NAME
dnsbls -- a lightweight nameserver based on BDB
distributed as perl module Mail::SpamCannibal::DNSBLserver
SYNOPSIS
dnsbls [options]...
DESCRIPTION and OPERATION
There is no perl module for dnsbls
. This is a documentation shell.
See IPTables::IPv4::DBTarpit::Tools to manipulate and examine the dnsbls
database(s).
dnsbls
is a C daemon that is a specialized name server providing DNSBL domain name services for the Mail::SpamCannibal set of programs from their database implemented using the Berkeley DB database found in all Linux distributions. dnsbls
is configured for concurrent use of the database, allowing similtaneous access and update of the database by other applications.
dnsbls
returns A, NS, MX, TXT, SOA, and optionally AXFR records about its immediate environment and numeric records in its tarpit and blcontrib databases. Ordinary A, NS, MX, and SOA records are returned for the environment while unique A and TXT records are returned when queried about numeric hosts.
DNS query format
The DNS query format for numeric hosts follows the convention used by other DNSBL servers. The IP address of the target host is reversed and the zone name of the DNSBL server zone is appended. For example, if you want to see if 172.16.12.34 is listed in the bl.spamcannibal.com zone, you would look up the A record for 34.12.16.172.bl.spamcannibal.com
query about 172.16.12.34 look up 34.12.16.172.bl.spamcannibal.com
DNS answer format
If the IP address is not listed in the database, the DNSBL server will report that the A record is non-existent. If the IP is listed in the database, an A record will be returned with a value of 127.xxx.xxx.xxx
127.0.0.2 added by this installation for spam violations 127.0.0.X added because it was found on another DNSBL list
TXT records are available for each numeric record returned. For return records of 127.0.0.2, a default message is returned that was specified with the command line -e option (more below). If the IP address is listed in the blcontrib database, then the text message found there is returned in the TXT message.
Typically, rather than query for an A record, a query for type ANY will return both the A record and the TXT record if the target IP address is found in the DNSBL's databases.
INSTALLATION
To build the dnsbls
daemon type the following:
perl Makefile.PL
make
make test
make install
To restore the default directory configurations type:
rm config.db
Adjust the permissions for "dnsbls" and its installation directories. This is not done automatically since it may involve system directories.
Copy <install/directory>/config/dnsbls.conf.sample
to <install/directory>/config/dnsbls.conf
and edit the configuration to fit your site.
The Berkeley DB environment and databases can be created automatically. However it is recommend that you use the initdb.pl script in the ..../Mail/SpamCannibal distribution directory. Adjust the permissions of the files and directories so that they are accessible by the various applications that will be using the information in the databases.
Lastly, copy rc.dnsbls to your startup directory so it is executed at boot up as:
rc.dnsbls start
Because the dnsbls
daemon has only concurrent access to the database, applications should not be written which use db->cursor operations these can block dameon access for normal put and sync operations. Instead, use repetitive read-by-record-number operations to gain sequential access to the data.
sc_zoneload
The script sc_zoneload can be used to load a BIND zone file or a file created by the BIND 'dig' utility or the Net::DNS::ToolKit - dig.pl utility into the dnsbls database. Please note that ALL 127.0.0.2 RESPONSES ARE CONVERTED TO 127.0.0.3 unless the -e switch is used with this utility. See "DNS query format" above.
DEPENDENCIES
Berkeley DB 2.6.4 http://www.sleepycat.com/
for testing and sc_zoneload support
Net::DNS::Codes, version 0.06
Net::DNS::ToolKit, version 0.07
IPTables::IPv4::DBTarpit::Tools, version 0.11
OPTIONS - short version
Options:
-z : Zone Name: bl.domain.com [default: this hostname]
-n : Name Servers: abc.domain.com (Note 1)
-N : same as -n, but sets host name (Note 1)
-a : NS Address xxx.xxx.xxx.xxx [default: lookup via DNS]
...there can be more than one set of entrys
-n : Another NS dul.domain.com (up to 15)
-a : eth0 NS Address yyy.yyy.yyy.yyy
-a : eth1 another NS Address (up to 10)
-m : 10 mark preference for MX entry (Note 2)
-s : 60 : SOA negative caching interval
-u : 43200 : SOA update/refresh interval
-y : 3600 : SOA retry interval
-x : 86400 : SOA expire
-t : 10800 : SOA ttl/minimum
-c : SOA zone contact: contact@somewhere.com
-e : ERROR: this RBL's error message "http://....."
