dnsbls -- a lightweight nameserver based on BDB
distributed as perl module Mail::SpamCannibal::DNSBLserver
dnsbls [options]...
There is no perl module for dnsbls. This is a documentation shell.
See the IPTables::IPv4::DBTarpit::Tools manpage
to manipulate and examine the dnsbls database(s).
dnsbls is a C daemon that is a specialized name server providing
DNSBL domain name services for the Mail::SpamCannibal set of programs from their
database implemented using the Berkeley DB database found
in all Linux distributions. dnsbls is configured for
concurrent use of the database, allowing similtaneous access and update
of the database by other applications.
dnsbls returns A, NS, MX, TXT, SOA, and optionally AXFR records about its
immediate environment and numeric records in its tarpit and blcontrib
databases. Ordinary A, NS, MX, and SOA records are returned for the
environment while unique A and TXT records are returned when queried about
numeric hosts.
query about 172.16.12.34 look up 34.12.16.172.bl.spamcannibal.com
127.0.0.2 added by this installation for spam violations 127.0.0.X added because it was found on another DNSBL list
TXT records are available for each numeric record returned. For return records of 127.0.0.2, a default message is returned that was specified with the command line -e option (more below). If the IP address is listed in the blcontrib database, then the text message found there is returned in the TXT message.
Typically, rather than query for an A record, a query for type ANY will return both the A record and the TXT record if the target IP address is found in the DNSBL's databases.
To build the dnsbls daemon type the following:
perl Makefile.PL make make test make install
To restore the default directory configurations type:
rm config.db
Adjust the permissions for ``dnsbls'' and its installation directories. This is not done automatically since it may involve system directories.
Copy <install/directory>/config/dnsbls.conf.sample to <install/directory>/config/dnsbls.conf
and edit the configuration to fit your site.
The Berkeley DB environment and databases can be created automatically. However it is recommend that you use the B<initdb.pl> script in the ..../Mail/SpamCannibal distribution directory. Adjust the permissions of the files and directories so that they are accessible by the various applications that will be using the information in the databases.
Lastly, copy rc.dnsbls to your startup directory so it is executed at boot up as:
rc.dnsbls start
Because the dnsbls daemon has only concurrent access to the
database, applications should not be written which use db->cursor
operations these can block dameon access for normal put and sync operations.
Instead, use repetitive read-by-record-number operations to gain sequential access
to the data.
The script sc_zoneload can be used to load a BIND zone file or a file created by the BIND 'dig' utility or the Net::DNS::ToolKit - dig.pl utility into the dnsbls database. Please note that ALL 127.0.0.2 RESPONSES ARE CONVERTED TO 127.0.0.3 unless the -e switch is used with this utility. See ``DNS query format'' above.
Berkeley DB 2.6.4 http://www.sleepycat.com/
for testing and sc_zoneload support
Net::DNS::Codes, version 0.06
Net::DNS::ToolKit, version 0.07
IPTables::IPv4::DBTarpit::Tools, version 0.11
Options: -z : Zone Name: bl.domain.com [default: this hostname] -n : Name Servers: abc.domain.com (Note 1) -N : same as -n, but sets host name (Note 1) -a : NS Address xxx.xxx.xxx.xxx [default: lookup via DNS] ...there can be more than one set of entrys -n : Another NS dul.domain.com (up to 15) -a : eth0 NS Address yyy.yyy.yyy.yyy -a : eth1 another NS Address (up to 10) -m : 10 mark preference for MX entry (Note 2)
-s : 60 : SOA negative caching interval -u : 43200 : SOA update/refresh interval -y : 3600 : SOA retry interval -x : 86400 : SOA expire -t : 10800 : SOA ttl/minimum
-c : SOA zone contact: contact@somewhere.com
-e : ERROR: this RBL's error message "http://....."; -b : Block AXFR transfers -L : Limit zonefile build transfer rate (default 200,000 cps) -C : Continuity (default allow zonefile discontinuity) -r : Alternate DB root directory [default: /var/run/dbtarpit] -i : Alternate tarpit DB file [default: tarpit] -j : Alternate contrib DB file [default: blcontrib] -k : Alternate evidence DB file [default: evidence]
-p : Port number [default: 53] -d : Do NOT detach process. -l : Log activity to syslog (Note 3) -v : Verbose logging to syslog -o : Output to stdout instead of syslog (Note 4) -V : Print version information and exit -T : Test mode - Print out debug info and exit -P : Enable promiscious reporting of contributed entries (Note 5) -g : Internal test flag - tcpmode, see ns.c, t/ns.t, CTest.pm::t_mode -h : Print this help information -? : Print this help information Note 1: Name servers must be specified on the command line since this is the server that will ultimately answer requests for NS information about this zone. If the name server is another host, you don't have to specify the IP address(es). If not specified on the command line, IP address(es) will be retrieved via a DNS query. Your resolver must work! Use the -N switch to set to SOA host name as well as the IP address reported for the dnsbls host. If not set in this manner, it will default to the host name. Multiple NS entries may be made (up to 15), each with multiple IP addresses (up to 10). IP address entries must follow their NS entry and appear before the next subsequent NS entry. Continuation lines may be used as a convenience if the line length gets too long Note 2: MX (mail server) records are entered in the same manner as NS records. The -m (NN) option is specified on the command line following either the name entry, -n foo.bar.com, or address entry, -a xx.xx.xx.xx, if used. Note 3: 'kill -USR1 <dnsbls_PID>' to toggle logging on and off. If logging was not enabled at start this sets the '-l' flag If logging (-l | -v) are set this saves the value and turns off logging If logging is presently toggled off it restores the saved level (-l | -v) Note 4: This sends log information to stdout rather than to syslog. This option also implies and sets the -d option (Do NOT detach process). Note 5: Entries contributed to the tarpit by remote DNSBL's are not normally reported by this DNSBL server. To do so would allow the addition of a blocked host to a network of contributing tarpit based DNSBL servers that could never be removed due to feed back between the servers. ENABLE this option only after careful consideration.
