Using DroneBL: An overview

DroneBL only offers public access to its data in the form of a DNSBL. A more robust lookup feature is available for security professionals with an RPCKey via RPC2 lookups. If you would like to propose another format, we would enjoy your suggestions! Please ask on IRC.

For more information, see the FAQ.

Using the DroneBL DNSBL service

The DroneBL database is exported as an rbldnsd-compatible file. We then load this into various rbldnsd installations, which are exposed to the public internet via the dnsbl.dronebl.org DNS zone.

You may use the DroneBL DNSBL service free of charge for both commercial and non-commercial purposes. Some examples are listed below. However, we ask that if you are using this service commercially, you contribute to the DroneBL ecosystem in a positive way. There are many ways of doing this (hosting a DNSBL mirror, working on the code, etcetera); read the FAQ for suggestions and procedures.

How to perform a manual DNSBL lookup

  1. Take the client's IP address (say, 192.168.42.23) and reverse the bytes, yielding 23.42.168.192.
  2. Append the DNSBL's domain name, resulting in: 23.42.168.192.dnsbl.dronebl.org.
  3. Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an NXDOMAIN ("No such domain") code, indicating that the client is not.

Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as dnsbl.dronebl.org above) rather than the special reverse domain in-addr.arpa.
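The three steps above as a small Python lookup, added here as an example (it is not DroneBL's own code). The names query_name and lookup are hypothetical, the reply-code labels are copied from the BOPM configuration on this page, and reading the code from the last octet of a 127.0.0.0/8 answer is an assumption about the reply format.

```python
import ipaddress
import socket

ZONE = "dnsbl.dronebl.org"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Reply codes copied from the BOPM configuration on this page.
REPLY_CODES = {
    2: "Sample", 3: "IRC Drone", 5: "Bottler",
    6: "Unknown spambot or drone", 7: "DDOS Drone", 8: "SOCKS Proxy",
    9: "HTTP Proxy", 10: "ProxyChain", 13: "Brute force attackers",
    14: "Open Wingate Proxy", 15: "Compromised router / gateway",
    17: "Automatically determined botnet IPs (experimental)",
    255: "Unknown",
}


def query_name(ip, zone=ZONE):
    """Steps 1 and 2: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip, resolve=socket.gethostbyname_ex, zone=ZONE):
    """Step 3: return [] if not listed, else sorted (code, label) pairs.

    Assumptions: a listing is an A record in 127.0.0.0/8 whose last octet
    is the reply code; any other answer (for example a resolver that
    rewrites NXDOMAIN) is ignored. Resolver errors other than "no such
    name" are re-raised so an outage is not read as "not listed".
    """
    try:
        _, _, addresses = resolve(query_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise
    codes = sorted({int(a.rsplit(".", 1)[1]) for a in addresses
                    if ipaddress.IPv4Address(a) in LOOPBACK})
    return [(c, REPLY_CODES.get(c, "code not in table above")) for c in codes]


if __name__ == "__main__":
    # 192.168.42.23 is the example address used in the steps above.
    print(query_name("192.168.42.23"), lookup("192.168.42.23"))
```

The resolve parameter exists so the lookup can be exercised against a stub resolver without touching the network.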

charybdis 2.0 and later blacklist {}

If you add the following to your blacklist {} block, your charybdis server will check DroneBL. As an example:

blacklist {
        host = "dnsbl.dronebl.org";
        reject_reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup";
};

charybdis 2.2 and later blacklist {}

If you add the following to your blacklist {} block, your charybdis server will check DroneBL. As an example:

blacklist {
        host = "dnsbl.dronebl.org";
        reject_reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup?ip=${ip}";
};

InspIRCd

If you are using the m_dnsbl.so module, you can add this line to your configuration:

<dnsbl name="DroneBL" domain="dnsbl.dronebl.org" action="ZLINE" reason="You are listed in DroneBL. Please visit http://dronebl.org/lookup?ip=%ip%" bitmask="253">

BOPM

BOPM can be configured to check DroneBL too. Recent versions of BOPM contain an example configuration for doing so, and are pre-configured to send new proxy reports to DroneBL as well.

blacklist {
    name = "dnsbl.dronebl.org";
    type = "A record reply";
    reply {
        2 = "Sample";
        3 = "IRC Drone";
        5 = "Bottler";
        6 = "Unknown spambot or drone";
        7 = "DDOS Drone";
        8 = "SOCKS Proxy";
        9 = "HTTP Proxy";
        10 = "ProxyChain";
        13 = "Brute force attackers";
        14 = "Open Wingate Proxy";
        15 = "Compromised router / gateway";
        17 = "Automatically determined botnet IPs (experimental)";
        255 = "Unknown";
    };
    ban_unknown = no;
    kline = "PRIVMSG OperServ :akill add +3h *@%i You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network"; 
};

For more information, visit the BOPM website.

Note: In order to be able to report to DroneBL, you are required to have an RPC Key.

Change dnsbl_from to your_rpckey@your_domain.tld and set dnsbl_to to bopm-report@dronebl.org.

Postfix

You can use smtpd_recipient_restrictions to restrict access based on DroneBL listings. This may prove advantageous in blocking spam due to the unique list of proxies and infected machines we have. To do so, add to your smtpd_recipient_restrictions:

    reject_rbl_client dnsbl.dronebl.org

hosts.deny: Using DroneBL as a firewalling measure

It is now possible to use DroneBL to help reduce attacks from inbound machines by using this script and calling it from hosts.deny:

    sshd : 10.0.0.0/24, 127.0.0.1 : allow
    ALL : 192.168.0.0/32 : deny
    ALL EXCEPT httpd : ALL : aclexec /usr/local/bin/checkdnsbl.sh %a

Thanks to rojo for the tip.
