Farsight NOD DNSBL with rbldnsd and BIND 9.9 on Debian 8.x
A DNS Black List (DNSBL) can be used to convey information about IP addresses or hostnames over DNS. Mail Servers and Anti-Spam software can be configured to leverage a DNSBL to make delivery or scoring decisions.
This tutorial demonstrates how to:
- Configure a Caching Nameserver using BIND 9.9.x
- Configure rbldnsd to serve the DNSBL zone v1.bl.dns-nod.net
- Configure BIND to forward queries for the zone v1.bl.dns-nod.net to rbldnsd
- Configure rbldnsd to load the Farsight NOD DNSBL dataset
Requirements
- Debian 8.x
- root or sudo privileges
- Provisioned for NOD DNSBL by Farsight Security
- A username provided by Farsight Security
- Firewall: Outbound TCP port 49222 to rsync.dns-nod.net:
- 104.244.13.85
- 216.66.15.100
- 104.244.14.85
- 216.156.194.100
- A 4096 bit SSH key pair
- The IP address(es) of the host that will be connecting to Farsight Security
Prerequisites
- Start with a clean install of Debian 8.x. For testing purposes a virtual machine with 1 CPU and 1GB of memory would be adequate.
- A NOD DNSBL username provided by Farsight Security
Setup Instructions
NOD user account and associated SSH key
During the provisioning process of NOD DNSBL you will be asked to provide Farsight Security with a public SSH key and an IP address. You can complete these steps prior to the provisioning process so that the public SSH key is ready to hand to Farsight Security.
Create a user account named nod
$ sudo adduser nod --disabled-password --gecos GECOS
Create an SSH key pair
Become the nod user to create an SSH key pair associated with the nod user account that will ultimately be used with SSH and rsync
$ sudo su - nod
Create an SSH key
Create an SSH key to be used to connect to Farsight Security resources. Do not create a password for the SSH key.
ssh-keygen -t rsa -b 4096 -C farsight_security -f /home/nod/.ssh/farsight_security
Provide the public ssh key
During the provisioning process with Farsight Security you will be asked to provide the public ssh key. Example:
$ cat /home/nod/.ssh/farsight_security.pub
Log out of the nod user
$ logout
Install and configure BIND 9
This tutorial uses BIND as a recursive caching server and a forwarding server.
Install BIND 9
$ sudo apt-get update
$ sudo apt-get install bind9 bind9utils bind9-doc
Configure BIND to be a recursive caching DNS Server
$ sudo vim /etc/bind/named.conf.options
Add an ACL to allow recursive queries. Choose a CIDR range that makes sense for your organization.
acl localnetwork {
192.168.0.0/16;
localhost;
localnets;
};
Add the following within the options directive
recursion yes;
allow-query { localnetwork; };
named.conf.options should look like:
acl localnetwork {
192.168.0.0/16;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-query { localnetwork; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Configure BIND to forward queries
Configure BIND to forward queries for the zone v1.bl.dns-nod.net to rbldnsd running on port 5053.
$ sudo vim /etc/bind/named.conf.local
add:
zone "v1.bl.dns-nod.net" IN {
type forward;
forward first;
forwarders {
::1 port 5053;
};
};
Check the syntax of the BIND configuration files
Check the syntax of the BIND configuration files. The shell prompt will return immediately without any output if there are no errors.
sudo named-checkconf
Restart BIND
sudo systemctl restart bind9
Verify BIND is listening on localhost
Verify BIND is listening on localhost and is working as a caching server
$ dig @localhost indiana.edu
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost indiana.edu
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30876
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;indiana.edu. IN A
;; ANSWER SECTION:
indiana.edu. 3534 IN A 129.79.78.193
indiana.edu. 3534 IN A 129.79.78.192
;; AUTHORITY SECTION:
indiana.edu. 3534 IN NS dns1.illinois.edu.
indiana.edu. 3534 IN NS dns1.iu.edu.
indiana.edu. 3534 IN NS dns2.iu.edu.
;; ADDITIONAL SECTION:
dns1.iu.edu. 172734 IN A 134.68.220.8
dns1.illinois.edu. 172734 IN A 130.126.2.100
dns1.illinois.edu. 172734 IN AAAA 2620:0:e00:b::53
dns2.iu.edu. 172734 IN A 129.79.1.8
dns2.iu.edu. 172734 IN AAAA 2001:18e8:2:8::10
;; Query time: 4 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Jun 20 14:12:04 EDT 2016
;; MSG SIZE rcvd: 245
Note: the ;; SERVER: line should show the localhost IP address.
Install rsync
Configure rsync to download the NOD rbldns data files
Become the nod user to set up rsync
$ sudo apt-get install rsync
$ sudo su - nod
Create an SSH configuration file
Create an SSH configuration file to be used with the rsync process
$ vim /home/nod/.ssh/config
Copy and paste the following, be sure to replace username with the username given to you by Farsight Security.
Host rsync.dns-nod.net
User username
IdentityFile ~/.ssh/farsight_security
HostKeyAlias rsync.dns-nod.net
Port 49222
Create directories
Create directories to store the NOD DNSBL files and binaries
$ mkdir -p data/nod/v1
$ ls -l /home/nod/
total 8
drwxr-xr-x 2 nod nod 4096 Jun 21 13:34 bin
drwxr-xr-x 3 nod nod 4096 Jun 21 13:33 data
Create a bin directory in /home/nod
$ mkdir /home/nod/bin/
bash script
Create a bash script in /home/nod/bin to rsync the NOD DNSBL data from Farsight Security. This script uses /usr/bin/flock to ensure there are not multiple rsync commands running concurrently.
$ vim /home/nod/bin/nod-rsync.sh
Copy and paste the following
#!/bin/bash
set -e
/usr/bin/flock -n /home/nod/bin -c "/usr/bin/rsync -tq -e ssh --timeout=10 -az \
rsync.dns-nod.net:nod/v1/nod.rbldnsd /home/nod/data/nod/v1"
Populate the SSH known_hosts file
Populate the SSH known_hosts file with fingerprints for rsync.dns-nod.net
ssh-keyscan -H -t rsa,dsa -p 49222 rsync.dns-nod.net >> /home/nod/.ssh/known_hosts
Test the rsync shell script
$ /bin/bash /home/nod/bin/nod-rsync.sh
Verify nod.rbldnsd was fetched correctly
$ head -n 9 /home/nod/data/nod/v1/nod.rbldnsd
# Newly-Observed Domains List
# (c) 2016 Farsight Security Inc. https://www.farsightsecurity.com
# All rights reserved.
# Sales inquiries to [email protected]
# Technical support requests to [email protected]
# Published by nod2 running version 1.26.0 at 2016-06-30T12:51:55.294865+00:00
$SOA 86400 a.ns.dns-nod.net nod-admin.fsi.io. 1467291115 600 300 86400 300
$TIMESTAMP 2016:06:30:12:51:55
# $NS 86400 a.ns.dns-nod.net b.ns.dns-nod.net
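A small freshness check for the fetched file, as an added example that is not part of the tutorial or of Farsight's tooling: it parses the $SOA and $TIMESTAMP header lines shown above and reports how old the dataset is, so a monitoring job can alert when the per-minute rsync has quietly stopped delivering new data. The cross-check that the SOA serial equals the Unix time of $TIMESTAMP is an assumption drawn from the sample header, not a documented guarantee.

```python
"""Freshness check for the rsync'd nod.rbldnsd file (added example, not part
of the tutorial or Farsight's tooling). It parses the $SOA and $TIMESTAMP
header lines shown above so a monitoring job can alert when the per-minute
cron rsync has quietly stopped delivering new data."""
from datetime import datetime, timezone

# Constructed sample: header lines copied from the `head -n 9` output above.
SAMPLE_HEADER = """# Newly-Observed Domains List
# Published by nod2 running version 1.26.0 at 2016-06-30T12:51:55.294865+00:00
$SOA 86400 a.ns.dns-nod.net nod-admin.fsi.io. 1467291115 600 300 86400 300
$TIMESTAMP 2016:06:30:12:51:55
# $NS 86400 a.ns.dns-nod.net b.ns.dns-nod.net
"""

def parse_header(text):
    """Return (soa_serial, published_at) from the rbldnsd header directives."""
    serial = published = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$SOA" and len(fields) >= 5:
            # $SOA ttl mname rname serial refresh retry expire minimum
            serial = int(fields[4])
        elif fields[0] == "$TIMESTAMP" and len(fields) >= 2:
            # $TIMESTAMP is YYYY:MM:DD:HH:MM:SS; the sample publishes in UTC
            published = datetime.strptime(
                fields[1], "%Y:%m:%d:%H:%M:%S").replace(tzinfo=timezone.utc)
    if serial is None or published is None:
        raise ValueError("missing $SOA or $TIMESTAMP header line")
    return serial, published

def check_freshness(text, now, max_age_seconds=600):
    """Return (fresh, age_seconds, serial_matches_timestamp).

    In the sample header the SOA serial is the Unix time of $TIMESTAMP;
    the cross-check below assumes that and flags a mismatch."""
    serial, published = parse_header(text)
    age = (now - published).total_seconds()
    return age <= max_age_seconds, age, serial == int(published.timestamp())

if __name__ == "__main__":
    # Against the live file: check_freshness(open(path).read(), datetime.now(timezone.utc))
    print(check_freshness(SAMPLE_HEADER, datetime.now(timezone.utc)))
```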
Log out of the nod user again
logout
Create a cron job to run the rsync script every minute
$ sudo vim /etc/cron.d/nod-rsync
Copy and paste the following
#!/bin/sh
# /etc/cron.d/nod-rsync: Farsight NOD rsync script
* * * * * nod /bin/bash /home/nod/bin/nod-rsync.sh
Update the permissions of the file
$ sudo chmod 755 /etc/cron.d/nod-rsync
Install and configure rbldnsd
Install rbldnsd
$ sudo apt-get install rbldnsd
Configure rbldnsd
$ sudo vim /etc/default/rbldnsd
Copy and paste the following to the bottom of the file:
RBLDNSD="rbldnsd -r/home/nod/data/nod/v1/ -b::1/5053 v1.bl.dns-nod.net:dnset:nod.rbldnsd"
Start rbldnsd
sudo /etc/init.d/rbldnsd start
Test rbldnsd
Test rbldnsd to verify it is serving Farsight NOD DNSBL data correctly.
$ dig @localhost -p 5053 8.test.dns-nod.net.v1.bl.dns-nod.net
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost -p 5053 8.test.dns-nod.net.v1.bl.dns-nod.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;8.test.dns-nod.net.v1.bl.dns-nod.net. IN A
;; ANSWER SECTION:
8.test.dns-nod.net.v1.bl.dns-nod.net. 300 IN A 127.0.0.8
;; Query time: 3 msec
;; SERVER: ::1#5053(::1)
;; WHEN: Thu Jun 30 18:12:36 EDT 2016
;; MSG SIZE rcvd: 70
Test BIND
Test BIND to verify it is forwarding the v1.bl.dns-nod.net zone correctly.
$ dig @localhost 8.test.dns-nod.net.v1.bl.dns-nod.net
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost 8.test.dns-nod.net.v1.bl.dns-nod.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;8.test.dns-nod.net.v1.bl.dns-nod.net. IN A
;; ANSWER SECTION:
8.test.dns-nod.net.v1.bl.dns-nod.net. 300 IN A 127.0.0.8
;; AUTHORITY SECTION:
...
...
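The lookup the two dig tests perform, written as a reusable check (added example, not code from the tutorial or from Farsight): it builds the query name <domain>.v1.bl.dns-nod.net, resolves it through the host's resolver (the local BIND in this setup), and treats an answer outside 127.0.0.0/8 as a misconfiguration signal rather than a listing. The resolver is injectable, and the answer table and the names unlisted.example and broken.example are constructed for offline use.

```python
"""Domain DNSBL lookup through the forwarded v1.bl.dns-nod.net zone (added
example, not part of the tutorial or Farsight's tooling). It builds the query
name the way the dig tests above do, <domain>.v1.bl.dns-nod.net, and
classifies the answer; the resolver is injectable so the logic runs offline."""
import ipaddress
import socket

ZONE = "v1.bl.dns-nod.net"
# DNSBL return codes live in 127.0.0.0/8; the test entry above answers 127.0.0.8.
RETURN_CODE_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(domain, zone=ZONE):
    """'8.test.dns-nod.net' -> '8.test.dns-nod.net.v1.bl.dns-nod.net'."""
    return f"{domain.strip('.').lower()}.{zone}"

def system_resolver(name):
    """A records via the host resolver (the local BIND here); NXDOMAIN -> []."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def lookup(domain, resolver=system_resolver):
    """Return (status, answers): 'listed', 'not-listed' or 'unexpected-answer'.

    Answers outside 127/8 are not a listing; they usually mean something other
    than the blocklist answered (assumption: misconfigured forwarding or a
    hijacked zone), so a caller should alert rather than block mail on them."""
    answers = resolver(dnsbl_name(domain))
    if not answers:
        return "not-listed", answers
    if all(ipaddress.ip_address(a) in RETURN_CODE_NET for a in answers):
        return "listed", answers
    return "unexpected-answer", answers

# Constructed answer table standing in for the live zone (192.0.2.1 is TEST-NET).
FAKE_ANSWERS = {
    dnsbl_name("8.test.dns-nod.net"): ["127.0.0.8"],
    dnsbl_name("broken.example"): ["192.0.2.1"],
}

def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for d in ("8.test.dns-nod.net", "unlisted.example", "broken.example"):
        print(d, lookup(d, fake_resolver))  # against the live zone: lookup(d)
```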
Troubleshooting
You should see messages like this in /var/log/syslog if rsync and rbldnsd are configured correctly
Jul 1 09:27:01 deb-nod CRON[794]: (nod) CMD (/bin/bash /home/nod/bin/nod-rsync.sh)
Jul 1 09:27:54 deb-nod rbldnsd[464]: dnset:nod.rbldnsd: 20160701 132700: e/w=320407/320399
Jul 1 09:27:55 deb-nod rbldnsd[464]: zones reloaded, time 0.49e/0.47u sec, mem arena=13612 free=139 mmap=10016 Kb