DNSDB Blocklist (DNSBL) Tutorial¶
With rbldnsd and BIND 9.9 on Debian 8.x
A DNS Block List (DNSBL) can be used to convey information about IP addresses or hostnames over DNS. Mail servers and anti-spam software can be configured to consult a DNSBL when making delivery or scoring decisions.
This tutorial demonstrates how to:
- Configure a Caching Nameserver using BIND 9.9.x
- Configure rbldnsd to serve the DNSBL zone v1.bl.dns-nod.net
- Configure BIND to forward queries for the zone v1.bl.dns-nod.net to rbldnsd
- Configure rbldnsd to load the Farsight NOD DNSBL dataset
Requirements¶
- Debian 8.x
- root or sudo privileges
- Provisioned for NOD DNSBL by Farsight Security
- A username provided by Farsight Security
- Firewall: Outbound TCP port 49222 to rsync.dns-nod.net:
- 104.244.13.85
- 216.66.15.100
- 104.244.14.85
- 216.156.194.100
- A 4096 bit SSH key pair
- The IP address(es) of the host that will be connecting to Farsight Security
Prerequisites¶
- Start with a clean install of Debian 8.x. For testing purposes a virtual machine with 1 CPU and 1GB of memory would be adequate.
- A NOD DNSBL username provided by Farsight Security
Setup Instructions¶
NOD user account and associated SSH key¶
During the provisioning process for NOD DNSBL you will be asked to provide Farsight Security with a public SSH key and an IP address. You can complete the following steps before provisioning so that you have a public SSH key ready to give to Farsight Security.
Create a user account named nod¶
Create an SSH key pair¶
Become the nod user to create an SSH key pair, associated with the nod user account, that will ultimately be used with SSH and rsync.
Create an SSH key¶
Create an SSH key to be used to connect to Farsight Security resources. Do not set a passphrase on the key; it is used non-interactively by the rsync cron job.
Provide the public ssh key¶
During the provisioning process with Farsight Security you will be asked to provide the public ssh key. Example:
Log out of the nod user¶
Install and configure BIND 9¶
This tutorial uses BIND as a recursive caching server and a forwarding server.
Install BIND 9¶
Configure BIND to be a recursive caching DNS Server¶
Add an ACL to allow recursive queries. Choose a CIDR range that makes sense for your organization.
Add the following within the options directive, referencing the ACL by name:
allow-recursion { allowrecursion; };
named.conf.options should look like:
acl allowrecursion {
    192.168.0.0/16;
    localhost;
    localnets;
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { allowrecursion; };   # the ACL defined above
    allow-query { allowrecursion; };       # same ACL; "localnetwork" is not a built-in ACL name
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
Configure BIND to forward queries¶
Configure BIND to forward queries for the zone v1.bl.dns-nod.net to rbldnsd running on port 5053 by adding a forward zone statement for that zone to the BIND configuration:
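The zone statement itself is not shown on this page. As an added example (not the tutorial's own text), the following shell function emits the standard BIND 9 forward-zone stanza for v1.bl.dns-nod.net, assuming rbldnsd listens on 127.0.0.1 port 5053 as in this tutorial; a second helper appends it once to /etc/bind/named.conf.local (a path assumed from Debian's BIND packaging) and runs named-checkconf on the main configuration:

```shell
#!/bin/sh
# Added example, not part of the Farsight tutorial.
# Emit a BIND 9 forward-zone stanza that hands every query under
# v1.bl.dns-nod.net to rbldnsd. Defaults assume rbldnsd on 127.0.0.1:5053.
nod_forward_zone() {
  addr=${1:-127.0.0.1}
  port=${2:-5053}
  cat <<EOF
zone "v1.bl.dns-nod.net" {
    type forward;
    forward only;
    forwarders { ${addr} port ${port}; };
};
EOF
}

# Append the stanza once (skips if the zone is already present), then check
# the whole configuration. Paths assume Debian's /etc/bind layout; run as root.
nod_install_forward_zone() {
  conf=${1:-/etc/bind/named.conf.local}
  if grep -q 'zone "v1.bl.dns-nod.net"' "$conf" 2>/dev/null; then
    echo "forward zone already present in $conf"
    return 0
  fi
  nod_forward_zone >> "$conf" && named-checkconf /etc/bind/named.conf
}

# Usage (as root):  nod_install_forward_zone && systemctl restart bind9
nod_forward_zone
```

`forward only` matters here: if rbldnsd is down, BIND answers SERVFAIL for names under the zone instead of falling back to a normal recursive lookup, so a lookup failure is visible rather than silently answered from elsewhere. `forward first` would do that fall-back.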
Check the syntax of the BIND configuration files¶
Check the syntax of the BIND configuration files. The shell prompt will return immediately without any output if there are no errors.
Restart BIND¶
Verify BIND is listening on localhost¶
Verify BIND is listening on localhost and is working as a caching server
$ dig @localhost indiana.edu
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost indiana.edu
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30876
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;indiana.edu. IN A
;; ANSWER SECTION:
indiana.edu. 3534 IN A 129.79.78.193
indiana.edu. 3534 IN A 129.79.78.192
;; AUTHORITY SECTION:
indiana.edu. 3534 IN NS dns1.illinois.edu.
indiana.edu. 3534 IN NS dns1.iu.edu.
indiana.edu. 3534 IN NS dns2.iu.edu.
;; ADDITIONAL SECTION:
dns1.iu.edu. 172734 IN A 134.68.220.8
dns1.illinois.edu. 172734 IN A 130.126.2.100
dns1.illinois.edu. 172734 IN AAAA 2620:0:e00:b::53
dns2.iu.edu. 172734 IN A 129.79.1.8
dns2.iu.edu. 172734 IN AAAA 2001:18e8:2:8::10
;; Query time: 4 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Jun 20 14:12:04 EDT 2016
;; MSG SIZE rcvd: 245
Note: the ;; SERVER: line should show the localhost IP address.
Install rsync¶
Configure rsync to download the NOD rbldns data files¶
Become the nod user to setup rsync¶
Create an SSH configuration file¶
Create an SSH configuration file to be used with the rsync process.
Copy and paste the following, replacing username with the username given to you by Farsight Security:
Host rsync.dns-nod.net
    User username
    IdentityFile ~/.ssh/farsight_security
    HostKeyAlias rsync.dns-nod.net
    Port 49222
Create directories¶
Create directories to store the NOD DNSBL files and binaries, including /home/nod/data/nod/v1, the destination used by the rsync script below. The result should look like:
$ ls -l /home/nod/
total 8
drwxr-xr-x 2 nod nod 4096 Jun 21 13:34 bin
drwxr-xr-x 3 nod nod 4096 Jun 21 13:33 data
Create a bin directory in /home/nod¶
bash script¶
Create a bash script, /home/nod/bin/nod-rsync.sh, to rsync the NOD DNSBL data from Farsight Security. This script uses /usr/bin/flock to ensure that multiple rsync commands never run concurrently: the cron job below invokes it every minute, so a slow transfer must not be overlapped by the next run.
Copy and paste the following:
#!/bin/bash
set -e
# flock -n: if the previous run still holds the lock, exit at once instead of waiting.
# The lock is taken on the bin directory itself, so no separate lock file is needed.
/usr/bin/flock -n /home/nod/bin -c "/usr/bin/rsync -tq -e ssh --timeout=10 -az \
rsync.dns-nod.net:nod/v1/nod.rbldnsd /home/nod/data/nod/v1"
Populate the SSH known_hosts file¶
Populate the SSH known_hosts file with the host key for rsync.dns-nod.net so that the unattended rsync run is not blocked by a host-key prompt.
Test the rsync shell script¶
Verify nod.rbldnsd was fetched correctly¶
# Newly-Observed Domains List
# (c) 2016 Farsight Security Inc. https://www.farsightsecurity.com
# All rights reserved.
# Sales inquiries to sales@farsightsecurity.com
# Technical support requests to nod@farsightsecurity.com
# Published by nod2 running version 1.26.0 at 2016-06-30T12:51:55.294865+00:00
$SOA 86400 a.ns.dns-nod.net nod-admin.fsi.io. 1467291115 600 300 86400 300
$TIMESTAMP 2016:06:30:12:51:55
# $NS 86400 a.ns.dns-nod.net b.ns.dns-nod.net
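The header lines above carry two publication markers: the $SOA serial and the $TIMESTAMP. In this sample they agree, since 2016-06-30 12:51:55 UTC as Unix time is 1467291115, the SOA serial. That makes a cheap freshness probe possible: if rsync stops working (expired key, blocked port, changed host key), rbldnsd keeps serving a file whose $TIMESTAMP no longer advances. The following is an added example, not part of the tutorial; it parses those two header lines with plain shell arithmetic (no GNU date dependency), using a constructed copy of the sample header for its demo run:

```shell
#!/bin/sh
# Added example, not part of the Farsight tutorial: freshness checks on a
# fetched nod.rbldnsd file, based on its $SOA and $TIMESTAMP header lines.

# Constructed copy of the header shown in the tutorial, used for the demo run.
NOD_SAMPLE_HEADER='# Newly-Observed Domains List
$SOA 86400 a.ns.dns-nod.net nod-admin.fsi.io. 1467291115 600 300 86400 300
$TIMESTAMP 2016:06:30:12:51:55
# $NS 86400 a.ns.dns-nod.net b.ns.dns-nod.net'

# Y M D h m s (UTC, no leading zeros) -> Unix epoch in plain shell arithmetic,
# so the check works without GNU date (days-from-civil algorithm).
civil_to_epoch() {
  y=$1 m=$2 d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  days=$(( era * 146097 + doe - 719468 ))
  echo $(( days * 86400 + $4 * 3600 + $5 * 60 + $6 ))
}

# Publication time of a nod.rbldnsd file ($1 = path, or "-" for stdin) as epoch,
# taken from the "$TIMESTAMP YYYY:MM:DD:hh:mm:ss" line.
nod_timestamp_epoch() {
  ts=$(grep -m1 '^\$TIMESTAMP ' "$1" | cut -d' ' -f2)
  [ -n "$ts" ] || return 1
  oldifs=$IFS; IFS=:; set -- $ts; IFS=$oldifs
  [ $# -eq 6 ] || return 1
  civil_to_epoch "$1" "${2#0}" "${3#0}" "${4#0}" "${5#0}" "${6#0}"
}

# SOA serial (5th field of the $SOA line). In the sample header it equals the
# $TIMESTAMP expressed as Unix time, so the two can be cross-checked.
nod_soa_serial() {
  grep -m1 '^\$SOA ' "$1" | awk '{ print $5 }'
}

# Succeed if the file was published no more than $2 seconds before $3 (epoch "now").
nod_is_fresh() {
  pub=$(nod_timestamp_epoch "$1") || return 2
  age=$(( $3 - pub ))
  [ "$age" -ge 0 ] && [ "$age" -le "$2" ]
}

# Demo on the constructed header. On a real host, e.g. from cron:
#   nod_is_fresh /home/nod/data/nod/v1/nod.rbldnsd 900 "$(date +%s)" || echo "NOD data stale"
printf '%s\n' "$NOD_SAMPLE_HEADER" | nod_timestamp_epoch -   # prints 1467291115
```

The agreement between serial and timestamp is what the sample shows, not a documented guarantee, so `nod_is_fresh` relies only on $TIMESTAMP; `nod_soa_serial` is provided for the cross-check. A threshold of a few times the cron interval keeps a single slow transfer from raising a false alarm.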
Log out of the nod user again¶
Create a cron job to run the rsync script every minute¶
Copy and paste the following
#!/bin/sh
# /etc/cron.d/nod-rsync: Farsight NOD rsync script
* * * * * nod /bin/bash /home/nod/bin/nod-rsync.sh
Update the permissions of the file
Install and configure rbldnsd¶
Install rbldnsd¶
Configure rbldnsd¶
Copy and paste the following to the bottom of the file:
Start rbldnsd¶
Test rbldnsd¶
Test rbldnsd to verify it is serving Farsight NOD DNSBL data correctly.
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost -p 5053 8.test.dns-nod.net.v1.bl.dns-nod.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;8.test.dns-nod.net.v1.bl.dns-nod.net. IN A
;; ANSWER SECTION:
8.test.dns-nod.net.v1.bl.dns-nod.net. 300 IN A 127.0.0.8
;; Query time: 3 msec
;; SERVER: ::1#5053(::1)
;; WHEN: Thu Jun 30 18:12:36 EDT 2016
;; MSG SIZE rcvd: 70
Test BIND¶
Test BIND to verify it is forwarding the v1.bl.dns-nod.net zone correctly.
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost 8.test.dns-nod.net.v1.bl.dns-nod.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;8.test.dns-nod.net.v1.bl.dns-nod.net. IN A
;; ANSWER SECTION:
8.test.dns-nod.net.v1.bl.dns-nod.net. 300 IN A 127.0.0.8
;; AUTHORITY SECTION:
...
...
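The two dig tests above check the same thing from two sides: rbldnsd itself on port 5053, and BIND forwarding to it on port 53, both answering 127.0.0.8 for the test name. As an added example (not the tutorial's own code), the following shell helper automates that comparison for any hostname, assuming the layout used here (rbldnsd on 127.0.0.1:5053, BIND on 127.0.0.1:53, zone v1.bl.dns-nod.net). It also flags an answer outside 127.0.0.0/8, which is what you see when the forward zone is missing and the query was answered by something other than rbldnsd:

```shell
#!/bin/sh
# Added example, not part of the Farsight tutorial.
NOD_ZONE=v1.bl.dns-nod.net

# Build the DNSBL query name: lower-case the hostname, drop a trailing dot,
# append the zone (e.g. "Example.COM." -> example.com.v1.bl.dns-nod.net).
nod_qname() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  h=${h%.}
  printf '%s.%s\n' "$h" "$NOD_ZONE"
}

# Classify the A records returned by "dig +short" (one address per line):
#   listed     - every answer is in 127.0.0.0/8, the usual DNSBL convention
#   not-listed - no answer at all (NXDOMAIN or empty)
#   unexpected - an answer outside 127.0.0.0/8, or a dig error message: the
#                query was most likely not answered by rbldnsd
nod_classify() {
  [ -n "$1" ] || { echo not-listed; return 0; }
  verdict=listed
  for a in $1; do
    case "$a" in
      127.[0-9]*.[0-9]*.[0-9]*) ;;
      *) verdict=unexpected ;;
    esac
  done
  echo "$verdict"
}

# Query one server: $1 hostname, $2 server address, $3 port. Prints the verdict.
nod_lookup() {
  answer=$(dig +short +time=2 +tries=1 @"$2" -p "$3" "$(nod_qname "$1")" A)
  nod_classify "$answer"
}

# Compare the answer straight from rbldnsd with the answer via BIND.
# Succeeds only if both say "listed"; the default name is the tutorial's
# test entry, which the dig output above shows as 127.0.0.8 on both paths.
nod_verify_forwarding() {
  name=${1:-8.test.dns-nod.net}
  direct=$(nod_lookup "$name" 127.0.0.1 5053)
  via_bind=$(nod_lookup "$name" 127.0.0.1 53)
  echo "rbldnsd: $direct  bind: $via_bind"
  [ "$direct" = listed ] && [ "$via_bind" = listed ]
}

# Usage on the configured host:  nod_verify_forwarding || echo "DNSBL forwarding broken"
nod_qname "8.test.dns-nod.net"
```

A mismatch where rbldnsd says listed and BIND says not-listed or unexpected points at the forward zone (missing, wrong port, or BIND not restarted); unexpected on both sides usually means rbldnsd is not answering at all.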
Troubleshooting¶
You should see messages like this in /var/log/syslog if rsync and rbldnsd are configured correctly