
discuss - Re: [opennic-discuss] letit2 [.] bit blacklist

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Calum McAlinden <calum AT mcalinden.me.uk>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] letit2 [.] bit blacklist
  • Date: Wed, 02 Aug 2017 22:09:37 +0200

Yeah, I expected this would attract the slippery slope argument :)

Personally I don't think we would be doing this for Spamhaus or any other organisations, certainly not following their orders. I think it would be to ensure OpenNIC's servers aren't exploited by malicious people to control malware.

On 2 August 2017 22:00:44 CEST, Daniel Quintiliani <danq AT runbox.com> wrote:
I say we don't follow strangers' orders with this until Spamhaus gives us all a minimum wage payment.

--

-Dan Q


On Wed, 02 Aug 2017 15:57:52 -0400 (EDT), "Daniel Quintiliani" <danq AT runbox.com> wrote:

I can't help but think of the banned South Park episode where the character said something like "first we'll get rid of the stuff the Catholics don't like, then we'll get rid of the stuff the Muslims don't like, then eventually we won't exist at all!"

--

-Dan Q

On Wed, 2 Aug 2017 20:02:49 +0100, Calum McAlinden <calum AT mcalinden.me.uk> wrote:

I think that a blacklist preventing these domains from ever being
included in the zone would be a good idea. It could be published,
produced and reviewed democratically with full transparency. I would be
willing to produce some sort of web interface for this.

Would anyone be in favour of such a system? I sense that there is a lot of
opposition for any blocking of any kind, but it is important to
acknowledge that these domains would probably fall foul of OpenNIC
policies and be removed if they were OpenNIC TLDs. It would not make
OpenNIC any less democratic, and it is not much different to blocking on
individual T2s anyway.

On 02/08/17 18:44, Jeff Taylor wrote:
I received complaints today that outgoing emails are getting blocked by
spamhaus SBL due to resolving tehnomix.bit. The block is on a single IP
address with a /32 mask, so damage is limited but unfortunately still
causing a problem. For now this domain has been blackholed into
127.0.0.1. Anyone using ns1.co.us.dns.opennic.glue will be affected by
this.

Checking my logs, I've had 301,958 lookups on my servers in the past
11.5 hours. Apparently I screwed something up with my new internet
connection because my servers are supposed to require whitelisting but
they are answering all queries... gonna have to fix that!

Also of note... since the block is for a single IP address, I believe
the issue is that the DNS server is on the same IP as my mail server.
Unlike the others here, I did NOT receive any notice from spamhaus
regarding being blocked.

Now for anyone else in a bind that needs to blackhole a specific domain
name under BIND9, the process is fairly simple, but as mentioned
previously you want to be open about any such changes you make to
OpenNIC servers, and any such blocking is typically not allowed under
OpenNIC rules...

-----

First you want to create a zone file to handle generic entries:

-- db.blacklisted --
;
; Blacklisted domains that should be blocked from resolving
;
$TTL 3600
@       IN      SOA     ns1.example.com. hostmaster (
                        2017080200 ; serial
                        3600       ; refresh
                        180        ; retry
                        86400      ; expire
                        3600       ; default TTL
                        )
; NS data must be a host name, not an IP address
@       IN      NS      localhost.
; Explicit owner names so the apex and the wildcard each get both records
@       IN      A       127.0.0.1
*       IN      A       127.0.0.1
@       IN      AAAA    ::1
*       IN      AAAA    ::1


Next you need a config file for BIND9 to handle the entries:

-- /etc/bind/named.blacklisted --
zone "letit2.bit" {type master; file "/path/to/db.blacklisted";};
zone "tehnomix.bit" {type master; file "/path/to/db.blacklisted";};


And finally, add an include to your named.conf:
include "/etc/bind/named.blacklisted";


Reload bind, and check to see the results:
# dig tehnomix.bit @localhost

;; ANSWER SECTION:
tehnomix.bit. 3600 IN A 127.0.0.1






--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org



--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
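
An added example, not part of the original thread or of OpenNIC's tooling: one way to generate the /etc/bind/named.blacklisted stanzas shown above from a published, reviewed plain-text list, rejecting any entry that is not a plain host name so that a stray quote, brace or semicolon never reaches named.conf. The function names, the list format (one domain per line, '#' comments) and the ZONE_FILE variable are assumptions.

```shell
#!/bin/sh
# Added example: build BIND9 zone stanzas from a reviewed plain-text blocklist.
# ZONE_FILE is an assumption; the thread only gives "/path/to/db.blacklisted".
ZONE_FILE="${ZONE_FILE:-/path/to/db.blacklisted}"

# Reads one domain per line on stdin ('#' starts a comment) and prints one
# zone stanza per unique valid name. Names are lower-cased and a trailing dot
# is dropped before comparison. Invalid entries are reported on stderr and
# skipped instead of being written into the BIND configuration.
gen_blacklist_conf() {
    tr 'A-Z' 'a-z' |
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
    awk -v zf="$ZONE_FILE" '
        $0 == "" { next }
        {
            ok = (length($0) <= 253)
            n = split($0, label, ".")
            for (i = 1; i <= n && ok; i++)
                if (label[i] !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/ || length(label[i]) > 63)
                    ok = 0
            if (!ok) { print "skipping invalid entry: " $0 > "/dev/stderr"; next }
            if (!seen[$0]++)
                printf "zone \"%s\" {type master; file \"%s\";};\n", $0, zf
        }'
}

# Constructed sample list using the two domains named in the thread, plus one
# malformed entry that must not end up in the generated file.
sample_list() {
    cat <<'EOF'
# reviewed blocklist (constructed sample)
letit2.bit
Tehnomix.bit.     # trailing dot and mixed case are normalised
tehnomix.bit
bad";};zone.bit
EOF
}

# Typical use: write to a temporary file, validate it with named-checkconf,
# and only then move it into place and reload BIND:
#   sample_list | gen_blacklist_conf > named.blacklisted.new
```

Keeping the source list in version control alongside the generated file gives the published, reviewable record the proposal above asks for.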