-b : Block AXFR transfers
-L : Limit zonefile build transfer rate (default 200,000 cps)
-C : Continuity (default allow zonefile discontinuity)
-r : Alternate DB root directory [default: /var/run/dbtarpit]
-i : Alternate tarpit DB file [default: tarpit]
-j : Alternate contrib DB file [default: blcontrib]
-k : Alternate evidence DB file [default: evidence]
-p : Port number [default: 53]
-d : Do NOT detach process.
-l : Log activity to syslog (Note 3)
-v : Verbose logging to syslog
-o : Output to stdout instead of syslog (Note 4)
-V : Print version information and exit
-T : Test mode - Print out debug info and exit
-P : Enable promiscious reporting of contributed entries (Note 5)
-g : Internal test flag - tcpmode, see ns.c, t/ns.t, CTest.pm::t_mode
-h : Print this help information
-? : Print this help information
Note 1:
Name servers must be specified on the command line since this is the server
that will ultimately answer requests for NS information about this zone.
If the name server is another host, you don't have to specify the IP
address(es). If not specified on the command line, IP address(es) will be
retrieved via a DNS query. Your resolver must work! Use the -N switch to set
to SOA host name as well as the IP address reported for the dnsbls host.
If not set in this manner, it will default to the host name.
Multiple NS entries may be made (up to 15), each with multiple IP addresses
(up to 10). IP address entries must follow their NS entry and appear before
the next subsequent NS entry. Continuation lines may be used as a convenience
if the line length gets too long
Note 2:
MX (mail server) records are entered in the same manner as NS records.
The -m (NN) option is specified on the command line following either the
name entry, -n foo.bar.com, or address entry, -a xx.xx.xx.xx, if used.
Note 3:
'kill -USR1 <dnsbls_PID>' to toggle logging on and off.
If logging was not enabled at start this sets the '-l' flag
If logging (-l | -v) are set this saves the value and turns off logging
If logging is presently toggled off it restores the saved level (-l | -v)
Note 4:
This sends log information to stdout rather than to syslog. This option
also implies and sets the -d option (Do NOT detach process).
Note 5:
Entries contributed to the tarpit by remote DNSBL's are not normally
reported by this DNSBL server. To do so would allow the addition of
a blocked host to a network of contributing tarpit based DNSBL servers
that could never be removed due to feed back between the servers.
ENABLE this option only after careful consideration.
OPTIONS - long version
-z bl.domain.name
Specify the Zone Name for which this server is authoratative. If not specified, the hostname of the server is used.
i.e. thishost.foo.bar.com
-n ns1.nsdomain.com
Specify one or more NS or MX servers that for this zone. If the server is not THIS host, is not necessary to specify the IP address(es). If the IP address(es) are not specified on the command line with the -a option, they will be retrieved via a DNS query. Your resolver must work!
Multiple NS or MX entries may be made (up to 15), each with multiple IP addresses (up to 10 each). See the entry for option -a below.
-N ns.nsdomain.com
Same as the -n switch, but also sets the host name for the SOA record as well and the name and IP address reported for the dnsbls host.
-a 172.16.2.3
Specifiy the IP address for an NS or MX command line option. IP address entries must follow their NS or MX entry and appear before the next subsequent NS or MX entry on the command line.
If an IP address is not specified for an NS or MX record, it will be retrieved using a DNS query.
