try to create manually updating RBL on 2000 DNS


Jeremy Sun

I have to admit that I have no idea how to create a realtime black lists or
what an RBL really is.

I have done the following:

Part 1
1) Set up DNS on a standalone 2000 server
2) Create a Forward Zone and name it say, "blackhole"
3) Download a zone list from the www.blackholes.us
4) Update the entries into c:\winnt\system32\dns\blackhole.dns according to
the list by a simply cut and paste
5) Refresh the zone
6) Everything looks good

Part 2
1) Update my email software which was previously working with 3 other public
rbl lists
2) remove 1 least-used public list and add my DNS (the same computer so I
just type in 127.0.0.1)
3) unblock (by name) certain rubbish mail whose IPs I am sure are on my
new DNS

.... and these rubbish mails get through, ignoring my new settings

Now suppose that I did not do anything wrong in Part 2.

Question

1) Am I an idiot to assume the "RBL base on DNS theory" is equal to "RBL is
the same as DNS servicing difference clients"?
2) Did I do something wrong in Part 1?
3) Any information you can point me to, related to RBL and Windows DNS that
does NOT involve Exchange server?

Many many thanks,
Jeremy
 
Jeremy Sun said:
I have to admit that I have no idea how to create a realtime black lists or
what an RBL really is.

Then you probably do NOT want to "create" one but
rather use an existing one.

While it is possible to create your own, you will likely
do better by using a (semi-)professionally maintained
list (or multiple lists.)
I have done the following:

Part 1
1) Set up DNS on a standalone 2000 server
2) Create a Forward Zone and name it say, "blackhole"

Ok, but a more normal name would be Blackhole.local
or even RBS.YourDomain.Com (a child of some other
domain)
3) Download a zone list from the www.blackholes.us
4) Update the entries into c:\winnt\system32\dns\blackhole.dns according to
the list by a simply cut and paste
5) Refresh the zone
6) Everything looks good

Then you do know how to create one <grin>
Part 2
1) Update my email software which was previously working with 3 other public
rbl lists
2) remove 1 least-used public list and add my DNS (the same computer so I
just type in 127.0.0.1)

No, you need to add that ZONE-domain name you used
above (BlackHole or a better name as per my suggestion).

The SMTP software will look up the IP + .ZoneName

And if this zone you created is NOT properly delegated
on the Internet/internetwork (like your BlackHole and
my example blackhole.local) then you must ensure that
your SMTP server uses the same DNS as holds the zone
(or one that will find the zone through delegation, forwarding,
etc.)
3) unblock (by name) certain rubbish mail whose IPs I am sure are on my
new DNS

I don't understand why you would "unblock ... rubbish" and not
the other way around, e.g., unblock good stuff, or block rubbish.
... and these rubbish mails get through, ignoring my new settings

Normally the presence of the record in the blackhole
list is what causes your SMTP to block it. (This depends
a BIT on the address-type of record and how sophisticated your
SMTP.)
Now suppose that I did not do anything wrong in Part 2.

Actually it is part 2 where you made at least one mistake
and may have that other (unblock) misunderstanding.
Question

1) Am I an idiot to assume the "RBL base on DNS theory" is equal to "RBL is
the same as DNS servicing difference clients"?

If I understood the above sentence I might be able to
answer <grin>.

But taking a guess and cleaning it up a bit: RBL is based
on DNS theory, but uses DNS in ways that are not common
outside of RBL, perfectly legal ways, but nevertheless quite
odd from a "classical DNS perspective."

The same can be said for Active Directory and DNS if you
take out the word "quite" and put in "a bit" (uncommon that is.)
2) Did I do something wrong in Part 1?

Probably not other than choosing a poor zone name
which may lead to misunderstandings AND the actual
error in part 2.
3) Any information you can point me to, related to RBL and Windows DNS that
does NOT involve Exchange server?

Why are you trying to run your "own RBL zone"?

Seriously, to make this work you will have to do
constant work on it.

I would understand better if you were just going to
add a FEW additional blocks that don't already
appear in your other (commercial/public) RBL
zones.
 
Still not working after making changes.

While it is possible to create your own, you will likely
do better by using a (semi-)professionally maintained
list (or multiple lists.)

I want to block some IP addresses. I figured having a semi-permanent IP
blocking list is a better idea than our current "sender name" blocking list
which is going over 6000 items while many of them are simply spoof-names.
Ok, but a more normal name would be Blackhole.local
or even RBS.YourDomain.Com (a child of some other
domain)

A good point. Actually I changed the zone name to the computer name (say,
let it be "ComputerName" for later reference) and made sure that when I
nslookup, say, IPd.IPc.IPb.IPa.ComputerName, I have a good reply, from the
smtp server. I have added a computerName.local zone. However when I tried to
ping computerName.local I have an unknown-computer reply. I guess it is
something to do with the difference between windows and unix/linux.
Then you do know how to create one <grin>

It is good to know that I have done the right thing.
No, you need to add that ZONE-domain name you used
above (BlackHole or a better name as per my suggestion).

Just did that. I put in "ComputerName".
The SMTP software will look up the IP + .ZoneName

And if this zone you created is NOT properly delegated
on the Internet/internetwork (like your BlackHole and
my example blackhole.local) then you must ensure that
your SMTP server uses the same DNS as holds the zone
(or one that will find the zone through delegation, forwarding,
etc.)

No. They aren't using the same DNS but since I can nslookup entries from the
rbl I guess it is ok.
I don't understand why you would "unblock ... rubbish" and not
the other way around, e.g., unblock good stuff, or block rubbish.

I didn't make myself clear. I stopped the "sender name" blocking list so that
rubbish mail will be tested against the new rbl.

..
..
..
If I understood the above sentence I might be able to
answer <grin>.

But taking a guess and cleaning it up a bit: RBL is based
on DNS theory, but uses DNS in ways that are not common
outside of RBL, perfectly legal ways, but nevertheless quite
odd from a "classical DNS perspective."

The same can be said for Active Directory and DNS if you
take out the word "quite" and put in "a bit" (uncommon that is.)

It was simply that I had no idea what a rbl is. I was not sure that I could
use a normal DNS to build up an rbl. Now I do.
Probably not other than choosing a poor zone name
which may lead to misunderstandings AND the actual
error in part 2.

Mmmmm... Now I got that fixed and something is still going wrong.
Why are you trying to run your "own RBL zone"?

Seriously, to make this work you will have to do
constant work on it.

I am already doing constant work on it... updating sender blocking list,
man...

Some IPs are definitely wanted to be blocked. You know, these spammers coming
from China is just crazy, but I can't simply block the whole damn thing.
I would understand better if you were just going to
add a FEW additional blocks that don't already
appear in your other (commercial/public) RBL
zones.

I am trying to block gmail. I figured no one from my domain received any
mails from gmail (yet) so I use my gmail account as my testing subject.

I will summarise my information below:

1) Windows 2000 standalone server with latest everything hot-fixed
2) the same server has a SMTP service with built-in spam detection / support
such as sender name blocking and rbl support
3) using another DNS on the network, before and after the rbl is setup.
4) I have this new rbl / dns setup in the same server.
5) rbl / dns zone name "ComputerName"
6) smtp rbl settings point to "ComputerName"
7) not working

Any more clue?
 
I have added a second zone called ComputerName.DomainName with the same
content as the first one.
Changed the rbl entry in my smtp server to ComputerName.DomainName.

I did a ping on ComputerName.DomainName and it looks ok.

I did an nslookup 201.184.233.64.ComputerName.DomainName and I am able to
get a reply. Name: 201.184.233.64.ComputerName.DomainName Address: 127.0.0.2

However mails coming from 64.233.184.201 are still getting through...
 
I did a little check with the DNS logs... no verification was ever done.

Then I notice that the smtp services rbl reference says "Real Time Blocking
List Domain Name".

May be I should point the DNS client to the local DNS server. Then forward
the DNS servers to the original DNS?
 
I have figured it out...

I need a reboot to get it working... service restart just won't do...

Anyway thanks for analyzing my process. That is a great help. I really
appreciate it.

Wish you a good day.

Best Regards,
Jeremy.
 
Jeremy Sun said:
Still not working after making changes.

Then you have likely done something wrong
in the zone configuration (based on your first
message.)
I want to block some IP addresses. I figured having a semi-permanent IP
blocking list is a better idea than our current "sender name" blocking list
which is going over 6000 items while many of them are simply spoof-names.

If you want to block IP addresses, you can just do that
with a filter like IPSec and your SMTP server will never
even see the connect request.

The main point of RBL is the "real time" -- it's that someone
is maintaining these lists on at least a day-to-day basis.

A good point. Actually I changed the zone name to the computer name (say,
let it be "ComputerName" for later reference)

Probably not a great name choice either.
Did you name it "computer" (single tag) or "computer.domain.com"?

Do the computer and especially the SMTP server use
this same machine for its DNS server?

If not, you must properly delegate the created zone
to this machine so that it will be found.

and made sure that when I
nslookup, say, IPd.IPc.IPb.IPa.ComputerName,

Why are you doing d->a, instead of a-d?

This is NOT a reverse zone.

Only reverse zones reverse the octets (for delegation
reasons.)

Some SMTP servers have a configuration for DNS
separate from the machine on which they run, check
to make sure your SMTP server is using the same
DNS as the NSLookup command is using.
I have a good reply, from the
smtp server. I have added a computerName.local zone.

Then you would have to put the names (IPs) in there
and tell the SMTP server to use "computername.local"
as its RBL.

If the zone is named "something.whatever" you tell
the SMTP server precisely that.
However when I tried to
ping computerName.local I have an unknown-computer reply.

There would need to be an A record for that
name in order to ping it (or a CNAME pointing
to an A-record with an IP.)
I guess it is
something to do with the difference between windows and unix/linux.

No, for the most part DNS is DNS.

(They have some different special features on the
two OSes, but the basic functionality and the concepts
are the same.)

So far, I haven't asked you which you are using since
it didn't matter to the answers I am giving you.

You don't seem to have some misconceptions
about zones and formatting the correct records
in those zone.
It is good to know that I have done the right thing.

Well your note in indicated that you couldn't create
the zone but #6 says everything looks good.

Just did that. I put in "ComputerName".

So you have a zone, the SMTP server can use "its" DNS
server (which may not be the same one) to find this zone.

The zone is listed in the SMTP server.

The zone contains A records with numbers like 127.0.0.1 etc.
(there are conventions for different values 1, 2, 3, etc.)

Those A records are the regular IP prefixed onto the zone
name.

No. They aren't using the same DNS but since I can nslookup entries from the
rbl I guess it is ok.

But you may have a separate DNS setting for the
SMTP server (some do for efficiency.)
I didn't make myself clear. I stopped the "sender name" blocking list so that
rubbish mail will be tested against the new rbl.

Oh, that makes sense. You removed some other filters
you were using -- filters unrelated to the RBL to test
the RBL.
It was simply that I had no idea what a rbl is. I was not sure that I could
use a normal DNS to build up an rbl. Now I do.

Yes. You did. It is just a DNS with specially populated
zones.
Mmmmm... Now I got that fixed and something is still going wrong.

I think you reversed the IP -- probably thinking of
reverse zones.
I am already doing constant work on it... updating sender blocking list,
man...

IPSec can block more effectively if you don't
wish to receive ANY (SMTP) traffic from them.

Why more effective? Your SMTP server will never
get the connection.

Your IPSec software will reject (actually IGNORE it)
immediately.

Some IPs are definitely wanted to be blocked. You know, these spammers coming
from China is just crazy, but I can't simply block the whole damn thing.

Right. IPSec can block on single IPs or class size ranges.
I am trying to block gmail. I figured no one from my domain received any
mails from gmail (yet) so I use my gmail account as my testing subject.

I use and send from Gmail. So does my wife.

GMail cannot be near the problem that Hotmail is.
(most of the early users had to obtain an invitation.)
I will summarise my information below:

1) Windows 2000 standalone server with latest everything hot-fixed
2) the same server has a SMTP service with built-in spam detection / support
such as sender name blocking and rbl support
3) using another DNS on the network, before and after the rbl is setup.

What does the above mean? "using Another DNS"?

You have to use the one with the RBL list OR the one
you use must be able to FIND the DNS server with that
RBL zone.
4) I have this new rbl / dns setup in the same server.

Ok, then you have your machine OR SMTP server itself
pointed strictly at the "same server" for DNS.
5) rbl / dns zone name "ComputerName"
6) smtp rbl settings point to "ComputerName"
7) not working

Any more clue?

Give me some examples of the addresses you wish to
block and the records you put into the zone?
 
Jeremy Sun said:
I have figured it out...

I need a reboot to get it working... service restart just won't do...

Not for DNS.

I cannot comment on your SMTP since you never
gave the software.

But most SMTP does not require such reboots.

Even starting/stopping the SMTP should not have
been necessary.
Anyway thanks for analyzing my process. That is a great help. I really
appreciate it.

It's working with REVERSED IPs names in the zone?
 
Still not working after making changes.
Then you have likely done something wrong
in the zone configuration (based on your first
message.)

Unlikely. However I got to admit that I am quite lost on why that didn't
work.
If you want to block IP addresses, you can just do that
with a filter like IPSec and your SMTP server will never
even see the connect request.

The main point of RBL is the "real time" -- it's that someone
is maintaining these lists on at least a day-to-day basis.

I am not familiar with IPSec... except that it is commonly used with VPN,
probably the next thing I am going to bump into.

The good thing about RBL is that it is quite 'dummy friendly' which means
that I can pass it on to somebody once it is up and running smoothly.
Probably not a great name choice either.
Did you name it "computer" (single tag) or "computer.domain.com"?
computer.domain.org

Do the computer and especially the SMTP server use
this same machine for its DNS server?
yes


Why are you doing d->a, instead of a-d?

This is NOT a reverse zone.

Only reverse zones reverse the octets (for delegation
reasons.)

I believed that that is how the request is sent to the rbl by an smtp server. I
was simulating the smtp action.
Some SMTP servers have a configuration for DNS
separate from the machine on which they run, check
to make sure your SMTP server is using the same
DNS as the NSLookup command is using.


Then you would have to put the names (IPs) in there
and tell the SMTP server to use "computername.local"
as its RBL.

If the zone is named "something.whatever" you tell
the SMTP server precisely that.

I did. It didn't work, I believe, for the same reason the original
zone didn't work, whatever the reason is.
There would need to be an A record for that
name in order to ping it (or a CNAME pointing
to an A-record with an IP.)

:P me bad.
No, for the most part DNS is DNS.

(They have some different special features on the
two OSes, but the basic functionality and the concepts
are the same.)
OK.

So far, I haven't asked you which you are using since
it didn't matter to the answers I am giving you.

You don't seem to have some misconceptions
about zones and formatting the correct records
in those zone.

I guess I am ok with the DNS concept... just don't give me a closed-book
exam.
Well your note in indicated that you couldn't create
the zone but #6 says everything looks good.

I have no idea why the zone computer.domain.org does not work. I setup
computer.local just to pass the time trying to figure out why I did not get
it right the first time... and missed the reverse entry all together. :P

However, I got the ping and I got the lookup from my computer.domain.org
zone. So it looks good.

I think I got to change the habit of skipping steps when I describe a
problem.
So you have a zone, the SMTP server can use "its" DNS
server (which may not be the same one) to find this zone.
yes

The zone is listed in the SMTP server.
yes

The zone contains A records with numbers like 127.0.0.1 etc.
(there are conventions for different values 1, 2, 3, etc.)
yes

Those A records are the regular IP prefixed onto the zone
name.

well. not regular. From what I know, rbl looks up names which LOOK like
reverse IPs. That is why the records go to the forward zone.

for example, if I want to block gmail (64.233.184.1-254, something like
that)

I need an entry

*.184.233.64.computer.domain.org IN A 127.0.0.2 (Bind)

or

*.184.233.64 A 127.0.0.2 (Windows 2000 DNS) in the zone file of
computer.domain.org

then when you nslookup 201.184.233.64.computer.domain.org you should get a
reply. When the smtp checks the rbl and receives a reply, it dumps the mail.
But you may have a separate DNS setting for the
SMTP server (some do for efficiency.)

A good point. I can always make the changes later.

..
..
..
I think you reversed the IP -- probably thinking of
reverse zones.

No. As I have said in my other replies. I rebooted and it works.

I was wondering may be if it has something to do with caching? May be it is
the SMTP service?

That is the result of being not familiar with the theory. When things go
wrong you don't have a clue.
IPSec can block more effectively if you don't
wish to receive ANY (SMTP) traffic from them.

Why more effective? Your SMTP server will never
get the connection.

Your IPSec software will reject (actually IGNORE it)
immediately.

Mmmmm. OK. I got IPSec on my list. The next thing (after this, after that)
to look into.

You sure that IPSec is a good idea on Windows 2000? I took a look at the
built-in support of IPSec and I did not find anything exciting.

Right. IPSec can block on single IPs or class size ranges.

How? on a windows 2000.
What does the above mean? "using Another DNS"?

You have to use the one with the RBL list OR the one
you use must be able to FIND the DNS server with that
RBL zone.

typo. "Was" using another DNS.
Ok, then you have your machine OR SMTP server itself
pointed strictly at the "same server" for DNS.
yes


Not for DNS.

I cannot comment on your SMTP since you never
gave the software.

But most SMTP does not require such reboots.

Even starting/stopping the SMTP should not have
been necessary.

Agree. I didn't recall rebooting when I set up my smtp server using public
rbl lists... a year ago.
It's working with REVERSED IPs names in the zone?

It is. I think it is just the rbl way of naming the IPs. I don't remember
where I got that.

So the name the smtp sent for rbl would be 4.3.2.1.rblzonename.rbldomainname
for IP 1.2.3.4
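The lookup the thread ends on, as an added example that is not from the original posts: the SMTP side builds the query name by reversing the octets and appending the zone name, and the DNS side answers from a forward zone whose owner names look like reversed IPs. The zone name computer.domain.org and the wildcard record *.184.233.64 A 127.0.0.2 are the ones quoted in the thread; the second record and the sample IPs are constructed for the demo, and the wildcard matching is a simplified model, not a full DNS resolver.

```python
import ipaddress

# Constructed sample zone for computer.domain.org, in the Windows 2000 DNS
# zone-file style quoted in the thread (relative owner names). The first
# record is the thread's own wildcard; the second is made up for the demo.
ZONE_NAME = "computer.domain.org"
ZONE_RECORDS = """
; owner            type  rdata
*.184.233.64       A     127.0.0.2
201.184.233.64     A     127.0.0.3
"""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name an SMTP server looks up: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_zone(text: str) -> dict:
    """Read 'owner type rdata' lines, keeping only A records."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        if rtype.upper() == "A":
            records[owner.lower()] = rdata
    return records


def resolve_a(qname: str, zone: str, records: dict):
    """Simplified A lookup: exact owner first, then a '*.' wildcard owner."""
    suffix = "." + zone.lower()
    q = qname.lower()
    if not q.endswith(suffix):
        return None                      # not our zone
    rel = q[: -len(suffix)]
    if rel in records:
        return records[rel]
    labels = rel.split(".")
    for i in range(1, len(labels)):      # '*' may cover one or more leading labels
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in records:
            return records[wildcard]
    return None


def is_listed(ip: str, zone: str, records: dict) -> bool:
    """True when the RBL answers with a 127.0.0.x code for this sender IP."""
    answer = resolve_a(dnsbl_query_name(ip, zone), zone, records)
    return answer is not None and answer.startswith("127.0.0.")


if __name__ == "__main__":
    recs = parse_zone(ZONE_RECORDS)
    for ip in ("64.233.184.201", "64.233.184.7", "8.8.8.8"):
        print(ip, dnsbl_query_name(ip, ZONE_NAME), is_listed(ip, ZONE_NAME, recs))
```

Looking up the octets in forward order (64.233.184.201.computer.domain.org) finds nothing in this zone, which is the mismatch the thread went back and forth on.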
 