i.e. thishost.foo.bar.com
address(es) are not specified on the command line with
the -a option, they will be retrieved via a DNS query. Your resolver must
work!
Multiple NS or MX entries may be made (up to 15), each with multiple IP addresses (up to 10 each). See the entry for option -a below.
If an IP address is not specified for an NS or MX record, it will be retrieved using a DNS query.
Continuation lines may be used as a convenience if the line length gets too long.
i.e.
dnsbls -n ns1.spamcannibal.com -a 172.16.2.123 \
-a 192.168.3.4
i.e. dnsbls -n mx1.spamcannibal.com -m 10 -a 172.16.2.124 -m : 10 mark preference for MX entry (Note 2)
default 0
default 43200
default 3600
default 86400
default 10800
"ERROR: connection tarpited. See: http://www.my.blacklist.org";
dnsbls from answering AXFR requests. If you
wish to allow zone transfers or zone transfers to approved domains, it is
recommended that you run dnsbls behind a firewall and use a standard DNS
server as a secondary to provide service to the internet.
default 200,000 characters per second
This feature may be disabled by setting it to '0'
i.e. ... -L 0
The old -C behavior is not desirable for large zones because it is not practical for the database to remain static long enough for a complete zone dump. The behavior is deprecated, the -C flag is provided to retain the old behavior if for some strange reason you find it desirable.
(default: /var/run/dbtarpit)
dnsbls listens on. Default, standard DNS port 53.
dnsbls under the control of another process. This
keeps dnsbls from detaching and running as a daemon.
dnsbls activity to syslog.
dnsbls log information go to
stdout instead of the syslog. This option also sets ``-d''.
HUP logged if logging enabled, no action
TERM daemon exits
QUIT daemon exits
INT daemon exits
USR1 toggle logging
USR2 dump a zonfile to database home directory
with the name "[zonename].in". During
the dump, a temporary file named
"[zonename].in.tmp" is created
Usually used to increase database cache size.
Most of the configuration information that can be specified to
DB_ENV methods can also be specified using a configuration file.
If an environment home directory has been specified (done by default or
with the -r option to dnsbls) any file named DB_CONFIG in the
database home directory will be read for lines of the format NAME VALUE.
One or more whitespace characters are used to delimit the two parts of the line, and trailing whitespace characters are discarded. All empty lines or lines whose first character is a whitespace or hash (#) character will be ignored. Each line must specify both the NAME and the VALUE of the pair. The specific NAME VALUE pairs are documented in the Berkeley DB manual for the corresponding methods.
See: http://www.sleepycat.com/docs/ref/env/db_config.html
dnsbls and IPTables::IPv4::DBTarpit::Tools use the Berkeley DB database. The database is of type BTREE, opened for concurrent access and sequential record access. These database files have similar formats.
Files: tarpit, blcontrib
Key: 32 bit packed network address as produced by inet_aton
Data: tarpit
32 bit unsigned integer, number of seconds since 1-1-70
blcontrib
32 bit packed network address as produced by inet_aton
which is the return code (127.xxx.xxx.xxx IP address)
returned as the A record for the query followed by a
null byte, followed by a null terminated ascii string
usually containing the "ERROR" message to be issued by
an querying mail server. Additional data are appended
the record after the the second null for use by other
members of the spamcannibal tool suite.
example: 'blcontrib'
$data = pack("a4 x A* x",inet_aton('127.0.0.3'),
"Error: blacklisted by http://www.some-bl.com";;
($netaddr,$txt) = unpack("("a4 x a*",$data);
Database creation hints for 'C' api:
* environment flags *
u_int32_t eflags = DB_CREATE | DB_INIT_CDB | DB_INIT_MPOOL;
* db flags *
u_int32_t dflags = DB_CREATE;
u_int32_t info = DB_RECNUM;
DBTYPE type = DB_BTREE;
int mode = 0664;
environment and database open statements vary depending on the version of BerkeleyDB used. See the code in bdb.c for specifics.
