
[opennic-dns-operations] Blacklisting to go with our whitelisting


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: [opennic-dns-operations] Blacklisting to go with our whitelisting
  • Date: Tue, 22 Jul 2014 13:18:31 -0600

As everyone is aware, we have recently added the ability to set up T2 servers which only accept whitelisted user IPs. To go along with this, it may also be useful to specifically blacklist a troublesome address.

I have been working on some code this morning, and wanted to highlight what I have set up...
- Blacklist entries may only be modified by T1/T2 operators (you have to be registered as an operator in LDAP, which is something I currently do manually. If you need to be listed, let me know.)
- There must be public oversight of blacklisted entries, therefore it has been configured to send a notification to this mailing list whenever a change is made
- The web page allows any user to search if their IP has been blacklisted. Removal is done by request and approval through the mailing list.
- Additions and removals may be performed by URL requests, exactly like whitelisting, however I have also added a browser component to the code so you may perform actions in a more user-friendly manner.

Note that I have only tested with IPv4 addresses, however IPv6 *should* work as well?

Access to the blacklist feature is through http://api.opennicproject.org/ip/dnsbl
As with whitelisting, you may use the URL to add entries in the form of: ?user=username&auth=auth_code&ip_address
If you use the web page to sign in, you may additionally specify a reason why you are adding an entry, which could be useful in weighing the evidence if a user asks for the ban to be lifted on their address.

Entries to the blacklist will follow the same rules as for whitelisting -- they will be automatically removed in 28 days if they do not get renewed. This should keep the blacklist trimmed down to only recent abuses.

Even if you don't use whitelisting, you may still benefit from blacklisting. To obtain the ACL file (BIND only), please see the wget example when you log in to the members page (if you are not currently listed as a T2 operator in LDAP you will not see the information -- again, just contact me off-list). The file will contain an entry for opennic_blacklist. If you are using both white and black listing, you will want to specify something like
{ !opennic_blacklist; opennic_whitelist; }
for your recursion and query allows... Deny the blacklist entries first before allowing the whitelist entries. Use similar logic for any other rules your setup may have.


Please keep in mind that the entries in the blacklist are live. I will put in a test entry immediately after this message so that everyone can see the format of the emails sent out. Hopefully we won't have to use this feature very often, but it should be a handy tool for when attacks come from a specific source. Let me know if you have any questions...
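As an added illustration, not code from this message or from the ACL file OpenNIC generates: a BIND 9 named.conf fragment showing the deny-before-allow ordering the message recommends, with the wrong ordering kept alongside as a comment for contrast. The acl bodies below are constructed samples standing in for the downloaded file; in a real setup they would come from the wget'd ACL file instead.

```conf
// Constructed stand-in for the ACL file fetched from the members page.
// The addresses are documentation ranges, not real entries.
acl opennic_whitelist {
    203.0.113.0/24;      // users who registered their IPv4 range
    2001:db8:10::/48;    // a registered IPv6 range
};
acl opennic_blacklist {
    203.0.113.77;        // a single abusive host that also sits inside the whitelisted /24
};

options {
    directory "/var/cache/bind";
    recursion yes;

    // A BIND address match list stops at the FIRST element that matches, so the
    // negated blacklist must come before the whitelist: 203.0.113.77 hits
    // !opennic_blacklist first and is refused even though it is inside the
    // whitelisted 203.0.113.0/24.
    allow-recursion { !opennic_blacklist; opennic_whitelist; };
    allow-query     { !opennic_blacklist; opennic_whitelist; };

    // Wrong ordering, shown only for contrast: with the whitelist first,
    // 203.0.113.77 matches opennic_whitelist and is allowed; the negated
    // blacklist element after it is never evaluated.
    // allow-recursion { opennic_whitelist; !opennic_blacklist; };

    // A server that does not use whitelisting but still wants to drop
    // blacklisted clients keeps "any" as the final, catch-all element:
    // allow-recursion { !opennic_blacklist; any; };
};
```

Run `named-checkconf` after editing to confirm the acl names referenced in `options` are all defined by the included file before they are used.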


