A DNS Black List (DNSBL) conveys information about IP addresses or hostnames over DNS: a client looks up a name built from the address or hostname under the list's zone, and an answer (by convention an address in 127.0.0.0/8) means the item is listed. Mail servers and anti-spam software can be configured to query a DNSBL to make delivery or scoring decisions.

This tutorial demonstrates how to:

  1. Configure a Caching Nameserver using BIND 9.9.x
  2. Configure rbldnsd to serve the DNSBL zone v1.bl.dns-nod.net
  3. Configure BIND to forward queries for the zone v1.bl.dns-nod.net to rbldnsd
  4. Configure rbldnsd to load the Farsight NOD DNSBL dataset

Requirements

  1. Start with a clean install of Debian 8.x. For testing purposes a virtual machine with 1 CPU and 1GB of memory would be adequate.
  2. A NOD DNSBL username provided by Farsight Security

Setup Instructions

NOD user account and associated SSH key

During the provisioning process for NOD DNSBL you will be asked to provide Farsight Security with a public SSH key and the IP address you will connect from. You can complete the steps below beforehand so that you have the public key ready when Farsight Security asks for it.

Create a user account named nod

The account gets no password (--disabled-password), so it can only be entered with sudo; its SSH key is the only credential that matters.

$ sudo adduser nod --disabled-password --gecos "Farsight NOD"
Create an SSH key pair

Become the nod user to create an SSH key pair associated with the nod user account; it will be used by rsync over SSH.

$ sudo su - nod
Create an SSH key

Create an SSH key to be used to connect to Farsight Security resources. Do not set a passphrase on the key: it is used unattended by cron, so nothing would be there to type it. Its protection is the file permissions ssh-keygen sets (0600) and the fact that the nod account has no password and no other role, so keep it that way and do not copy the private key anywhere else.

ssh-keygen -t rsa -b 4096 -C farsight_security -f /home/nod/.ssh/farsight_security
Provide the public ssh key

During the provisioning process with Farsight Security you will be asked to provide the public ssh key. Example:

$ cat /home/nod/.ssh/farsight_security.pub
Log out of the nod user
$ logout

Install and configure BIND 9

This tutorial uses BIND as a recursive caching server and a forwarding server.

Install BIND 9
$ sudo apt-get update
$ sudo apt-get install bind9 bind9utils bind9-doc
Configure BIND to be a recursive caching DNS Server
$ sudo vim /etc/bind/named.conf.options

Add an ACL naming the clients allowed to query this server, and choose a CIDR range that matches your organization. Anything wider than your own address space turns the host into an open resolver that can be abused for DNS reflection attacks and that answers your DNSBL lookups to strangers.

acl localnetwork {
 192.168.0.0/16;
 localhost;
 localnets;
};

Add the following within the options directive. The name in allow-query must match the acl you defined, or named-checkconf will reject the configuration as referencing an undefined ACL. If you later widen allow-query (for example to serve an authoritative zone to the Internet), also add allow-recursion { localnetwork; }; so that recursion stays restricted to your own clients.

recursion yes;
allow-query { localnetwork; };

named.conf.options should look like:

acl localnetwork {
     192.168.0.0/16;
     localhost;
     localnets;
};

options {
       directory "/var/cache/bind";

       recursion yes;
       allow-query { localnetwork; };

       dnssec-validation auto;

       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
};
Configure BIND to forward queries

Configure BIND to forward queries for the zone v1.bl.dns-nod.net to rbldnsd, which will listen on ::1 port 5053.

$ sudo vim /etc/bind/named.conf.local

add:

zone "v1.bl.dns-nod.net" IN {
    type forward;
    forward first;
    forwarders {
        ::1 port 5053;
    };
};

With forward first, BIND falls back to ordinary recursion if rbldnsd does not answer, so it will try to resolve the zone through its public nameservers and every hostname you check leaves the host. If you would rather fail closed (SERVFAIL until rbldnsd is back), use forward only instead.
Check the syntax of the BIND configuration files

Check the syntax of the BIND configuration files. named-checkconf prints nothing and returns immediately if there are no errors.

$ sudo named-checkconf
Restart BIND
$ sudo systemctl restart bind9
Verify BIND is listening on localhost

Verify BIND is listening on localhost and is working as a caching server

$ dig @localhost indiana.edu

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost indiana.edu
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30876
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;indiana.edu.           IN  A

;; ANSWER SECTION:
indiana.edu.        3534    IN  A   129.79.78.193
indiana.edu.        3534    IN  A   129.79.78.192

;; AUTHORITY SECTION:
indiana.edu.        3534    IN  NS  dns1.illinois.edu.
indiana.edu.        3534    IN  NS  dns1.iu.edu.
indiana.edu.        3534    IN  NS  dns2.iu.edu.

;; ADDITIONAL SECTION:
dns1.iu.edu.        172734  IN  A   134.68.220.8
dns1.illinois.edu.  172734  IN  A   130.126.2.100
dns1.illinois.edu.  172734  IN  AAAA    2620:0:e00:b::53
dns2.iu.edu.        172734  IN  A   129.79.1.8
dns2.iu.edu.        172734  IN  AAAA    2001:18e8:2:8::10

;; Query time: 4 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Jun 20 14:12:04 EDT 2016
;; MSG SIZE  rcvd: 245

Note: the ;; SERVER: line should show a loopback address (::1 or 127.0.0.1); "(2 servers found)" appears because localhost resolves to both.

Configure rsync to download the NOD rbldns data files

Install rsync
$ sudo apt-get install rsync
Become the nod user to setup rsync
$ sudo su - nod
Create an SSH configuration file

Create a SSH configuration file to be used with the rsync process

$ vim /home/nod/.ssh/config

Copy and paste the following, replacing <username> with the username given to you by Farsight Security. The port and the HostKeyAlias are part of the connection details Farsight provides; keep them as given.

Host rsync.dns-nod.net
User <username>
IdentityFile ~/.ssh/farsight_security
HostKeyAlias rsync.dns-nod.net
Port 49222
Create directories

Create directories to store the NOD DNSBL data files and the rsync script

$ mkdir -p /home/nod/data/nod/v1 /home/nod/bin
$ ls -l /home/nod/
total 8
drwxr-xr-x 2 nod nod 4096 Jun 21 13:34 bin
drwxr-xr-x 3 nod nod 4096 Jun 21 13:33 data
Create the rsync script

Create a bash script in /home/nod/bin that rsyncs the NOD DNSBL data from Farsight Security. Cron will start it every minute, so it uses /usr/bin/flock to make sure a run that takes longer than a minute is not overlapped by the next one.

$ vim /home/nod/bin/nod-rsync.sh

Copy and paste the following

#!/bin/bash

set -e

# flock -n: if the previous run still holds the lock, exit 1 at once instead
# of starting a second rsync against the same destination. The lock lives in
# its own file (created on first use) rather than on the bin directory.
# rsync fetches only nod.rbldnsd, preserving its mtime (-a), compressed (-z)
# and quietly (-q), over ssh using the Host entry in ~/.ssh/config. It writes
# to a temporary file and renames it into place, so rbldnsd never reads a
# half-written dataset.
/usr/bin/flock -n /home/nod/nod-rsync.lock -c "/usr/bin/rsync -tq -e ssh --timeout=10 -az \
    rsync.dns-nod.net:nod/v1/nod.rbldnsd /home/nod/data/nod/v1"
Populate the SSH known_hosts file

Populate the SSH known_hosts file with the host keys of rsync.dns-nod.net. ssh-keyscan trusts whatever answers on first use, so compare the fingerprints it recorded (ssh-keygen -lf /home/nod/.ssh/known_hosts) with the ones Farsight Security gives you before relying on them. From then on ssh insists on these keys: a mismatch later makes the rsync fail with "Host key verification failed" instead of connecting.

$ ssh-keyscan -H -t rsa,dsa -p 49222 rsync.dns-nod.net >> /home/nod/.ssh/known_hosts
Test the rsync shell script
$ /bin/bash /home/nod/bin/nod-rsync.sh
Verify nod.rbldnsd was fetched correctly
$ head -n 9 /home/nod/data/nod/v1/nod.rbldnsd
# Newly-Observed Domains List
# (c) 2016 Farsight Security Inc. https://www.farsightsecurity.com
# All rights reserved.
# Sales inquiries to sales@farsightsecurity.com
# Technical support requests to nod@farsightsecurity.com
# Published by nod2 running version 1.26.0 at 2016-06-30T12:51:55.294865+00:00
$SOA 86400 a.ns.dns-nod.net nod-admin.fsi.io. 1467291115 600 300 86400 300
$TIMESTAMP 2016:06:30:12:51:55
# $NS 86400 a.ns.dns-nod.net b.ns.dns-nod.net
Log out of the nod user again
$ logout
Create a cron job to run the rsync script every minute
$ sudo vim /etc/cron.d/nod-rsync

Copy and paste the following. Files in /etc/cron.d are crontabs, not scripts, so no shebang line is needed:

# /etc/cron.d/nod-rsync: Farsight NOD rsync script

* * * * * nod /bin/bash /home/nod/bin/nod-rsync.sh

Make sure the file is owned by root and writable only by root: cron skips crontabs in /etc/cron.d that fail this check, and a crontab anyone else could edit would let them run commands as any user, root included. It does not need to be executable.

$ sudo chmod 644 /etc/cron.d/nod-rsync

Install and configure rbldnsd

Install rbldnsd
$ sudo apt-get install rbldnsd
Configure rbldnsd
$ sudo vim /etc/default/rbldnsd

Copy and paste the following to the bottom of the file. The first word is the instance name used by Debian's init script; -r sets the directory the data files are read from, -b the address and port to listen on, and the last argument names the zone, the dataset type (dnset, keyed by domain name) and the file within that directory:

RBLDNSD="rbldnsd -r/home/nod/data/nod/v1/ -b::1/5053 \
    v1.bl.dns-nod.net:dnset:nod.rbldnsd"

rbldnsd binds only to the IPv6 loopback here, matching the forwarders entry in named.conf.local; if IPv6 is disabled on the host, use -b127.0.0.1/5053 and change the forwarder to 127.0.0.1 port 5053. rbldnsd is normally run as an unprivileged user (its -u option) and re-reads the file when rsync replaces it, so that user needs read access to /home/nod/data/nod/v1/nod.rbldnsd; adduser creates home directories world-readable on Debian, so the paths above work as shown.
Start rbldnsd
$ sudo /etc/init.d/rbldnsd start
Test rbldnsd

Test rbldnsd to verify that it is serving the Farsight NOD DNSBL data. The aa flag in the reply shows the answer came from the local dataset, and the "recursion requested but not available" warning is expected: rbldnsd is an authoritative-only server and never recurses.

$ dig @localhost -p 5053 8.test.dns-nod.net.v1.bl.dns-nod.net
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost -p 5053 8.test.dns-nod.net.v1.bl.dns-nod.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;8.test.dns-nod.net.v1.bl.dns-nod.net. IN A

;; ANSWER SECTION:
8.test.dns-nod.net.v1.bl.dns-nod.net. 300 IN A  127.0.0.8

;; Query time: 3 msec
;; SERVER: ::1#5053(::1)
;; WHEN: Thu Jun 30 18:12:36 EDT 2016
;; MSG SIZE  rcvd: 70
Test BIND

Test BIND to verify that it is forwarding the v1.bl.dns-nod.net zone to rbldnsd. The answer must be the same one rbldnsd gave directly, now with the ra flag set and without aa because it came through the recursive server.

$ dig @localhost 8.test.dns-nod.net.v1.bl.dns-nod.net
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @localhost 8.test.dns-nod.net.v1.bl.dns-nod.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;8.test.dns-nod.net.v1.bl.dns-nod.net. IN A

;; ANSWER SECTION:
8.test.dns-nod.net.v1.bl.dns-nod.net. 300 IN A  127.0.0.8

;; AUTHORITY SECTION:
...
...
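The two dig tests above show the server side. The following POSIX shell functions, added here as an example and not part of the original tutorial, show the client side a mail filter implements: building the query name for a hostname (what rbldnsd dnset zones such as v1.bl.dns-nod.net expect) or, going a little beyond this page, for an IPv4 address (reversed octets, as ip4set zones expect), and interpreting the answer. The zone and the 8.test.dns-nod.net test name come from the tutorial; the sample answers are constructed, and the handling of individual 127.0.0.x codes and of non-loopback answers is an assumption about how a careful consumer should behave, not Farsight's documented semantics.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: the client side of a
# DNSBL lookup, i.e. what a mail filter does with the zone built above.
# The zone name v1.bl.dns-nod.net and the test name 8.test.dns-nod.net come
# from the tutorial; the meaning of individual 127.0.0.x codes is
# list-specific and is NOT defined here (ask the list operator).

# Build the name to query for a key in a DNSBL zone.
# rbldnsd "dnset" zones such as v1.bl.dns-nod.net are keyed by hostname:
# the hostname is simply prepended to the zone. "ip4set" zones are keyed by
# IPv4 address with the octets reversed (the RFC 5782 convention).
dnsbl_qname() {
    key=${1%.}        # drop a trailing dot from a fully qualified name
    zone=$2
    case "$key" in
        *[!0-9.]*)    # contains something other than digits and dots: hostname
            printf '%s.%s\n' "$key" "$zone"
            ;;
        *)            # dotted decimal: IPv4, reverse the octets
            oldifs=$IFS; IFS=.; set -- $key; IFS=$oldifs
            [ $# -eq 4 ] || return 1
            printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
            ;;
    esac
}

# Interpret the A records an answer contains (one address per line, as
# "dig +short" prints them). A listing is signalled by an address in
# 127.0.0.0/8; the last octet is the list's reason code. An empty answer or
# NXDOMAIN means "not listed". Any other address must not be treated as a
# listing: it usually means the query escaped to the Internet and hit a
# wildcard or parked domain, so the caller should alert rather than block.
# Prints the reason codes and returns 0 when listed, 1 when not listed,
# 2 when the answer is not a valid DNSBL reply.
dnsbl_verdict() {
    listed=0 broken=0 codes=""
    for a in $1; do
        case "$a" in
            127.*)     listed=1; codes="$codes${codes:+ }${a##*.}" ;;
            *.*.*.*)   broken=1 ;;
        esac
    done
    [ "$broken" -eq 0 ] || return 2
    [ "$listed" -eq 1 ] || return 1
    printf '%s\n' "$codes"
}

# Stand-alone demonstration on constructed answers (no network needed).
# On the host built in this tutorial the answer would come from
#   dig +short @localhost "$(dnsbl_qname 8.test.dns-nod.net v1.bl.dns-nod.net)" A
qname=$(dnsbl_qname 8.test.dns-nod.net v1.bl.dns-nod.net)
if codes=$(dnsbl_verdict "127.0.0.8"); then
    echo "$qname: listed, code(s) $codes"
fi
# constructed: a public address where a DNSBL answer was expected
rc=0; dnsbl_verdict "93.184.216.34" >/dev/null || rc=$?
if [ "$rc" -eq 2 ]; then
    echo "non-loopback answer: lookup leaked to the Internet or zone misconfigured"
fi
```

Treating a non-loopback answer as "not listed" rather than as an error is the design choice to avoid: once forward first (or a missing forward zone) lets the query reach the public Internet, a wildcard answer would silently flag every message as listed, and an NXDOMAIN would silently whitelist everything.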

Troubleshooting

If rsync and rbldnsd are configured correctly you should see messages like these in /var/log/syslog: cron starting the script every minute, and rbldnsd reloading the zone whenever the data file changes (it checks for changes every 60 seconds by default)

Jul  1 09:27:01 deb-nod CRON[794]: (nod) CMD (/bin/bash /home/nod/bin/nod-rsync.sh)
Jul  1 09:27:54 deb-nod rbldnsd[464]: dnset:nod.rbldnsd: 20160701 132700:
    e/w=320407/320399
Jul  1 09:27:55 deb-nod rbldnsd[464]: zones reloaded, time 0.49e/0.47u sec,
    mem arena=13612 free=139 mmap=10016 Kb

If the data file never changes, run the script by hand as the nod user (sudo su - nod, then /bin/bash /home/nod/bin/nod-rsync.sh) and read the ssh error: "Permission denied (publickey)" means the key or username has not been provisioned on Farsight's side yet, and "Host key verification failed" means the known_hosts entry does not match the server. If rbldnsd logs that it cannot open the data file, check that its user can read /home/nod/data/nod/v1/nod.rbldnsd.
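The log lines above only confirm that things worked once. If the cron'd rsync later stops working (revoked key, blocked port, full disk), rbldnsd keeps answering from the last copy it loaded and nothing in this setup complains. The following check, added here as an example and not part of the original tutorial, reads the publication time from the $TIMESTAMP header line shown earlier and fails when the file is older than a limit, so it can be run from cron or by a monitoring agent. It assumes GNU date (Debian coreutils) for date -d and that the header timestamp is in UTC, as the sample header indicates; the sample file it builds is constructed from the header lines on this page.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: alert when the NOD
# dataset goes stale. Assumes GNU date (Debian coreutils) for "date -d" and
# that the "$TIMESTAMP YYYY:MM:DD:HH:MM:SS" header line is in UTC, as in the
# header shown earlier in this tutorial.

# Print the publication time recorded in a nod.rbldnsd file as Unix epoch
# seconds. Fails (status 1) if the $TIMESTAMP line is missing or malformed.
nod_published_epoch() {
    ts=$(sed -n 's/^[$]TIMESTAMP \([0-9:]*\)$/\1/p' "$1" | head -n 1)
    [ -n "$ts" ] || return 1
    oldifs=$IFS; IFS=:; set -- $ts; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    date -u -d "$1-$2-$3 $4:$5:$6" +%s
}

# Return 0 if the file was published no more than max_age seconds before
# "now" (default: current time; passing it explicitly makes the check
# reproducible), 1 if it is stale, 2 if the file cannot be parsed.
nod_is_fresh() {
    file=$1 max_age=$2 now=${3:-$(date -u +%s)}
    pub=$(nod_published_epoch "$file") || return 2
    age=$((now - pub))
    [ "$age" -ge 0 ] && [ "$age" -le "$max_age" ]
}

# Constructed sample: the header lines of the file shown in this tutorial
# (the real file continues with several hundred thousand domain entries).
write_sample_header() {
    cat > "$1" <<'EOF'
# Newly-Observed Domains List
# Published by nod2 running version 1.26.0 at 2016-06-30T12:51:55.294865+00:00
$SOA 86400 a.ns.dns-nod.net nod-admin.fsi.io. 1467291115 600 300 86400 300
$TIMESTAMP 2016:06:30:12:51:55
# $NS 86400 a.ns.dns-nod.net b.ns.dns-nod.net
EOF
}

# Stand-alone demonstration. In production point it at the live file with a
# limit that suits how often you expect a new dataset, e.g. from cron:
#   nod_is_fresh /home/nod/data/nod/v1/nod.rbldnsd 900 || logger -p mail.err "NOD dataset stale"
tmp=$(mktemp)
write_sample_header "$tmp"
echo "sample published at epoch $(nod_published_epoch "$tmp")"
if nod_is_fresh "$tmp" 900; then echo "fresh"; else echo "stale or unreadable"; fi
rm -f "$tmp"
```

The sample header is a handy cross-check for the parser: its $SOA serial, 1467291115, is exactly the Unix time of 2016-06-30T12:51:55Z, the same instant the $TIMESTAMP line records.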

Additional Information

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.