Continuation lines may be used as a convenience if the line length gets too long.
i.e. dnsbls -n ns1.spamcannibal.com -a 172.16.2.123 \ -a 192.168.3.4
-m 123
Mark the name entry as an MX server and specify the preference.
i.e. dnsbls -n mx1.spamcannibal.com -m 10 -a 172.16.2.124 -m : 10 mark preference for MX entry (Note 2)
-s nnnn
Set the negative caching interval/minimum TTL for the SOA record itself. The minimum of this value and the TTL/minimum (option -t below) determine the minimum caching interval for authoratitive NXDOMAIN answers
default 0
-u nnnnn
Set the Update/refresh interval for the SOA record (seconds).
default 43200
-y nnnnn
Set the retrY interval for the SOA record (seconds).
default 3600
-x nnnnn
Set the eXpire interval for the SOA record (seconds).
default 86400
-t nnnnn
Set the TTL/minimum for the SOA record (seconds).
default 10800
-c contact@somewhere.com
Set the Contact name for the SOA record (an email address). The @ sign will be replaced by a period (.) automagically. Default if not specified is root@(zone name).
-e "usually some Error message"
Specify the default message for TXT record for numeric queries that are found in the tarpit database but not found in the blcontrib database. The message may be up to 255 characters in length. Usually something like this:
"ERROR: connection tarpited. See: http://www.my.blacklist.org"
-b
Block AXFR transfers. Prevents
dnsbls
from answering AXFR requests. If you wish to allow zone transfers or zone transfers to approved domains, it is recommended that you rundnsbls
behind a firewall and use a standard DNS server as a secondary to provide service to the internet.-L
Limit the rate at which zonefile generation occurs to prevent over-utilization of the host system by the dnsbls daemon.
default 200,000 characters per second
This feature may be disabled by setting it to '0'
i.e. ... -L 0
-C (new but deprecated)
For very large zones and multiple daemons constantly adding and removing records, it is very difficult to get a contiguous zone dump where the starting and ending serial number is constant. Instead, re-sync the cursor to ignore BerkeleyDB's behavior of renumbering the records after an insert or delete. This allows a zone dump to proceed when record values that have already been read are deleted or inserts are made to the area the cursor has already transversed. More specifically, records ahead of the cursor will appear in the zone file as they are transversed, records altered behind the cursor are not seen so effectively the zone is frozen for dump purposes at the instant the cursor transverse it. With "Continuity" set true, a single unperterbed snapshot of the database is dumped to the zone file. However, this method will fail if records are added or removed during the dump. The dump will automatically retry 3 times. The practical aspect of this change is that it is as if the zone was read a minute or two earlier in the case of similtaneous database updates.
The old -C behavior is not desirable for large zones because it is not practical for the database to remain static long enough for a complete zone dump. The behavior is deprecated, the -C flag is provided to retain the old behavior if for some strange reason you find it desirable.
-r /path
Set the database root (aka) path to db environment home
(default: /var/run/dbtarpit)
-i filename
Set the tarpit database name (default: tarpit)
-j filename
Set the contrib database name (default: blcontrib)
-k filename
Set the evidence database name (default: evidence)
-h
Print the "short" help information and exit.
-?
Print the "short" help information and exit.
-p 53
Set the port number that
dnsbls
listens on. Default, standard DNS port 53.-d
Some people want to run
dnsbls
under the control of another process. This keepsdnsbls
from detaching and running as a daemon.-l
Logs any
dnsbls
activity to syslog.-v
Logs verbosely to syslog.
-o
This gives you the option to have
dnsbls
log information go to stdout instead of the syslog. This option also sets "-d".-V
Print version information and exit.
-T
This prints a bunch of diagnostic information an exits.
-P
Enable promiscious reporting of entries contributed to a tarpit based DNSBL server by remote DNSBL's. These entries are not normally reported by this DNSBL server because to do so could allow the addition of a blocked host to a network of contributing tarpit based DNSBL servers that could never be removed due to feed back between the servers. ENABLE this option only after careful consideration.
