[rbldnsd] Announce: experimental rbldnsd-0.994.92: EDNS0 and ACL support
Amos Jeffries
amos at treenetnz.com
Sun Apr 17 09:32:47 MSD 2005
Michael Tokarev wrote:
> Together with a bugfix 0.994b release, I also uploaded
> experimental (aka "pre") release 0.994.92, the code which will
> eventually become the 0.995 version. This is a development
> snapshot intended to show what's going on, for comments
> and testing, NOT for production usage.
>
<snip>
>
> Several words about ACLs. The thing looks like:
>
> rbldnsd ... bl.ex.com:ip4set:bldata bl.ex.com:acl:acldata ...
>
> I.e., there's a new dataset type named "acl", which is NOT included in
> the zone, but instead controls which clients receive which treatment.
> Only one acl-type dataset can be specified for a given zone (rbldnsd
> will complain if more are specified). It is possible to specify
> global acl too, by omitting the zone name, like:
>
> rbldnsd ... bl.ex.com:ip4set:bldata :acl:acldata ...
>
> (note the leading colon before "acl...").
>
> The content of the `acldata' file is much like that of ip4trie, i.e.,
> CIDRs and "values", where "value" can be one of:
>
> :ignore -- to mean ignore all queries made from the given CIDR
> :refuse -- to mean refuse all queries from the given range
> :empty -- for queries from the range, pretend no entries are
> listed in a dnsbl at all
> usual_A+TXT_template -- always return this template to valid
> dnsbl queries made from the given range.
>
Two questions:
1) If we supply an ACL file that is essentially a zone file with a
default ACL response at the top, will it be accepted as a valid ACL
(without a response type on each line)?
ie:
#deny ACL
:refuse
127.0.0.0/8
10.0.0.0/8
252.0.0.0/8
# end ACL
2) One of the best uses of ACL is to deny DDoS from zombies.
In that case might it be simpler to have an entry like
" $ACL <zone> <action> " as a single dataset ACL?
meaning, that any client listed in the dataset <zone> has <action> done
to its queries.
> The first two terminate processing immediately - rbldnsd either
> "forgets" about the packet or just returns REFUSED, without
> looking further.
>
> But the last two are more "intelligent": rbldnsd tries to determine
> whether the query was for DNSBL data (all "real" dnsbl datasets --
> ip4set, ip4tset, ip4trie, dnset) or for metadata, including the generic
> dataset and all the normal NS+SOA records. In the latter case,
> rbldnsd still constructs the reply as if there was no ACL. But
> if it was a valid DNSBL query, result will contain no A+TXT data
> at all (even if the object/entry being queried is in fact listed)
> or will contain A+TXT specified by the ACL (even if the entry is
> not listed, or listed with different data).
>
> In the latter case ("pretend-all-listed"), $-substitutes are made
> using the IP address of the client, not the one contained in the
> query.
>
> For now, the ACL system only supports IPv4 addresses. IPv6 addresses
> will be supported together with the first ip6something dataset,
> in some probably distant future.
>
> This whole ACL stuff is new, and is subject to changes/refinements.
> I don't yet know whether the current functionality fits current (and
> especially future ;) demands. Comments are welcome.
>
> As usual, rbldnsd homepage is at
> http://www.corpit.ru/mjt/rbldnsd.html
> All prereleases are at
> http://www.corpit.ru/mjt/pre/
>
> /mjt
> _______________________________________________
> rbldnsd mailing list
> rbldnsd at corpit.ru
> http://www.corpit.ru/mailman/listinfo/rbldnsd
>
Amos Jeffries
amos at treenetnz.com
021 293 4049
Treehouse Networks Ltd
www.treenetnz.com
--
We are fast approaching the time when "packets from a M$ operating
system" is synonymous with "hostile behavior".
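To make the quoted ACL rules concrete, here is a small model of the acl dataset as the announcement describes it: CIDR entries carrying one of :ignore, :refuse, :empty or an A+TXT template, longest-prefix matching on the client address, and the "metadata queries pass through, DNSBL queries get the ACL's answer" behaviour for the last two values. This is an added illustration written for this page, not rbldnsd code, and it is Python rather than C. It also models Amos's question 1, treating a bare ":value" line as the default for the entries below it; that rbldnsd accepts this for acl is an assumption (the other ip4 datasets accept default-value lines in that shape), and the sample ACL text is constructed, not taken from any project file.

```python
"""Model of the rbldnsd acl dataset described in the announcement (added example, not rbldnsd code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPECIAL = {":ignore", ":refuse", ":empty"}

# Constructed sample ACL file (not from the project). The leading ":refuse"
# line is modelled as a default applying to the CIDRs below it, which is the
# behaviour asked about in question 1 and is an assumption here.
SAMPLE_ACL = """\
# deny ACL (constructed example)
:refuse
127.0.0.0/8
10.0.0.0/8
192.0.2.0/24 :empty
192.0.2.7 :ignore
198.51.100.0/24 127.0.0.2:acl-test-from-$
"""


@dataclass
class AclEntry:
    net: ipaddress.IPv4Network
    value: str  # one of SPECIAL or an "A:TXT" template


def parse_acl(text: str) -> List[AclEntry]:
    """Parse acl dataset text: 'CIDR [value]' lines, '#' comments, ':value' default lines."""
    entries: List[AclEntry] = []
    default: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(":"):
            # default-value line: ":refuse" or ":127.0.0.2:some text" (assumed accepted for acl)
            default = line if line in SPECIAL else line[1:]
            continue
        parts = line.split(None, 1)
        cidr = parts[0] if "/" in parts[0] else parts[0] + "/32"
        value = parts[1].strip() if len(parts) == 2 else default
        if value is None:
            raise ValueError(f"no value and no default for {cidr!r}")
        entries.append(AclEntry(ipaddress.IPv4Network(cidr, strict=False), value))
    return entries


def lookup(entries: List[AclEntry], client_ip: str) -> Optional[AclEntry]:
    """Most specific (longest prefix) entry containing client_ip, or None."""
    addr = ipaddress.IPv4Address(client_ip)
    best = None
    for e in entries:
        if addr in e.net and (best is None or e.net.prefixlen > best.net.prefixlen):
            best = e
    return best


def treatment(entries: List[AclEntry], client_ip: str, dnsbl_query: bool,
              listed_value: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide what the server does with one query, following the announcement's rules.

    dnsbl_query   -- True for a DNSBL-data name (ip4set etc.), False for metadata (SOA/NS, generic)
    listed_value  -- the A+TXT the real dataset holds for the queried entry, or None if unlisted
    Returns ("drop", None), ("refused", None) or ("answer", a_txt_or_None).
    """
    e = lookup(entries, client_ip)
    if e is None:  # client not in the ACL: normal processing
        return ("answer", listed_value if dnsbl_query else "metadata")
    if e.value == ":ignore":
        return ("drop", None)  # packet is silently forgotten
    if e.value == ":refuse":
        return ("refused", None)  # RCODE REFUSED, no further lookup
    if not dnsbl_query:
        return ("answer", "metadata")  # :empty and templates leave NS/SOA/generic data alone
    if e.value == ":empty":
        return ("answer", None)  # pretend nothing is listed, even if it is
    # template: '$' is substituted with the client's address, not the queried one
    return ("answer", e.value.replace("$", client_ip))


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip, q in [("10.1.2.3", True), ("192.0.2.5", True), ("192.0.2.5", False),
                  ("192.0.2.7", True), ("198.51.100.9", True), ("203.0.113.1", True)]:
        print(ip, "dnsbl" if q else "meta", treatment(acl, ip, q, "127.0.0.2:listed"))
```

The /32 entry for 192.0.2.7 wins over the surrounding /24, which is the check a defender wants before deploying such a file: an :ignore or :refuse that shadows a broader :empty range is easy to miss when the default sits at the top of the file.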