The "dnsbl" Module (v4)
Description
This module allows the server administrator to check the IP address of connecting users against one or more DNS-based blocklists (DNSBLs). This is useful for keeping known-abusive hosts (open proxies, botnet drones, Tor exit nodes and similar) off the server. A lookup is only as good as the list behind it: a stale or over-broad DNSBL will reject legitimate users, so review which result types you match and which action you take on a hit.
Configuration
To load this module use the following <module> tag:
<module name="dnsbl">
<connect>
This module extends the core <connect> tags with the following fields:
| Name | Type | Default Value | Description |
|---|---|---|---|
| dnsbl | Text | None | Assign users that have been marked by the DNSBL with this name (see the mark action below) to this connect class. |
| usednsbl | Boolean | Yes | Whether users in this connect class should be looked up in a DNSBL. |
Example Usage
Disables DNSBL lookups for users in the WebChat class:
<connect name="WebChat"
...
usednsbl="no">
Assigns users that have been marked by a configured DNSBL named Proxies to the ProxyUser class:
<connect name="ProxyUser"
...
dnsbl="Proxies">
<dnsbl>
The <dnsbl> tag defines a DNSBL to check connecting users against. This tag can be defined as many times as required.
| Name | Type | Default Value | Description |
|---|---|---|---|
| action | Text | None | Required! The action to take against users whose IP address is listed in this DNSBL. |
| bitmask | Number | None | Required for the bitmask type! Deprecated! A bitmask of DNSBL result types to match against. |
| domain | Text | None | Required! The domain name of this DNSBL. |
| duration | Duration | 1h | If action is set to gline, kline, or zline then how long the X-line lasts. |
| host | Text | None | If action is set to mark then a new hostname to set on users whose IP address is listed in this DNSBL. |
| user | Text | None | If action is set to mark then a new username to set on users whose IP address is listed in this DNSBL. |
| name | Text | None | Required! The human readable name of this DNSBL. |
| reason | Text | Your IP (%ip%) has been blacklisted by the %dnsbl% DNSBL. | The message to send to users whose IP address is listed in this DNSBL. |
| records | No. Range | None | Required for the record type! A numeric range of DNSBL result types to match against. |
| timeout | Duration | Depends on <dns:timeout> | The time period to wait for a response from this DNSBL. |
| type | Text | record | The type of result that this DNSBL will provide. |
The action field should be set to one of the following values:
| Value | Description |
|---|---|
| gline | G-line users whose IP address is listed in the DNSBL. |
| kill | Kill users whose IP address is listed in the DNSBL. |
| kline | K-line users whose IP address is listed in the DNSBL. |
| mark | Mark users whose IP address is listed in the DNSBL so that they can be matched by the <connect:dnsbl> field. |
| zline | Z-line users whose IP address is listed in the DNSBL. |
The reason field can contain any of the following template variables:
| Variable | Description |
|---|---|
| %dnsbl% | The name of the DNSBL (from <dnsbl:name>) |
| %dnsbl.url% | New in v4.1.0! The name of the DNSBL (from <dnsbl:name>) encoded for use in a URL. |
| %ip% | The IP address of the user. |
| %network% | New in v4.1.0! The name of the IRC network (from <server:network>). |
| %network.url% | New in v4.1.0! The name of the IRC network (from <server:network>) encoded for use in a URL. |
| %reason% | New in v4.4.0! A human readable description of the DNSBL result (from <dnsblreply>). |
| %result% | The record type returned by the DNSBL. |
The type field should be set to one of the following values:
| Value | Description |
|---|---|
| bitmask | Deprecated! DNSBL results will be compared against the bit mask specified in the bitmask field to see if the IP address in question is in a DNSBL. For example, 15 would match against DNSBL result types 1, 2, 4, and 8. |
| record | DNSBL results will be compared against a numeric range of values. For example, 1-3,4,5 would match all DNSBL result types between 1 and 5. |
Example Usage
DroneBL is a DNSBL for IRC networks:
<dnsbl name="DroneBL"
domain="dnsbl.dronebl.org"
type="record"
records="3,5,6,7,8,9,10,11,13,14,15,16,17,19"
action="zline"
duration="7d"
reason="You are listed in DroneBL. Please visit https://dronebl.org/lookup?ip=%ip% for more information.">
EFnet RBL is a DNSBL of undesirable IP addresses detected by the EFnet IRC Network:
<dnsbl name="EFnet RBL"
domain="rbl.efnetrbl.org"
type="record"
records="1,2,3,4,5"
action="zline"
duration="7d"
reason="You are listed in the EFnet RBL. Please visit https://rbl.efnetrbl.org/?i=%ip% for more information.">
torexit.dan.me.uk is a DNSBL of Tor exit nodes:
<dnsbl name="torexit.dan.me.uk"
domain="torexit.dan.me.uk"
type="record"
records="100"
timeout="10s"
action="zline"
duration="7d"
reason="Tor exit nodes are not allowed on this network. See https://metrics.torproject.org/rs.html#search/%ip% for more information.">
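The lookup and matching rules behind the type, records, bitmask and reason fields, as an added example that is not part of the module's own code: it builds the reversed-address query name, parses the records range syntax, applies the record and bitmask matching rules, and expands the reason template (including the %reason% description from a <dnsblreply> tag, described below). The DroneBL entry is the one from the page; the SpamBL entry, its domain spambl.example, the 192.0.2.0/24 client addresses and the DNS answers are constructed for this example. It assumes the DNSBL encodes the result type in the last octet of an answer in 127.0.0.0/8, which is the common convention; check the list's own documentation for the exact encoding.

```python
import ipaddress
import re
import urllib.parse
from typing import Optional

def dnsbl_query_name(ip: str, domain: str) -> str:
    """Name queried for `ip` in the DNSBL `domain`: IPv4 octets reversed,
    IPv6 written as its 32 hex nibbles reversed, each nibble a separate label."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + domain

def parse_records(spec: str) -> set:
    """Parse the <dnsbl:records> syntax ("1-3,4,5") into the set {1,2,3,4,5}."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out

def result_code(answer: str) -> Optional[int]:
    """A listing is an A record in 127.0.0.0/8; the result type is taken from
    its last octet (an assumption of this example). Anything else is "not listed"."""
    addr = ipaddress.ip_address(answer)
    if addr.version != 4 or not addr.is_loopback:
        return None
    return int(addr) & 0xFF

def matches(code: int, entry: dict) -> bool:
    """Apply <dnsbl:type>: `record` tests membership in the parsed range,
    the deprecated `bitmask` ANDs the code against <dnsbl:bitmask>."""
    if entry["type"] == "record":
        return code in parse_records(entry["records"])
    if entry["type"] == "bitmask":
        return (code & int(entry["bitmask"])) != 0
    raise ValueError("unknown dnsbl type %r" % entry["type"])

def expand_reason(template: str, ip: str, entry: dict, code: int, replies: dict) -> str:
    """Fill the <dnsbl:reason> template variables documented above."""
    values = {
        "dnsbl": entry["name"],
        "dnsbl.url": urllib.parse.quote(entry["name"], safe=""),
        "ip": ip,
        "result": str(code),
        "reason": replies.get((entry["name"], code), ""),
    }
    return re.sub(r"%([a-z.]+)%", lambda m: values.get(m.group(1), m.group(0)), template)

def check_ip(ip: str, entry: dict, resolve, replies: Optional[dict] = None):
    """Look `ip` up in one <dnsbl> entry. Returns (action, reason) on a hit and
    (None, None) otherwise. `resolve(name)` returns the A records for `name`
    ([] for NXDOMAIN); any matching answer counts as a hit."""
    replies = replies or {}
    for answer in resolve(dnsbl_query_name(ip, entry["domain"])):
        code = result_code(answer)
        if code is not None and matches(code, entry):
            return entry["action"], expand_reason(entry["reason"], ip, entry, code, replies)
    return None, None

# DroneBL entry as configured on the page; SpamBL (domain, record, action) is
# constructed for this example and paired with the <dnsblreply> for result 42.
DRONEBL = {"name": "DroneBL", "domain": "dnsbl.dronebl.org", "type": "record",
           "records": "3,5,6,7,8,9,10,11,13,14,15,16,17,19", "action": "zline",
           "reason": "You are listed in DroneBL. Please visit https://dronebl.org/lookup?ip=%ip% for more information."}
SPAMBL = {"name": "SpamBL", "domain": "spambl.example", "type": "record",
          "records": "42", "action": "kill",
          "reason": "%dnsbl% listed %ip% (%result%): %reason%"}
REPLIES = {("SpamBL", 42): "Infected host"}

# Constructed DNS answers standing in for real lookups (192.0.2.0/24 is documentation space).
FAKE_DNS = {
    "10.2.0.192.dnsbl.dronebl.org": ["127.0.0.13"],  # listed with type 13: in the records list
    "11.2.0.192.dnsbl.dronebl.org": ["127.0.0.2"],   # listed with type 2: not in the records list
    "12.2.0.192.spambl.example": ["127.0.0.42"],
}

def fake_resolve(name: str) -> list:
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        for entry in (DRONEBL, SPAMBL):
            print(ip, entry["name"], check_ip(ip, entry, fake_resolve, REPLIES))
```

192.0.2.11 is listed by the constructed DroneBL answer but with a type the records field does not include, so it passes; this is the case to keep in mind when copying a records list, since a type you leave out is silently ignored rather than reported.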
<dnsblreply>
The <dnsblreply> tag defines the meaning of a reply from a DNSBL. This tag can be defined as many times as required.
| Name | Type | Default Value | Description |
|---|---|---|---|
| name | Text | None | Required! The name of the DNSBL this reply applies to. |
| reply | Number | None | Required! The DNSBL reply that this tag specifies a meaning for. |
| description | Text | None | Required! A human readable description of the DNSBL reply. |
Example Usage
Specifies that a result of 42 from the SpamBL DNSBL means that the user is connecting from an infected host.
<dnsblreply name="SpamBL"
reply="42"
description="Infected host">
Server Notice Masks
| Character | Description |
|---|---|
| d | Notifications about DNSBL hits on the local server. |
| D | Notifications about DNSBL hits on a remote server. |
Statistics
| Character | Description |
|---|---|
| d | Lists information about DNSBL hits and misses. |
Special Notes
If you are also using the gateway module, put your WebIRC gateways in a connect class with usednsbl="no" (see the WebChat example above). Otherwise the gateway's own IP address is subject to lookup, and a hit on that shared address can be applied to every user who connects through it.