-g
Undocumented option used during development and testing. If your curiosity is just killing you then read the comments about is_tcp and tcpmode in ns.c, t/ns.t, and CTest.pm -- function t_mode.
SIGNALS
HUP logged if logging enabled, no action
TERM daemon exits
QUIT daemon exits
INT daemon exits
USR1 toggle logging
USR2 dump a zonfile to database home directory
with the name "[zonename].in". During
the dump, a temporary file named
"[zonename].in.tmp" is created
DATABASE CONFIGURATION FILE [optional]
Usually used to increase database cache size.
Most of the configuration information that can be specified to DB_ENV methods can also be specified using a configuration file. If an environment home directory has been specified (done by default or with the -r option to dnsbls
) any file named DB_CONFIG in the database home directory will be read for lines of the format NAME VALUE.
One or more whitespace characters are used to delimit the two parts of the line, and trailing whitespace characters are discarded. All empty lines or lines whose first character is a whitespace or hash (#) character will be ignored. Each line must specify both the NAME and the VALUE of the pair. The specific NAME VALUE pairs are documented in the Berkeley DB manual for the corresponding methods.
See: http://www.sleepycat.com/docs/ref/env/db_config.html
DATABASE FORMAT
dnsbls and IPTables::IPv4::DBTarpit::Tools use the Berkeley DB database. The database is of type BTREE, opened for concurrent access and sequential record access. These database files have similar formats.
Files: tarpit, blcontrib
Key: 32 bit packed network address as produced by inet_aton
Data: tarpit
32 bit unsigned integer, number of seconds since 1-1-70
blcontrib
32 bit packed network address as produced by inet_aton
which is the return code (127.xxx.xxx.xxx IP address)
returned as the A record for the query followed by a
null byte, followed by a null terminated ascii string
usually containing the "ERROR" message to be issued by
an querying mail server. Additional data are appended
the record after the the second null for use by other
members of the spamcannibal tool suite.
example: 'blcontrib'
$data = pack("a4 x A* x",inet_aton('127.0.0.3'),
"Error: blacklisted by http://www.some-bl.com";
($netaddr,$txt) = unpack("("a4 x a*",$data);
Database creation hints for 'C' api:
* environment flags *
u_int32_t eflags = DB_CREATE | DB_INIT_CDB | DB_INIT_MPOOL;
* db flags *
u_int32_t dflags = DB_CREATE;
u_int32_t info = DB_RECNUM;
DBTYPE type = DB_BTREE;
int mode = 0664;
environment and database open statements vary depending on the version of BerkeleyDB used. See the code in bdb.c for specifics.
Database creation hints for Perl api:
my %env = (
-Home => $self->{dbhome},
-Flags => DB_CREATE | DB_INIT_CDB | DB_INIT_MPOOL,
);
$self->{"_db_${db}"} = new BerkeleyDB::Btree
-Filename => $self->{dbfilename},
-Flags => DB_CREATE,
-Property => DB_RECNUM,
-Env => $self->{env}
or die "Cannot open database $db: $! $BerkeleyDB::Error\n" ;
NOTE: (in BIG LETTERS!)
Berkeley DB provides a "1" based numbering system for record numbers. i.e. the first record number is "1". By contrast, perl-BerkeleyDB is a "0" based numbering system with the first record number in the same database designated as "0". This means that a database read and written with the 'C' api will have its record numbers begin with "1" while the same database accessed with perl-BerkeleyDB will have record numbers starting with "0".
The IP address 127.0.0.0 is used in the "tarpit" database to store the serial number of the current SOA reported.
* STANDALONE SCRIPT EXAMPLES
DNSBLserver may be used as a standalone DNS server by adding and removing data from the 'tarpit' and 'blcontrib' databases. DNSBL reports entries found in both 'tarpit' + 'blcontrib' only if the "promiscous" (-P) flag is enabled on startup.
i.e. rc.dnsbls start -P
However, the 'blcontrib' database is optional and is used only to provide custom 'A' and 'TXT' record responses for listed IP addresses.
