA is on Windows or some OS without a robust packet filter, you could simply put the offending netblocks in your network firewall rules.

If you really want to set up your own DNSBL, it sounds like you already have the basics down (create A records that are the reverse-quad notation of the IP address to be blocked). You can also use wild-card DNS entries if they're supported by your name server so that you won't have to enter 256 individual records for a /24; you could just wild-card it once. You will need a name server such as BIND, TinyDNS, or one of the others in order to set this up.
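The two building blocks discussed so far (reverse-quad owner names per IP, and one wildcard record per octet-aligned netblock) can be worked through in code. This is an added example, not from either poster: it uses the hypothetical zone rbl.mydomain.com from the question, generates the records a DNSBL zone would need for a given CIDR block, and checks an IP against them with a simplified wildcard-aware lookup; 127.0.0.2 is the conventional "listed" answer.

```python
import ipaddress
from typing import Dict, Optional

ZONE = "rbl.mydomain.com"   # hypothetical list zone named in the thread
LISTED = "127.0.0.2"        # conventional A-record answer meaning "listed"

def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the four octets and append the zone: 192.168.123.201 ->
    201.123.168.192.rbl.mydomain.com."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def zone_records(cidr: str, zone: str = ZONE) -> Dict[str, str]:
    """Map owner name -> A record for one netblock. Octet-aligned prefixes
    (/8, /16, /24) collapse to a single wildcard record, as suggested in the
    thread; /32 is one exact record; other lengths are expanded into
    aligned /24 wildcards or individual host records."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    recs: Dict[str, str] = {}
    if net.prefixlen == 32:
        recs[dnsbl_name(str(net.network_address), zone)] = LISTED
    elif net.prefixlen % 8 == 0:
        fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
        recs["*." + ".".join(reversed(fixed)) + "." + zone] = LISTED
    elif net.prefixlen < 24:
        for sub in net.subnets(new_prefix=24):
            recs.update(zone_records(str(sub), zone))
    else:
        for host in net:   # /25../31: enumerate every address in the block
            recs[dnsbl_name(str(host), zone)] = LISTED
    return recs

def lookup(qname: str, recs: Dict[str, str]) -> Optional[str]:
    """Simplified name-server lookup: exact owner first, then the deepest
    wildcard (*.suffix) that covers the query name."""
    if qname in recs:
        return recs[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in recs:
            return recs[wild]
    return None

def is_listed(ip: str, recs: Dict[str, str], zone: str = ZONE) -> bool:
    """What the MTA does: query the reversed name and treat any answer as a hit."""
    return lookup(dnsbl_name(ip, zone), recs) is not None
```

Feeding the generated names and addresses into a zone file for BIND or a data file for rbldns gives the same behaviour on a real server; the wildcard matching here ignores the "closest enclosing name" rule, so an exact record inside a wildcarded block should be avoided.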
 
Old 10-20-2004, 10:52 PM   #3
wytiger
Unfortunately, I cannot change my Windows-based MTA. I also learned that we do, in fact, have foreign clients, so dropping packets at the firewall is a last resort. If I use a DNSRBL, I can utilize our existing SMTP gateway to send the NDRs back to blocked senders so that legitimately blocked clients may have some knowledge of, and recourse against, being blocked, and current clients can be whitelisted. (I also realize that this means a lot of unnecessary NDRs sent to XVSDGKJHEZZD@hotmail.com and the like, but it'll be my arse if a client is blocked without some type of notification.)

I have been looking into figuring out if Windows 2000 DNS will allow wildcard entries (such as *.192.rbl.mydomain.com), and so far all I've found is a lot of "no you can't", "Windows 2003 does it but not 2000" and one "try this registry hack". I will try the registry hack on a server in the lab before touching my primary DNS server.

Meanwhile, I am building a box with Linux in the event that the reg hack doesn't work, or my boss is edgy about it. Any thoughts or recommendations between rbldnsd and rbldns?
 
Old 10-21-2004, 01:38 AM   #4
chort
Well, TinyDNS (AKA DJBDNS) is usually fairly easy for newbies to understand, and it has the best security record. It doesn't have the flexibility that BIND does, but for a DNSBL you only need a small subset of normal DNS functions. It looks like rbldns is tailor-made for that, so it would be my recommendation.

Edit: In case it wasn't already clear, rbldns was created by DJB, i.e. the guy who created TinyDNS.
 
  

