[rbldnsd] enhanced dnset

amos at treenetnz.com
Thu Nov 24 05:12:26 MSK 2005


> one feature I am going to add into rbldnsd is PCRE or similar
> support into dnset (probably dstype named as "dnsetenh" or something).
>
> I maintain dynamic/dhcp etc IP address list and list of dynamic/generic
> domains.  I checked what's left from CBL's 150000-200000 daily new trojans
> when you take out the dynamic ones and those having badly configured
> DNS...
>
> I am left with around 1000 IP addresses (around 99.5% rejected),
> of which more than 2/3 have the IP address in the PTR record as decimal,
> hex or roman(!!!).
> Most of these belong to telcos who don't know what kind of system
> the IP address belongs to so they don't use *.dsl.dyn.idiotisp.biz or
> something sane I could match with rbldnsd dnset.
>
> I started collecting these "generic" domainnames a week ago
> and list now has 1100 entries...
> For example:
> 216.145.224.209=216-145-224-209.dls.net
>
> So, I thought I could modify rbldnsd this way:
> in dnsetenh configuration file I give
> dls.net optionaltextrecordhere:\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dls\.net
>
> when rbldnsd gets query about 216-145-224-209.dls.net.dnsetenhdomainhere
> it finds that dls.net has TXT record "optionaltextrecordhere" and
> PCRE pattern "\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dls\.net"
> and it tries PCRE match for "216-145-224-209.dls.net".
> Pattern matches and rbldnsd gives out the TXT record
> optionaltextrecordhere.
> If it does not match, it gives out NXDOMAIN.
>
> if you don't want to give TXT record, use
> dls.net :\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dls\.net
> (PCRE pattern is always the latest field delimited by ':').
>
> Does this sound sane?
> Free tips'n'tricks?
>

It sounds like you are just wanting to complicate the '.dls.net' pattern
already existing in rbldnsd. You will need to give some thought to whether
it is better to simply use:
..dls.net   bad example
!www.dls.net
!.dyn.dls.net

If you are intent on going ahead with this, you would be best keeping
compatible with the file format and naming conventions used by the other
sets. That is to have the set name like pcreset, and the file format of:
<pattern> ((:code:)? txt)?

You could as or more easily hold the <pattern> alternates in a dictionary
tree and match down a branch in a single operation as doing it twice (base
name search, then pattern confirmation search) and that will remove the
unusual format of two patterns in each line.

Watch out for the infinite wildcard patterns though.

AJ
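
The two-step lookup proposed in the quoted message (base-name search, then pattern confirmation), as an added sketch that is not part of either message and is not rbldnsd code. It assumes the zone suffix has already been stripped from the query name, uses Python's re module in place of PCRE, and the names load_dnsetenh, lookup and the isp.example entry are constructed for illustration.

```python
import re

# Constructed sample in the proposed format: "<base> [txt]:<pattern>".
# The first line is the example from the thread; the second is made up.
SAMPLE_ZONE = r"""
dls.net optionaltextrecordhere:\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dls\.net
isp.example :host\d{1,3}\.pool\.isp\.example
"""

def load_dnsetenh(text):
    """Parse the proposed file format into {base_domain: (txt, regex)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        base, _, rest = line.partition(" ")
        # The pattern is always the last ':'-delimited field.
        txt, sep, pattern = rest.rpartition(":")
        if not sep or not pattern:
            raise ValueError(f"no pattern in line: {line!r}")
        # re.ASCII keeps \d to 0-9, as a hostname pattern expects.
        regex = re.compile(pattern, re.ASCII | re.IGNORECASE)
        table[base.lower()] = (txt.strip(), regex)
    return table

def lookup(table, qname):
    """Return the TXT string ("" if none) on a match, None for NXDOMAIN."""
    qname = qname.rstrip(".").lower()
    labels = qname.split(".")
    # Step 1: longest listed base domain that is a suffix of the query.
    for i in range(len(labels)):
        entry = table.get(".".join(labels[i:]))
        if entry is None:
            continue
        txt, regex = entry
        # Step 2: confirm with the pattern. fullmatch anchors both ends, so
        # a name that merely contains the pattern is not listed.
        return txt if regex.fullmatch(qname) else None
    return None
```

Python's re module has no match timeout, so patterns with unbounded nested wildcards would have to be rejected when the file is loaded rather than at query time.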



