dnsbl – Don't fear the penguin

Today @hakmem tweeted a blog post by John Levine entitled «Why DNS blacklists don’t work for IPv6 networks«.

Why DNS blacklists don't work for IPv6 networks http://ff.im/-uuxpF

— Yiorgos Adamopoulos (@hakmem) November 29, 2010

I find the last paragraph very interesting:

For the most part mail systems simply won’t use IPv6 addresses, since all the mail that anyone wants will continue to be sent using IPv4.

How do you define «All the mail that anyone wants» ?
What I want in my email, is not always what another person wants.

Why will it continue to be sent using IPv4, when every dual-stack server that runs an MTA these days *prefers* IPv6 transport when it is available?

Τι κάνεις όταν θέλεις να δεχτείς mail από κάποιο IP που είναι listed σε κάποια dnsbl και δε μπορείς να το βγάλεις;

Το κάνεις whitelist στον mail server ή στο antispam software που χρησιμοποιείς..

Κι αν το whitelisting δε δουλεύει ή δεν έχεις τον έλεγχο τους;

Τότε κάνεις bypass το dnsbl listing, γιατί έχεις έλεγχο του DNS server που χρησιμοποιούνε!

Εστω ότι το listed IP είναι το 193.194.195.196, και είναι listed στην bl.spamcop.net.

$ host 196.195.194.193.bl.spamcop.net
196.195.194.193.bl.spamcop.net has address 127.0.0.2

Φτιάχνεις ένα κενό zone file στον DNS σαν το παρακάτω

$ cat etc/noblacklist.zone

$TTL 86400
;
;name   addr-cl SOA     Origin  Person in charge
;
@       IN      SOA     localhost.  root.localhost. (
                        2008011600   ; Serial
                        21600        ; Refresh 6 hours
                        3600         ; Retry 1 hours
                        3600000      ; Expire 41 days 16 hours
                        172800     ) ; Minimum 2 days
                                IN      NS      localhost.

Στο etc/named.conf του bind δηλώνεις το παρακάτω:

zone "195.194.193.bl.spamcop.net" {
                type master;
                file "/etc/noblacklist.zone";
};

Κάνεις reconfig στο bind και ως δια μαγείας ..δεν είσαι πλεον listed

$ host 196.195.194.193.bl.spamcop.net
Host 196.195.194.193.bl.spamcop.net not found: 3(NXDOMAIN)

follow me on twitter

RT @hsoc: Merry Christmas @hellasdirect 🎅🎄 https://t.co/V7xxbjw9YS 1 year ago

RT @bad_packets: It's not DNS There's no way it's DNS It was DNS twitter.com/BleepinCompute… 1 year ago

RT @PowerDNS_Bert: Dear EU: Cyber security is important, but please don’t #RuinTheRoot by regulating the non-essential entities that run th… 1 year ago

RT @_argp: BugTraq Shutdown, end of an era: "At this time, resources for the BugTraq mailing list have not been prioritized, and this will… 2 years ago

RT @jpmens: IT WASN’T DNS twitter.com/atoonk/status/… 2 years ago

RT @fanf: “For the first time, nginx is in use by more web-facing computers than any other web server, including Apache” https://t.co/rscQy… 2 years ago

RT @skaragiannis: In case you missed it https://t.co/X3FUqYZYqZ 2 years ago

RT @QuinnyPig: The best part about this question is that (aside from the third answer's "single digit millisecond latency") I can make it d… 3 years ago

RT @ripencc: Today, at 15:35, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now ru… 3 years ago

RT @hellasdirect: Sotiris Tsimbonis, our infrastructure and automation lead, has been with us from day 1. Today, we are proud to see him ex… 3 years ago

Follow @stsimb

Linux Weekly News

[$] Constant-time instructions and processor optimizations

Of all the attacks on cryptographic code, timing attacks may be among the most insidious. An algorithm that appears to be coded correctly, perhaps even with a formal proof of its correctness, may be undermined by information leaked as the result of data-dependent timing differences. Both Arm and Intel have introduced modes that are intended to help defend ag […]

corbet

Security updates for Friday

Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).

jake

The Document Foundation announces LibreOffice 7.5 Community

Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, […]

jake

Ekstrand: Exploring Rust for Vulkan drivers, part 1

Faith Ekstrand begins an exploration of using the Rust language to write Vulkan graphics drivers. Whenever a Vulkan object is created or destroyed, the parent object is passed to both the create and destroy functions. This ensures that the lifetime of the child object is contained within the lifetime of the parent object. In Rust terms, this means it's […]

corbet

OpenSSH 9.2 released

OpenSSH 9.2 has been released. It includes a number of security fixes, including one for a pre-authentication double-free vulnerability that the project does not believe is exploitable. Other new features include support for channel-inactivity timeouts, better control over sftp protocol parameters, and more.

corbet

GNU C Library 2.37 released

Version 2.37 of the GNU C Library has been released. This looks like a relatively low-key release, with the one "major new feature" described as: The getent tool now supports the --no-addrconfig option. The output of getent with --no-addrconfig may contain addresses of families not configured on the current host i.e. as-if you had not passed AI_ADD […]

corbet

[$] Git archive generation meets Hyrum's law

On January 30, the GitHub blog carried a brief notice that the checksums of archives (such as tarballs) generated by the site had just changed. GitHub's engineers were seemingly unaware of the consequences of such a change — consequences that were immediately evident to anybody familiar with either packaging systems or Hyrum's law. Those checksums […]

corbet

Security updates for Thursday

Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).

jake

[$] LWN.net Weekly Edition for February 2, 2023

The LWN.net Weekly Edition for February 2, 2023 is available.

corbet

Go 1.20 released

Version 1.20 of the Go language has been released. We’re particularly excited to launch a preview of profile-guided optimization (PGO), which enables the compiler to perform application- and workload-specific optimizations based on run-time profile information. Providing a profile to go build enables the compiler to speed up typical applications by around 3– […]

corbet

	Michail στη Ελληνικά ή Αγγλικά;
	adamo στη Ελληνικά ή Αγγλικά;
	Michail στη Ελληνικά ή Αγγλικά;
	Michail στη Ελληνικά ή Αγγλικά;
	cvi going distribute… στη version control for important…
	bilias στη It’s a girl!
	Sotiris Tsimbonis στη It’s a girl!
	kioan στη It’s a girl!
	kzorba στη It’s a girl!
	Sotiris Tsimbonis στη It’s a girl!

Ετικέτα: dnsbl

Re: Why DNS blacklists don’t work for IPv6 networks

locally bypass dnsbl listing