DNS Black List / RBL Checking in Python

November 22nd, 2014

Following on from performing basic DNS Lookups in Python, it’s relatively trivial to begin testing DNS Block Lists/Real Time Black Lists for blocked mail server IP addresses. To assist in preventing spam, a number of public and private RBLs are available. These track the IP addresses of mail servers that are known to produce spam, thus allowing recipient mail servers to deny delivery from known spammers.

RBLs operate over DNS. In order to test a RBL, a DNS query is made. As an example, zen.spamhaus.org is a popular RBL. If I wanted to test IP address against the zen.spamhaus.org blocklist, I would reverse the octets in the IP address and then append ‘.zen.spamhaus.org’, i.e. I then perform an ‘A’ record lookup on said host:

root@w:~/tmp# host -t a
Host not found: 3(NXDOMAIN)

Excellent. IP was not found in zen.spamhaus.org. NXDOMAIN is returned.

Now, to take a known spammer’s IP:
Read the rest of this entry »

A BIND9 zonefile and commentary

December 15th, 2008

I’m often asked for a copy of various zone files for Bind, that other users may use as a template. Here’s the zonefile for www.adampalmer.me/iodigitalsec:

$TTL 604
@       IN      SOA      iodigitalsec.com. root.iodigitalsec.com. (
2008101023        ; Serial
172800         ; Refresh
900         ; Retry
1209600         ; Expire
3600 )       ; Negative Cache TTL
IN      NS      ns3.apnichosting.com.
IN      NS      ns2.apnichosting.com.
IN      MX      10      mail3.sasdataservices.com.
IN      MX      100     mail2.sasdataservices.com.
IN      MX      1000    backup-0.l3.iodigitalsec.com.
IN      A
*                       CNAME   iodigitalsec.com.

I’ll now cover each type of record briefly, and explain the ellusive decimal point.

The SOA or “start of authority” record indicates the domain name “iodigitalsec.com” and the email address of the domain administrator “root@iodigitalsec.com”, replacing the at symbol with a decimal point (this decimal point does not have the same meaning as those later on). There is only one SOA record allowed per domain. Contained within the SOA record is also a serial number, refresh, retry, expiry and TTL. The serial number is the ‘version’ of the zone. This is generally incremented each time the zone is updated. The refresh is used by the slave or secondary DNS server as an instruction on how often to update in seconds. The ‘retry’ is the length in seconds that the slave DNS server should wait before retrying to contact an unreachable primary DNS server. The expiry specifies how long until the slave DNS server stops responding to requests for this domain name, should the primary DNS server remain unreachable. If the primary DNS server becomes available again, the timer is reset. Lastly, the Negative TTL or ‘time to live’ value indicates how long the server will cache a NAME ERROR (NXDOMAIN) record. The longest permitted is 3h (10800 seconds).

On to the more simple records…
Read the rest of this entry »