DNSBL Server

From Unallocated Space
Revision as of 20:31, 18 January 2014

DNSBL Concepts

Updated Jan 18, 2014 ajs

What is a DNSBL?

A DNSBL (DNS Black List, or Block List) server is simply a DNS server used to determine whether an IPv4 address has a record ("is listed") in a blocklist domain. A DNSBL is used as a second line of defense (assuming the firewall is the first) to determine whether a sending server should be prohibited from connecting to your email server.

Typical IP addresses listed in a DNSBL

  • Known Repeat Spam sources
  • Commercial ISP DHCP address ranges whose customers should be using the ISP's email services
  • Rogue IP addresses that are unregistered

Why Would a Company Want its Own DNSBL?

Good question! There are free, public, DNSBLs, so why have your own?

  • There are unlisted bad guys sending spam or malware to your company
  • Your company receives more than 1000 emails per day or otherwise exceeds the "free use" policies of the DNSBL services.
  • A local DNSBL responds faster than a public one, which reduces your email server's workload and the idle time spent waiting for a public DNSBL response.

Pros and Cons of Running a Private DNSBL

  • PRO: Your email server can more efficiently identify and drop connections from repeat offenders. Public DNSBLs are slower to respond.
  • PRO: It makes you feel good when you can block an annoyance and they have to ask You to unblock them.
  • CON: Some of your customers, suppliers, and consultants use the same email services that send spam. If not careful, you might block a spammer and your customer with the same listing. (e.g. accidentally block email from yahoo.com servers).
  • CON: The Internet IP address space is BIG (even for IPv4) and the process of identifying list candidates is a tedious maintenance task.


How Does a DNSBL Work?

A DNSBL server has one or more domains with records that are structured for storing IPv4 Addresses for efficient reverse lookup within the zone.

The storage and lookup process is similar to the Reverse Lookup used to find the FQDN (Fully Qualified Domain Name) for an IP address. The difference is that a DNSBL lookup is a Forward Lookup: the FQDN is constructed from the reversed IP address octets followed by the DNSBL server's domain, and that FQDN is then resolved to an IP address. The IP addresses returned by a DNSBL are typically in the range 127.0.0.2 to 127.0.0.254.

DNS Servers are generally lightweight and high performance. A decent DNS Server can handle millions of DNSBL records and process hundreds of queries per second.

Linux Based DNSBL Implementation

Requirements

Windows Based DNSBL Implementation

Requirements

  • Windows Server 2000 or later
  • Microsoft DNS Server

EMail Lab Exercise - Windows Server 2012 R2, DNS Server Setup

1.  Create a typical Windows Server VM with 1 Network Ethernet Adapter
2.  Clean Install Windows Server 2012 R2 in a VM
3.  Right-Click on the Network icon (bottom right) and Open Network and Sharing Center
4.  Configure the Ethernet adapter IPv4 (your values may differ)
    * IP Address: 172.30.10.53
    * Subnet Mask: 255.255.0.0
    * Default Gateway: 172.30.0.2
    * DNS Server: 172.30.10.53 (the same address, since this machine is the DNS Server)
5.  In the Server Manager, Select the Local Server
6.  Configure Time Settings and Host Name, Reboot
7.  In Server Manager, Click "Add Roles and Features" and install the DNS Server Role
8.  Figure out how to pin the DNS Manager to the Task Bar and Start Menu for frequent access
9.  Launch the DNS Server Manager, and Click the "View" menu and Check "Advanced"

Intranet DNS Server Concept

A reason for using an Intranet DNS Server is to resolve FQDNs that have Local IP Addresses. In Windows Active Directory, an Intranet DNS Server that is integrated with Active Directory is required. The DNS queries for FQDNs in non-local domains are usually forwarded to an Internet DNS server, like Google's 8.8.8.8.

DNSBL Server

A DNSBL Server is a DNS Server with one or more Forward Zones whose A records are for FQDNs formatted with the reversed IPv4 Address and the list's domain. Name Server Delegations are defined in the Intranet DNS Server so that queries reach the DNSBL zone without requiring the DNSBL Server to forward queries for unknown FQDNs. It is hard to explain but easier to demonstrate.

EMail Lab Exercise - Configuring the DNSBL Server

Create Forward Primary Zone for the DNSBL Domain

  • NOTE: DO NOT USE YOUR MAIN DOMAIN FOR THE DNSBL DOMAIN - especially if using Active Directory!
  • Our DNSBL domain name will be emaillab.net
  • Our Server's Host Name is email-lab-dnsbl
1.  Right click the Forward Lookup Zones and select the New Zone... menu item.
2.  Create a Primary Zone named emaillab.net;  finish the dialog (defaults are ok)

Create a Zone and Delegation Name Server for the DNS Black List

5.  Right click the Forward Lookup Zones and select the New Zone... menu item.
6.  Create a Primary Zone named dnsbl.emaillab.net;  finish the dialog (defaults are ok)
7.  Right Click on the emaillab.net domain and select the New Delegation... menu item.
8.  Enter dnsbl for the Delegated Domain field; click Next
9.  Add a Name server with FQDN = email-lab-dnsbl and Resolve IP address = 172.30.10.53
10. Finish the New Delegation wizard.

Create a Zone and Delegation Name Server for the DNS White List

11. Right click the Forward Lookup Zones and select the New Zone... menu item.
12. Create a Primary Zone named dnswl.emaillab.net;  finish the dialog (defaults are ok)
13. Right Click on the emaillab.net domain and select the New Delegation... menu item.
14. Enter dnswl for the Delegated Domain field; click Next
15. Add a Name server with FQDN = email-lab-dnsbl and Resolve IP address = 172.30.10.53
16. Finish the New Delegation wizard.

Congratulations! You have completed the DNSBL Server setup!

  • FAQ = Why use Delegations instead of just using Forward Zones?

Using a simpler Forward Zone works fine! The purpose of using Delegations is to make it simple to adapt this lab example to a scenario where the DNS server holding the actual DNSBL and DNSWL zones is not in your network, while the zones dnsbl.emaillab.net and dnswl.emaillab.net still share the same "emaillab.net" domain.

For example, if I want to enable a friend's remote DNS server to use the DNSBL.emaillab.net and DNSWL.emaillab.net running on my DNS server privately, without using a public registered Internet domain name, all they have to do is create a zone and delegation records for the right IP address.

EMail Lab Exercise - Adding DNS Records to your DNSBL Server

Add Simple Host(A) Records

First, we will add simple "spam.dnsbl.emaillab.net" and "notspam.dnswl.emaillab.net" records so we can easily ping our DNSBL Server domains.

1.  Right Click on the dnsbl.emaillab.net Forward zone
2.  Add a Host(A) record for spam with IP Address 127.0.0.2
3.  Repeat for the dnswl.emaillab.net Forward zone, adding a Host(A) record for notspam with IP Address 127.0.0.2
4.  Test by "ping spam.dnsbl.emaillab.net" and "ping notspam.dnswl.emaillab.net"

Observe that spam.dnsbl.emaillab.net resolves to 127.0.0.2 - your DNSBL Server is working!

Add Host(A) Records for DNSBL Formatted FQDNs

The DNSBL takes FQDNs built from the reversed IPv4 address and the DNSBL domain. Generally, if the DNSBL query resolves to an IP address, Spam Filters will consider the IP address "Listed" and process the email accordingly.

For example: IP Address 99.88.77.66 is formatted for our DNSBL as the FQDN 66.77.88.99.dnsbl.emaillab.net, and we want our DNSBL Server to resolve this FQDN to 127.0.0.2.

To Black List IPv4 Address 99.88.77.66 in our DNSBL do the following:

1.  Right Click on the dnsbl.emaillab.net Forward zone
2.  Add a Host(A) record for 66.77.88.99 with IP Address 127.0.0.2
3.  Test by "ping 66.77.88.99.dnsbl.emaillab.net"

Now you know how to add a host IP address so it can be blocked by your spam filter!

Unfortunately, the IPv4 DNSBL architecture is really only designed for CIDR /24, /16, or /8 boundaries, because our FQDN is constructed from the IP Address octets. You can List entire networks by replacing the host octet(s) with the * wildcard, which becomes the leading label of the reversed FQDN (e.g. *.10.30.172 for 172.30.10.0/24).

For example: To White List all the IP Addresses in the subnet 172.30.10.0/24, do this:

1.  Right Click on the dnswl.emaillab.net Forward zone
2.  Add a Host(A) record for *.10.30.172 with IP Address 127.0.0.2
3.  Test by "ping 22.10.30.172.dnswl.emaillab.net" and it will resolve to 127.0.0.2
4.  Test any IP address in the 172.30.10.0/24 subnet and it will resolve to 127.0.0.2
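The lookup described under "How Does a DNSBL Work?" and the record exercises above, as an added Python example (not code from the article): it builds the reversed-octet query name, resolves it against a copy of the lab's zone data (exact name first, then the enclosing wildcard), and reports a sender as listed only when the answer falls in 127.0.0.2 to 127.0.0.254. The allow/block precedence in check_sender is my assumption; the article defines no policy.

```python
import ipaddress

# Constructed sample zone data, copied from the lab zone files in this article.
# Owner names are relative to their zone; "*" owners are wildcard records.
LAB_ZONES = {
    "dnsbl.emaillab.net": {
        "66.77.88.99": "127.0.0.2",   # single host 99.88.77.66
        "*.23.30.37": "127.0.0.2",    # whole network 37.30.23.0/24
        "spam": "127.0.0.2",
    },
    "dnswl.emaillab.net": {
        "*.10.30.172": "127.0.0.2",   # whole network 172.30.10.0/24
        "notspam": "127.0.0.2",
    },
}

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the forward-lookup name: reversed IPv4 octets + the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve(fqdn: str, zones=LAB_ZONES):
    """Answer a query the way the lab DNS server does: exact owner name first,
    otherwise the closest enclosing wildcard. None means NXDOMAIN (not listed)."""
    for zone, records in zones.items():
        suffix = "." + zone
        if not fqdn.endswith(suffix):
            continue
        owner = fqdn[:-len(suffix)]
        if owner in records:
            return records[owner]
        labels = owner.split(".")
        # "*.10.30.172" matches 22.10.30.172; a "*.172" record would match 172/8
        for i in range(1, len(labels)):
            candidate = "*." + ".".join(labels[i:])
            if candidate in records:
                return records[candidate]
        return None
    return None

def is_listed(ip: str, zone: str, zones=LAB_ZONES) -> bool:
    """What a spam filter does: build the name, query it, and treat an answer
    in 127.0.0.2-127.0.0.254 as 'listed'."""
    addr = resolve(dnsbl_name(ip, zone), zones)
    if addr is None:
        return False
    first3, last = addr.rsplit(".", 1)
    return first3 == "127.0.0" and 2 <= int(last) <= 254

def check_sender(ip: str, zones=LAB_ZONES) -> str:
    """Assumed lab policy (not stated in the article): white list wins over
    black list; an address on neither list gets no decision."""
    if is_listed(ip, "dnswl.emaillab.net", zones):
        return "allow"
    if is_listed(ip, "dnsbl.emaillab.net", zones):
        return "block"
    return "unknown"
```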

Scripting Windows DNS Entries

DNS Entries can be scripted using the DNSCMD.EXE console command program. The following is an example of adding an (A) Host record for the IPv4 Network 37.30.23.0/24 to the DNSBL's DNS. My personal practice is to also add a (TXT) DNS record with some reference information, such as the original reverse DNS PTR Lookup result and a datetime stamp.

dnscmd localhost /RecordAdd dnsbl.emaillab.net *.23.30.37 1200 A 127.0.0.2
dnscmd localhost /RecordAdd dnsbl.emaillab.net *.23.30.37 1200 TXT "IP BLOCK 37.30.23.0/24" "37.30.23.86.nat.umts.dynamic.t-mobile.pl" "[20140115184406]"

More script example:

dnscmd localhost /RecordAdd dnsbl.emaillab.net *.44.202.50 1200 A 127.0.0.2
dnscmd localhost /RecordAdd dnsbl.emaillab.net *.44.202.50 1200 TXT "IP BLOCK 50.202.44.0/24" "50-202-44-58-static.hfc.comcastbusiness.net" "[20140117084009]"

dnscmd localhost /RecordAdd dnsbl.emaillab.net *.56.156.212 1200 A 127.0.0.2
dnscmd localhost /RecordAdd dnsbl.emaillab.net *.56.156.212 1200 TXT "IP BLOCK 212.156.56.0/24" "212.156.56.62.static.turktelekom.com.tr" "[20140118215557]"
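The dnscmd lines above, generated rather than typed by hand, as an added Python example (not code from the article): it derives the wildcard owner name from a CIDR network, rejects prefixes that do not fall on an octet boundary (the limitation noted earlier), and renders the A and TXT commands in the article's format. The timestamp helper, the build_script function and the sample entries are my constructions.

```python
import ipaddress
from datetime import datetime

ZONE = "dnsbl.emaillab.net"   # the lab's black list zone
TTL = 1200                    # TTL used by the article's dnscmd lines

def wildcard_owner(network: str) -> str:
    """Owner name that lists a whole network: the reversed network octets with a
    leading '*' label. Only /8, /16 and /24 fit the octet-based name format."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: DNSBL wildcards need a /8, /16 or /24")
    keep = net.prefixlen // 8
    octets = net.network_address.exploded.split(".")[:keep]
    return "*." + ".".join(reversed(octets))

def timestamp(when=None) -> str:
    """The [YYYYMMDDHHMMSS] datetime stamp the article puts in its TXT record."""
    return (when or datetime.now()).strftime("%Y%m%d%H%M%S")

def dnscmd_lines(network: str, ptr_reference: str, stamp: str,
                 zone: str = ZONE, ttl: int = TTL) -> list:
    """The two dnscmd commands per listing: an A record pointing at 127.0.0.2
    and a TXT record holding the network, the PTR lookup result and the stamp."""
    owner = wildcard_owner(network)
    a_rec = f"dnscmd localhost /RecordAdd {zone} {owner} {ttl} A 127.0.0.2"
    txt_rec = (f"dnscmd localhost /RecordAdd {zone} {owner} {ttl} TXT "
               f'"IP BLOCK {network}" "{ptr_reference}" "[{stamp}]"')
    return [a_rec, txt_rec]

def build_script(listings, zone: str = ZONE, ttl: int = TTL):
    """Turn (network, ptr_reference, stamp) tuples into a batch of commands,
    reporting instead of silently dropping prefixes that cannot be a wildcard."""
    lines, skipped = [], []
    for network, ptr, stamp in listings:
        try:
            lines.extend(dnscmd_lines(network, ptr, stamp, zone, ttl))
        except ValueError as err:
            skipped.append(str(err))
    return lines, skipped

if __name__ == "__main__":
    # Constructed sample input: the first entry is the article's own example,
    # the /25 entry shows the octet-boundary limitation being caught.
    sample = [
        ("37.30.23.0/24", "37.30.23.86.nat.umts.dynamic.t-mobile.pl", "20140115184406"),
        ("10.20.128.0/25", "host.example.invalid", timestamp(datetime(2014, 1, 18))),
    ]
    commands, problems = build_script(sample)
    print("\n".join(commands))
    for msg in problems:
        print("REM skipped:", msg)
```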

DNS Data Files

Zone Data File for emaillab.net.dns

;
;  Database file emaillab.net.dns for Default zone scope in zone emaillab.net.
;      Zone version:  9
;
@                       IN  SOA email-lab-dnsbl. hostmaster. (
                        		9            ; serial number
                        		900          ; refresh
                        		600          ; retry
                        		86400        ; expire
                        		3600       ) ; default TTL
;
;  Zone NS records
;
@                       NS	email-lab-dnsbl.
email-lab-dnsbl.        0	A	172.30.10.53
;
;  Zone records
;
;  Delegated sub-zone:  dnsbl.emaillab.net.
;
dnsbl                   0	NS	email-lab-dnsbl.
email-lab-dnsbl.        0	A	172.30.10.53
;  End delegation
;
;  Delegated sub-zone:  dnswl.emaillab.net.
;
dnswl                   0	NS	email-lab-dnsbl.
email-lab-dnsbl.        0	A	172.30.10.53
;  End delegation

Zone Data File for dnsbl.emaillab.net.dns

;
;  Database file dnsbl.emaillab.net.dns for Default zone scope in zone dnsbl.emaillab.net.
;      Zone version:  5
;
@                       IN  SOA email-lab-dnsbl. hostmaster. (
                        		5            ; serial number
                        		900          ; refresh
                        		600          ; retry
                        		86400        ; expire
                        		3600       ) ; default TTL
;
;  Zone NS records
;
@                       NS	email-lab-dnsbl.
;
;  Zone records
;
66.77.88.99             A	127.0.0.2
spam                    A	127.0.0.2

Zone Data File for dnswl.emaillab.net.dns

;
;  Database file dnswl.emaillab.net.dns for Default zone scope in zone dnswl.emaillab.net.
;      Zone version:  7
;
@                       IN  SOA email-lab-dnsbl. hostmaster. (
                        		7            ; serial number
                        		900          ; refresh
                        		600          ; retry
                        		86400        ; expire
                        		3600       ) ; default TTL
;
;  Zone NS records
;
@                       NS	email-lab-dnsbl.
;
;  Zone records
;
*.10.30.172             A	127.0.0.2
notspam                 A	127.0.0.2