Database creation hints for Perl api:
my %env = (
-Home => $self->{dbhome},
-Flags => DB_CREATE | DB_INIT_CDB | DB_INIT_MPOOL,
);
$self->{"_db_${db}"} = new BerkeleyDB::Btree
-Filename => $self->{dbfilename},
-Flags => DB_CREATE,
-Property => DB_RECNUM,
-Env => $self->{env}
or die "Cannot open database $db: $! $BerkeleyDB::Error\n" ;
NOTE: (in BIG LETTERS!)
Berkeley DB provides a ``1'' based numbering system for record numbers. i.e. the first record number is ``1''. By contrast, perl-BerkeleyDB is a ``0'' based numbering system with the first record number in the same database designated as ``0''. This means that a database read and written with the 'C' api will have its record numbers begin with ``1'' while the same database accessed with perl-BerkeleyDB will have record numbers starting with ``0''.
The IP address 127.0.0.0 is used in the ``tarpit'' database to store the serial number of the current SOA reported.
DNSBLserver may be used as a standalone DNS server by adding and removing data from the 'tarpit' and 'blcontrib' databases. DNSBL reports entries found in both 'tarpit' + 'blcontrib' only if the ``promiscous'' (-P) flag is enabled on startup.
i.e. rc.dnsbls start -P
However, the 'blcontrib' database is optional and is used only to provide custom 'A' and 'TXT' record responses for listed IP addresses.
'tarpit' contains the IP addresses of black listed. If there is no corresponding entry in 'blcontrib', then DNSBLserver will report an 'A' record of 127.0.0.2 and a TXT record returning the required default ERROR message that was supplied when the daemon was started.
If there is a corresponding 'blcontrib' for a 'tarpit' entry, then DNSBLserver will report 'A' and 'TXT' records based on the content of the 'blcontrib' record. This may be set to ``anything'', however, the server will not respond to queries about this IP address unless the ``promiscous'' (-P) flag is set on the command line at start up. The only exception is that the server always reports 127.xxx.xxx.xxx entries.
These code snippets demonstrate how to insert data into the DNSBLS database. See the sc_admin.pl script in the Mail::SpamCannibal distribution for a more comprehensive example.
The following assumptions are made:
The database environment directory dbhome /var/run/dbtarpit
primary database name 'tarpit'
secondary database name 'blcontrib'
#!/usr/bin/perl # script snippet to insert data
use IPTables::IPv4::DBTarpit::Tools qw(
inet_aton
);
my %db_config = (
dbhome => '/var/run/dbtarpit',
dbfile => ['tarpit'],
txtfile => ['blcontrib'],
}
my $tool = new IPTables::IPv4::DBTarpit::Tools %db_config;
# add IP with time stamp NOW
$tool->touch('tarpit',inet_aton('111.222.33.44'));
# unneeded if db_close follows immediately
$tool->sync('tarpit');
# or add custom time stamp
# $tool->touch('tarpit',inet_aton(111.222.33.44),1059928115);
###
# to add custom 'A' and 'TXT' response
$tool->put('blcontrib',inet_aton('111.222.33.44'),
pack("a4 x A* x",inet_aton('127.0.0.6'),
"Error: for removal see foo.bar.com")));
# unneeded if db_close follows immediately
$tool->sync('blcontrib');
###
# to delete a record
$tool->remove('tarpit',inet_aton('111.222.33.44'));
# unneeded if db_close follows immediately
$tool->sync('tarpit');
$tool->remove('blcontrib',inet_aton('111.222.33.44'));
# unneeded if db_close follows immediately
$tool->sync('blcontrib');
$tool->db_close();
Addition of an IP address to the data base where one already exists simply overwrites the old one. Attempted removal of a non-existent entry is harmless.
All of the above functions are also available in the 'C' library interface. See the man (1) pages for libdbtarpit.
... aahhh! now you come to the fun part.
See the Mail::SpamCannibal manpage
Used with dbtarpit, it ``eats'' the spammer for lunch. In less graphic
terms, SpamCannibal is a set of tools that helps you identify the
originating mail server for the spam message and add the offender's IP
address to the tarpit. There are ``trolling'' tools to allow you to check the
DNSBL databases for hits against dbtarpit's archive database and a host of
other goodies to help make life difficult for spammers. And of course, there
is this DNSBL server which will allow you to provide information about what IP
addresses are in your spam tarpit.
What happens to the spammer when his host hits the tarpit? Well... when a mass mailer hits the tarpit, the thread that is sending mail freezes and will not deliver any further spam until it is detached (usually manually) from the tarpit. Mail sending programs deliver a large number of addresses to the remote receiver which accepts the mail for those domains for which they have records while ignoring the rest. Tarpitting the sender has the effect of not only stopping the delivery of spam for YOUR domain, but all other domains which may be in the sending thread's output stream. Sure it's only one thread, but if there are lots of spam tarpits then lots of spam threads will get trapped and the cost of sending spam will rise. That's a GOOD thing :-)
I'm sure you can think of many other applications, but this one is on the top of my list.
Michael Robinton <michael@bizsystems.com>
Copyright 2003 - 2009, Michael Robinton <michael@bizsystems.com>
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.