How to Create a Local DNSBL List?

Hello,

Could someone tell me how to create a local DNSBL? What tools or software do I need to do that?

Our servers are running Windows 2000.

I want to have our own DNSBL that we will be able to maintain, and block the IP addresses that we want.

I want to create a DNSRBL list like: list.mycompany.com

and then configure our Domino Server to check all incoming email with this list.

In fact we are using several public DNSBL lists like bl.spamcop.net, but how do I create mine??

Thank you for your help.

Subject: How to Create a Local DNSBL List?

You can easily block them by adding them to your SMTP inbound controls under:

“Deny messages from the following internet address/domains”. It’s not the same as a DNS lookup, but it does block them. I’m figuring it does it much quicker too, as there’s no lookup – the sites are in the config doc.

Subject: RE: How to Create a Local DNSBL List?

I know that, but we are limited in the number of IP addresses that we can add to this field. Do you know how many I can add to this field?

I have to block thousands of IPs, and I also think that it is not possible to use a Group in that field.

I thought of our firewall, but there we have to type each IP manually to block them.

I’m also using Symantec Content Filtering for Domino 3.X, but it seems not to be able to block email based on the IP address it was sent from.

I’m looking for a solution to block IP addresses where I’ll be able to feed it by importing a text file containing a lot of IP addresses.

Any thoughts about this are welcome…

Subject: RE: How to Create a Local DNSBL List?

If memory serves correctly, DNSBLs work on the principle of DNS. You submit the hostname of the connecting machine to the DNSBL, and it returns either 127.0.0.1 or 127.0.0.2 as the address. Depending on the IP address returned, you accept or reject the mail.

In order to create your own, you just need your own DNS server (like BIND) and a facility to bulk-create zone files to import into it.

Cheers!

Luke

Subject: RE: How to Create a Local DNSBL List?

You are right about the returned IP, 127.0.0.2 or anything else.

So far, my company is using the DNS server of Windows 2000, and we already have many zones created for name-to-IP resolution.

The first thing the DNSBL does is reverse your IP address using the IP4R protocol, so 127.0.0.2 becomes 2.0.0.127.

After this they add the name of the list, like

bl.spamcop.net

so if you ping 2.0.0.127.spamcop.net you will get a reply from them.

I tried the same thing with our already configured zone, and it just doesn't work.

Also, what should be the name of the list? Is that the DNS name of the server?

I’m very mixed up…

Also, does any of you know a tool to bulk-create a DNS zone in Windows 2000’s DNS server?

Thanks.

Subject: RE: How to Create a Local DNSBL List?

That should be pretty simple to work out.

Make yourself a new zone - call it “my.blacklist.bozo.com” or whatever floats your boat.

Now, make the entries (in reverse style) as hosts in the zone, each pointing to 127.0.0.2 (or anything for that matter; I don’t believe it makes a difference).

Make sure your Domino server is using that DNS server for lookups, and add your new domain (my.blacklist.bozo.com) to your list of DNSBL sites you scan.

You will get a response from your local server on that address (if not before from one of the other sites you use)…

I employ this technique (as does my ISP, who has their own list) and it works quite well!

Subject: RE: How to Create a Local DNSBL List?

Thanks Carter for this explanation, but I’m missing something.

When you say make the entry in reverse style as a host in the zone, it means that I have to use the “dot” in the Host Name field, and Windows 2000 does not accept this character in that field.

Does that mean that I need a DNS server not running on Windows 2000?

Give me a real example; maybe I’m not doing the right thing.

Thanks,

Subject: You need to create reverse lookup zone.

Subject: RE: How to Create a Local DNSBL List?

I just read the message about W2K servers and the issues… I run a Linux/BIND DNS server, so I hadn’t thought about the differences when I posted my previous reply.

You do NOT need a reverse-lookup zone for this to work. And unfortunately, I know of no way of importing a text file of ip addresses into W2K’s DNS Server.

That said… the bad news is this - to make a reverse-lookup zone “work” in W2K DNS, you have to make a boatload of entries…

Here’s an example. Say I wanted to block IP address 11.12.13.14. I have a “bad DNS zone” off of my ‘Root’ zone - but you could make any zone you wanted to, so long as you don’t mind resolving it (in other words, you wouldn’t want to name your zone “google.com” if you ever wanted to be able to resolve the “real” names/address for that site).

So my root AD domain is “fmpa.local” and I want to call my “bad” zone “DNSBL”. So I made a new domain (from within the fmpa.local tree) called “DNSBL”. For the lookup to process, you need to reverse-style the IP address you want to block… AND make domains for each of those octets. Ick. So here we go.

Our “bad” IP address is 11.12.13.14 - which we need to turn around to 14.13.12.11. To do this, we need to make new domains for each octet in the address, going forward from the “real” address. So from within the new dnsbl.fmpa.local, I would add a new domain called “11”.

Open that “folder”, add a new domain called “12”.

Open that folder, add a new domain called “13”.

Then add a HOST in the 13 domain called “14”, and make it point to 127.0.0.2.

Now, when you do a lookup, you should get a reply… eg,

nslookup 14.13.12.11.dnsbl.fmpa.local

should reply “127.0.0.2” if you’re using that server for your DNS from the computer you’re doing the lookup from.

Yes, it’s probably a pain in the a$$, but unless you can add another box just for these bad domains, I don’t see much of a way around it with W2K. It might actually take you LESS time to set up a Linux box with BIND8 to do the same work for you, and just use it for this special purpose. You could easily get by with a 486-class workstation for just doing this little bit of work!

Anyway. Long answer to what should be a simple problem…
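The lookup Carter walks through above, as an added example that is not part of the thread: reverse the octets of the connecting IP, append the list name, query for an A record, and treat only a 127.0.0.0/8 answer as a listing. The resolver here is a constructed in-memory stand-in for the dnsbl.fmpa.local zone so the code runs offline; the zone name and the 14.13.12.11 record come from the post, and the health check (127.0.0.2 must be listed, 127.0.0.1 must not) follows the usual DNSBL convention (RFC 5782).

```python
import ipaddress

# Added example, not code from the thread. Models the check a mail server
# performs against the zone built in the walkthrough above.

ZONE = "dnsbl.fmpa.local"   # the list name from the walkthrough

# Constructed stand-in for the DNS server so the example runs offline.
# Key = query name, value = A record; a missing key stands for NXDOMAIN.
CONSTRUCTED_RECORDS = {
    "14.13.12.11.dnsbl.fmpa.local": "127.0.0.2",   # the blocked host 11.12.13.14
    "2.0.0.127.dnsbl.fmpa.local": "127.0.0.2",     # conventional self-test entry
}


def dnsbl_query_name(ip, zone):
    """Build the IP4R name: octets of `ip` reversed, then the list zone.

    IPv4Address() rejects malformed input, so a garbage client address can
    never turn into an arbitrary DNS query name.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Stand-in resolver (dictionary lookup). Replace with a real DNS query."""
    return CONSTRUCTED_RECORDS.get(name)


def is_listed(ip, zone=ZONE, resolve=resolve_a):
    """Return (listed, answer).

    Only answers inside 127.0.0.0/8 count as a listing. A list that answers
    with anything else is treated as broken (or a wildcard that would block
    everything) and reported as "not listed", so mail keeps flowing.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return True, answer
    return False, answer


def list_is_healthy(zone=ZONE, resolve=resolve_a):
    """Sanity check before trusting a list: the test entry 127.0.0.2 must be
    listed and 127.0.0.1 must not be. A positive answer for 127.0.0.1 usually
    means a wildcard, or a dead list whose domain now resolves everything,
    either of which would reject all incoming mail."""
    listed_test, _ = is_listed("127.0.0.2", zone, resolve)
    listed_loopback, _ = is_listed("127.0.0.1", zone, resolve)
    return listed_test and not listed_loopback


if __name__ == "__main__":
    for client in ("11.12.13.14", "11.12.13.15"):
        print(client, is_listed(client))
    print("list healthy:", list_is_healthy())
```

Swap resolve_a for a real query (dns.resolver from dnspython, or socket.gethostbyname) when pointing at a live server; keep the 127.0.0.0/8 check and the health check, since a zone that answers for every name would otherwise reject all mail.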

Subject: How to Create a Local DNSBL List?

We have tried to do this with W2K and it is far from straightforward.

If you have the option of running a Linux or other Unix style box, then DJBDNS is probably your answer:

http://cr.yp.to/djbdns/rbldns.html

Subject: RE: How to Create a Local DNSBL List?

I will give this a try… we have some Linux servers in the company.

Even if I were able to accomplish this with W2K, I would need a way to fill up the list with IP addresses from a text file.

Thank you Chris !

Just for my information, has any of you been successful with W2K?

Subject: How to Create a Local DNSBL List?

I was just searching this list, and just wanted to clear this up for the hate group of Linux admins out there also running Windows 2000 or 2003 servers, who won’t take the time to read the book. (If that’s you, then in your case it would be much faster to set up a Linux machine with BIND, since you hate Microsoft so much that you don’t want to learn how to use it.)

For the non-AD DNS zones, you will find the text DNS zone files under the %systemroot%\system32\dns\ folder. To create the text versions, you can unselect Active Directory mode in the MMC properties, or you can just create a standard primary zone. That zone becomes, or is, a text file under that %systemroot%\system32\dns directory. You can import from or export to your Linux DNS text files this way. You can later convert it back and forth to and from AD-integrated mode if you want better integrated Windows support than the standard file mode gives you. Linux BIND and the standard file mode in Windows give you few and weak security options compared to AD-integrated zones. AD is not always the best choice in mixed environments, so read the MS knowledge base to figure out what is best for your environment.

It’s also very easy to set up Linux and Windows DNS servers hosting the same DNS zone, using primaries, secondaries, and forwarders to back each other up. (This is a good method to use for fault tolerance, since worms and crack attacks are capable of destroying either system at any time, no matter what the ‘experts’ say.)

Here is a sample of the text file under Windows DNS. I’ve cut off our DNSBL list, but just to illustrate: Windows DNS does the same job all the DNS servers do.


;
; Database file dnsbl.mydomain.com.dns for dnsbl.mydomain.com zone.
; Zone version: 2
;
@ IN SOA myserver.mydomain.com. hostmaster.mydomain.com. (
        2            ; serial number
        900          ; refresh
        600          ; retry
        86400        ; expire
        3600       ) ; default TTL
;
; Zone NS records
;
@ NS myserver.mydomain.com.
;
; Zone records
; (Add your DNSBL entries in reverse IP format like the entry below. - Joe)
238.194.55.68 A 127.0.0.2

-Joe Rose

—No matter the OS, all servers must accomplish the same tasks. Let’s put an end to OS rivalry and work together.–
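The bulk import the original poster asked for, as an added example that is not part of the thread: it turns a plain text file of IP addresses into a standard-primary zone file in the layout of Joe’s sample above, which can then be dropped into %systemroot%\system32\dns\ (standard primary zone) or a BIND zone directory. The zone name, server name, hostmaster address and the 127.0.0.2 answer are assumptions copied from the sample; the input list is constructed; the /16 expansion limit is an assumed safety cap.

```python
import ipaddress

# Added example, not code from the thread. Generates a DNSBL zone file in the
# format of Joe's Windows DNS sample from a text list of IPv4 addresses.

LISTED_ANSWER = "127.0.0.2"   # the answer every listed host returns (from the sample)
MAX_EXPAND_PREFIX = 16        # assumption: refuse to expand blocks larger than a /16

# Constructed sample input: one address or CIDR block per line, comments allowed.
SAMPLE_IP_LIST = """\
# spam sources (constructed sample, not real data)
68.55.194.238
68.55.194.238        ; duplicate, must appear once in the zone
198.51.100.0/30      ; a small block, expanded to four hosts
not-an-ip            ; bad line, reported and skipped
"""


def dnsbl_label(addr):
    """IP4R form of an IPv4Address: octets reversed, no trailing zone name."""
    return ".".join(reversed(str(addr).split(".")))


def parse_ip_list(text):
    """Return (sorted unique IPv4Address list, [(lineno, line, error), ...]).

    Accepts single addresses and CIDR blocks; '#' and ';' start comments.
    Blocks larger than MAX_EXPAND_PREFIX are rejected rather than expanded
    into a zone file with millions of records.
    """
    addrs, bad = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            if "/" in line:
                net = ipaddress.IPv4Network(line, strict=False)
                if net.prefixlen < MAX_EXPAND_PREFIX:
                    raise ValueError("block too large to expand: %s" % line)
                addrs.update(net)   # every address in the block, incl. .0 and broadcast
            else:
                addrs.add(ipaddress.IPv4Address(line))
        except ValueError as exc:
            bad.append((lineno, line, str(exc)))
    return sorted(addrs), bad


def build_zone(zone, primary_ns, hostmaster, serial, ip_text):
    """Render the zone file text plus the list of rejected input lines."""
    addrs, bad = parse_ip_list(ip_text)
    lines = [
        ";",
        "; Database file %s.dns for %s zone." % (zone, zone),
        "; Zone version: %d" % serial,
        ";",
        "@ IN SOA %s. %s. (" % (primary_ns, hostmaster),
        "        %d ; serial number (must increase on every change)" % serial,
        "        900 ; refresh",
        "        600 ; retry",
        "        86400 ; expire",
        "        3600 ) ; default TTL",
        ";",
        "; Zone NS records",
        ";",
        "@ NS %s." % primary_ns,
        ";",
        "; Zone records (reverse IP format)",
        ";",
        "2.0.0.127 A %s" % LISTED_ANSWER,   # self-test entry; 127.0.0.1 deliberately absent
    ]
    lines += ["%s A %s" % (dnsbl_label(a), LISTED_ANSWER) for a in addrs]
    return "\n".join(lines) + "\n", bad


if __name__ == "__main__":
    text, rejected = build_zone("dnsbl.mydomain.com", "myserver.mydomain.com",
                                "hostmaster.mydomain.com", 3, SAMPLE_IP_LIST)
    print(text)
    for lineno, line, err in rejected:
        print("skipped line %d (%s): %s" % (lineno, line, err))
```

Bump the serial every time the file is regenerated, otherwise secondaries keep serving the old copy; after replacing the file, reload the zone (dnscmd /zonereload on Windows, rndc reload with BIND) rather than relying on the server to notice the change.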