Using DroneBL: An overview
DroneBL only offers public access to its data in the form of a DNSBL. A more robust lookup feature is available for security professionals with an RPCKey via RPC2 lookups. If you would like to propose another format, we would enjoy your suggestions! Please ask on IRC.
For more information, see the FAQ.
Using the DroneBL DNSBL service
The DroneBL database is exported in the format of an rbldnsd
compatible file. We then load this into various rbldnsd installations,
which are exported to the public internet via the dnsbl.dronebl.org
DNS zone.
You may use the DroneBL DNSBL service free of charge for both commercial and non-commercial purposes. Some examples are listed below. However, we ask that if you are using this service commercially, you contribute to the ecosystem of the DroneBL in a positive way. There are many ways of doing this (hosting a DNSBL mirror, working on the code, etcetera); read the FAQ for suggestions and procedures.
How to perform a manual DNSBL lookup
- Take the client's IP address (say, 192.168.42.23) and reverse the bytes, yielding 23.42.168.192.
- Append the DNSBL's domain name, resulting in: 23.42.168.192.dnsbl.dronebl.org.
- Look up this name in the DNS as a domain name ("A" record). This will return either an address, indicating that the client is listed; or an NXDOMAIN ("No such domain") code, indicating that the client is not.
Looking up an address in a DNSBL is thus similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the "A" rather than "PTR" record type, and uses a forward domain (such as dnsbl.dronebl.org above) rather than the special reverse domain in-addr.arpa.
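The manual lookup above as an added Python example (not DroneBL's own code). It assumes the listing type is the last octet of a 127.0.0.0/8 reply, matching the BOPM/HOPM reply table on this page; query_name, system_resolver and check are illustrative names.

```python
import ipaddress
import socket

ZONE = "dnsbl.dronebl.org"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Reply codes copied from the BOPM/HOPM configuration on this page.
CLASSES = {
    2: "Sample", 3: "IRC Drone", 5: "Bottler",
    6: "Unknown spambot or drone", 7: "DDOS Drone", 8: "SOCKS Proxy",
    9: "HTTP Proxy", 10: "ProxyChain", 11: "Web Page Proxy",
    12: "Open DNS Resolver", 13: "Brute force attackers",
    14: "Open Wingate Proxy", 15: "Compromised router / gateway",
    16: "Autorooting worms",
    17: "Automatically determined botnet IPs (experimental)",
    18: "DNS/MX type hostname detected on IRC", 255: "Unknown",
}


def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name; an empty list means NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeout or server failure is not a "not listed" answer
    return sorted({info[4][0] for info in infos})


def check(ip, resolver=system_resolver, zone=ZONE):
    """Return [(code, description)] for ip; empty when not listed."""
    codes = set()
    for answer in resolver(query_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        # Assumption: the listing type is the last octet of a 127.0.0.0/8
        # reply. Other answers (e.g. a resolver that rewrites NXDOMAIN)
        # are ignored rather than treated as a listing.
        if addr in LOOPBACK:
            codes.add(int(addr) & 0xFF)
    return [(c, CLASSES.get(c, "code not in table")) for c in sorted(codes)]
```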
charybdis 2.0 and later blacklist {}
If you add the following to your blacklist {} block, your charybdis server will check DroneBL. As an example:
blacklist {
host = "dnsbl.dronebl.org";
reject_reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup";
};
charybdis 2.2 and later blacklist {}
If you add the following to your blacklist {} block, your charybdis server will check DroneBL. As an example:
blacklist {
host = "dnsbl.dronebl.org";
reject_reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup?ip=${ip}";
};
InspIRCd
If you are using the m_dnsbl.so module, you can add the following to your configuration file:
<dnsbl name="DroneBL"
domain="dnsbl.dronebl.org"
type="record"
records="3,5,6,7,8,9,10,11,13,14,15,16,17,19"
action="ZLINE"
duration="7d"
reason="You are listed in DroneBL. Please visit https://dronebl.org/lookup.do?ip=%ip% for more information.">
BOPM/HOPM
BOPM/HOPM can be configured to check DroneBL too. Recent versions of BOPM/HOPM contain an example configuration for doing so, and are pre-configured to send new proxy reports to DroneBL as well.
blacklist {
name = "dnsbl.dronebl.org";
type = "A record reply";
reply {
2 = "Sample";
3 = "IRC Drone";
5 = "Bottler";
6 = "Unknown spambot or drone";
7 = "DDOS Drone";
8 = "SOCKS Proxy";
9 = "HTTP Proxy";
10 = "ProxyChain";
11 = "Web Page Proxy";
12 = "Open DNS Resolver";
13 = "Brute force attackers";
14 = "Open Wingate Proxy";
15 = "Compromised router / gateway";
16 = "Autorooting worms";
17 = "Automatically determined botnet IPs (experimental)";
18 = "DNS/MX type hostname detected on IRC";
255 = "Unknown";
};
ban_unknown = no;
kline = "PRIVMSG OperServ :akill add +3h *@%i You have a host listed in the DroneBL. For more information, visit https://dronebl.org/lookup?ip=%i&network=Network";
};
For more information, visit the BOPM website or HOPM website.
Note: In order to be able to report to DroneBL, you are required to have an RPC Key.
Change dnsbl_from to your_rpckey@your_domain.tld and set dnsbl_to to bopm-report@dronebl.org.
Postfix
You can use smtpd_recipient_restrictions to restrict access via the DroneBL. This may prove advantageous in blocking SPAM due to the unique list of proxies and infected machines we have. To do so, add to your smtpd_recipient_restrictions:
reject_rbl_client dnsbl.dronebl.org
hosts.deny: Using DroneBL as a firewalling measure
It is now possible to use DroneBL to help reduce attacks from inbound machines by using this script and calling it from hosts.deny:
sshd : 10.0.0.0/24, 127.0.0.1 : allow
ALL : 192.168.0.0/32 : deny
ALL EXCEPT httpd : ALL : aclexec /usr/local/bin/checkdnsbl.sh %a
Thanks to rojo for the tip.