Mike.MN
Full Stack PHP Developer / Systems Administrator / DevOps
Minneapolis, Minnesota, USA

DNS Multi-RBL

Created: 2011
Language: Bash
Software: Bind9 DNS Server

This simple script maintains an up-to-date multi-RBL Bind DNS zone built from the Tor exit node list and the Stop Forum Spam honeypot list. The service is essential for preventing spam and abuse on publicly accessible services such as signup forms and SMTP email. Almost 400,000 IP addresses are listed in the master zonefile. It includes configuration for adding IPs to a "whitelist" so they are never listed. This service is still live and operational today.

How it works
Usually the forum or email service provides a setting where you enter your custom list, in this case rbl.example.com.
To test, send a DNS query for the TXT record of the IP with its octets reversed, so 1.2.3.4 is looked up as 4.3.2.1.rbl.example.com. Like this:

mike@wopr ~$ dig +short txt 4.3.2.1.rbl.example.com
"dnsbl.stopforumspam RBL Listed - Spammer!"
"RBL Test was successful! - Not a real IP"
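The lookup a consuming service performs against a zone laid out like this one, as an added Python example (not the page's script, which only builds the zone): the octets are reversed and the zone name appended, the answer's 127.0.0.x code is mapped to a reason, and NXDOMAIN means "not listed". The return-code mapping comes from the two records shown on this page; the 10.0.0.1 entry in the fake zone is constructed so the check runs offline. The real resolver uses `socket.gethostbyname_ex`, which only returns the A record, so the TXT text is not fetched here.

```python
"""DNSBL client check for a zone laid out like rbl.example.com above."""
import ipaddress
import socket

# Codes the zone on this page returns in the A record (constructed from its
# two sample records; a real deployment publishes its own code list).
RETURN_CODES = {
    "127.0.0.1": "RBL test entry (not a real IP)",
    "127.0.0.2": "TOR exit node",
}


def query_name(ip: str, zone: str = "rbl.example.com") -> str:
    """Build the DNSBL lookup name: octets reversed, zone appended.

    1.2.3.4 -> 4.3.2.1.rbl.example.com. Parsing through ipaddress rejects
    hostnames, IPv6 and junk, so untrusted input can't smuggle in a
    different query name.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def default_resolver(name: str) -> list:
    """Resolve name to its A records; NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolver=default_resolver, zone: str = "rbl.example.com"):
    """Return (listed, reason).

    Any 127.0.0.x answer counts as a listing, even an unknown code. An answer
    outside 127/8 is ignored: it signals a wildcarded or broken zone, and
    treating it as a hit would block every client.
    """
    for answer in resolver(query_name(ip, zone)):
        if answer.startswith("127."):
            return True, RETURN_CODES.get(answer, f"listed with code {answer}")
    return False, "not listed"


# Constructed stand-in for the zone on this page so the check runs offline.
FAKE_ZONE = {
    "4.3.2.1.rbl.example.com": ["127.0.0.1"],   # the page's test record
    "1.0.0.10.rbl.example.com": ["127.0.0.2"],  # pretend 10.0.0.1 is a TOR exit
}


def fake_resolver(name: str) -> list:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("1.2.3.4", "10.0.0.1", "192.0.2.7"):
        print(ip, "->", check_ip(ip, fake_resolver))
```

Swap `fake_resolver` for the default to query a live zone; the only change for a service with the page's zone configured is the zone name passed in.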

Sample of the code. The code is shortened for the example.

#!/bin/bash
# this script will run once per hour at :05
# 2011 Mike.MN
set -e   # never copy or reload a zone when an earlier step failed

# serial is YYYYMMDDnn; nn = UTC hour * 4 (00..92), so it grows with every hourly run
# (10# forces decimal so 08 and 09 are not read as octal)
HOUR=$(( 10#$(date -u +%H) * 4 ))
HOUR=$(printf "%02d" "${HOUR}")
SERIAL=$(date -u +%Y%m%d)${HOUR}

# make the header and serialnumber
# $ORIGIN and $TTL are escaped so the shell leaves them for named; ${SERIAL} is expanded
cat << EOF > /tmp/rblzone_header.txt
\$ORIGIN .
\$TTL 300       ; 5 minutes
rbl.example.com         IN SOA  ns1.example.com. hostmaster.example.com. (
                ${SERIAL}    ; serial
                3600       ; refresh (1 hour)
                600        ; retry (10 minutes)
                604800     ; expire (1 week)
                150        ; minimum (2.5 minutes)
                                )
            NS  ns1.example.com.
            NS  ns2.example.com.
\$ORIGIN rbl.example.com.

4.3.2.1     IN  A   127.0.0.1
        IN  TXT "RBL Test was successful! - Not a real IP"
EOF

# add TOR ip list: one address per line, written as reversed-octet A + TXT records
awk -F. '{
    for (i = NF; i > 0; i--)
        printf("%s%s", $i, (i > 1 ? "." : ""))
    print "\t\t\tIN\tA\t127.0.0.2\n\t\t\t\tIN\tTXT\t\"rbl.example.com RBL Match - TOR Exit Node!\""
}' /etc/rblparse/tor-exit-list > /tmp/rblzone_TOR.txt

# put the parts together: header first, then the list minus whitelisted addresses.
# the whitelist holds one ip per line in normal order; its A record and the
# TXT record on the following line are both dropped
echo "merging files together"
cat /tmp/rblzone_header.txt > /tmp/rblzone_rbl.example.com.zone
awk '
    function rev(s,   a, n, i, r) {            # 1.2.3.4 -> 4.3.2.1
        n = split(s, a, ".")
        r = a[n]
        for (i = n - 1; i > 0; i--) r = r "." a[i]
        return r
    }
    NR == FNR { if (NF) wl[rev($1)] = 1; next }   # first file: the whitelist
    $1 in wl  { skip = 1; next }                  # A record of a whitelisted ip
    skip      { skip = 0; next }                  # its TXT record on the next line
    { print }
' /etc/rblparse/whitelist /tmp/rblzone_TOR.txt >> /tmp/rblzone_rbl.example.com.zone
sudo cp /tmp/rblzone_rbl.example.com.zone /etc/bind/pri/rbl.example.com.zone

echo "reloading zone"
sudo rndc reload rbl.example.com
echo "complete!"