'tarpit' contains the IP addresses of black listed. If there is no corresponding entry in 'blcontrib', then DNSBLserver will report an 'A' record of 127.0.0.2 and a TXT record returning the required default ERROR message that was supplied when the daemon was started.
If there is a corresponding 'blcontrib' for a 'tarpit' entry, then DNSBLserver will report 'A' and 'TXT' records based on the content of the 'blcontrib' record. This may be set to "anything", however, the server will not respond to queries about this IP address unless the "promiscous" (-P) flag is set on the command line at start up. The only exception is that the server always reports 127.xxx.xxx.xxx entries.
These code snippets demonstrate how to insert data into the DNSBLS database. See the sc_admin.pl script in the Mail::SpamCannibal distribution for a more comprehensive example.
The following assumptions are made:
The database environment directory
dbhome /var/run/dbtarpit
primary database name 'tarpit'
secondary database name 'blcontrib'
#!/usr/bin/perl
# script snippet to insert data
use IPTables::IPv4::DBTarpit::Tools qw(
inet_aton
);
my %db_config = (
dbhome => '/var/run/dbtarpit',
dbfile => ['tarpit'],
txtfile => ['blcontrib'],
}
my $tool = new IPTables::IPv4::DBTarpit::Tools %db_config;
# add IP with time stamp NOW
$tool->touch('tarpit',inet_aton('111.222.33.44'));
# unneeded if db_close follows immediately
$tool->sync('tarpit');
# or add custom time stamp
# $tool->touch('tarpit',inet_aton(111.222.33.44),1059928115);
###
# to add custom 'A' and 'TXT' response
$tool->put('blcontrib',inet_aton('111.222.33.44'),
pack("a4 x A* x",inet_aton('127.0.0.6'),
"Error: for removal see foo.bar.com")));
# unneeded if db_close follows immediately
$tool->sync('blcontrib');
###
# to delete a record
$tool->remove('tarpit',inet_aton('111.222.33.44'));
# unneeded if db_close follows immediately
$tool->sync('tarpit');
$tool->remove('blcontrib',inet_aton('111.222.33.44'));
# unneeded if db_close follows immediately
$tool->sync('blcontrib');
$tool->db_close();
Addition of an IP address to the data base where one already exists simply overwrites the old one. Attempted removal of a non-existent entry is harmless.
All of the above functions are also available in the 'C' library interface. See the man (1) pages for libdbtarpit.
APPLICATIONS
... aahhh! now you come to the fun part.
Used with dbtarpit
, it "eats" the spammer for lunch. In less graphic terms, SpamCannibal is a set of tools that helps you identify the originating mail server for the spam message and add the offender's IP address to the tarpit. There are "trolling" tools to allow you to check the DNSBL databases for hits against dbtarpit's
archive database and a host of other goodies to help make life difficult for spammers. And of course, there is this DNSBL server which will allow you to provide information about what IP addresses are in your spam tarpit.
What happens to the spammer when his host hits the tarpit? Well... when a mass mailer hits the tarpit, the thread that is sending mail freezes and will not deliver any further spam until it is detached (usually manually) from the tarpit. Mail sending programs deliver a large number of addresses to the remote receiver which accepts the mail for those domains for which they have records while ignoring the rest. Tarpitting the sender has the effect of not only stopping the delivery of spam for YOUR domain, but all other domains which may be in the sending thread's output stream. Sure it's only one thread, but if there are lots of spam tarpits then lots of spam threads will get trapped and the cost of sending spam will rise. That's a GOOD thing :-)
I'm sure you can think of many other applications, but this one is on the top of my list.
AUTHOR
Michael Robinton <michael@bizsystems.com>
COPYRIGHT AND LICENCE
Copyright 2003 - 2014, Michael Robinton <michael@bizsystems.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.