November 22nd, 2014
Following on from performing basic DNS Lookups in Python, it’s relatively trivial to begin testing DNS Block Lists/Real Time Black Lists for blocked mail server IP addresses. To assist in preventing spam, a number of public and private RBLs are available. These track the IP addresses of mail servers that are known to produce spam, thus allowing recipient mail servers to deny delivery from known spammers.
RBLs operate over DNS. In order to test a RBL, a DNS query is made. As an example, zen.spamhaus.org is a popular RBL. If I wanted to test IP address 220.127.116.11 against the zen.spamhaus.org blocklist, I would reverse the octets in the IP address and then append ‘.zen.spamhaus.org’, i.e. 18.104.22.168.zen.spamhaus.org. I then perform an ‘A’ record lookup on said host:
root@w:~/tmp# host -t a 22.214.171.124.zen.spamhaus.org
Host 126.96.36.199.zen.spamhaus.org not found: 3(NXDOMAIN)
Excellent. IP 188.8.131.52 was not found in zen.spamhaus.org. NXDOMAIN is returned.
Now, to take a known spammer’s IP: 184.108.40.206:
Read the rest of this entry »
December 15th, 2008
I’m often asked for a copy of various zone files for Bind, that other users may use as a template. Here’s the zonefile for www.adampalmer.me/iodigitalsec:
@ IN SOA iodigitalsec.com. root.iodigitalsec.com. (
2008101023 ; Serial
172800 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Negative Cache TTL
IN NS ns3.apnichosting.com.
IN NS ns2.apnichosting.com.
IN MX 10 mail3.sasdataservices.com.
IN MX 100 mail2.sasdataservices.com.
IN MX 1000 backup-0.l3.iodigitalsec.com.
IN A 220.127.116.11
* CNAME iodigitalsec.com.
I’ll now cover each type of record briefly, and explain the ellusive decimal point.
The SOA or “start of authority” record indicates the domain name “iodigitalsec.com” and the email address of the domain administrator “email@example.com”, replacing the at symbol with a decimal point (this decimal point does not have the same meaning as those later on). There is only one SOA record allowed per domain. Contained within the SOA record is also a serial number, refresh, retry, expiry and TTL. The serial number is the ‘version’ of the zone. This is generally incremented each time the zone is updated. The refresh is used by the slave or secondary DNS server as an instruction on how often to update in seconds. The ‘retry’ is the length in seconds that the slave DNS server should wait before retrying to contact an unreachable primary DNS server. The expiry specifies how long until the slave DNS server stops responding to requests for this domain name, should the primary DNS server remain unreachable. If the primary DNS server becomes available again, the timer is reset. Lastly, the Negative TTL or ‘time to live’ value indicates how long the server will cache a NAME ERROR (NXDOMAIN) record. The longest permitted is 3h (10800 seconds).
On to the more simple records…
Read the rest of this entry »