# The "dnsbl" Module (v4)

## Description

This module allows the server administrator to check the IP address of connecting users against a DNSBL. This is useful for preventing malicious hosts from connecting to the server.
## Configuration

To load this module use the following `<module>` tag:

```xml
<module name="dnsbl">
```
### `<connect>`

This module extends the core `<connect>` tags with the following fields:

| Name | Type | Default Value | Description |
|---|---|---|---|
| dnsbl | Text | None | Match users to this connect class by DNSBL name when using the mark action. |
| usednsbl | Boolean | Yes | Whether users in this connect class should be looked up in a DNSBL. |
#### Example Usage

Disables DNSBL lookups for users in the WebChat class:

```xml
<connect name="WebChat"
         ...
         usednsbl="no">
```

Matches users that have been marked by a configured DNSBL named Proxies to a ProxyUser class:

```xml
<connect name="ProxyUser"
         ...
         dnsbl="Proxies">
```
### `<dnsbl>`

The `<dnsbl>` tag defines a DNSBL to check connecting users against. This tag can be defined as many times as required.

| Name | Type | Default Value | Description |
|---|---|---|---|
| action | Text | None | Required! The action to take against users whose IP address is in this DNSBL. |
| bitmask | Number | None | Required for the bitmask type! A bitmask of DNSBL result types to match against. |
| domain | Text | None | Required! The domain name of this DNSBL. |
| duration | Duration | 1h | If action is set to gline, kline, or zline then the duration that the X-line should last for. |
| host | Text | None | If action is set to mark then a new hostname to set on users whose IP address is in this DNSBL. |
| user | Text | None | If action is set to mark then a new username to set on users whose IP address is in this DNSBL. |
| name | Text | None | Required! The human readable name of this DNSBL. |
| reason | Text | Your IP (%ip%) has been blacklisted by the %dnsbl% DNSBL. | The message to send to users whose IP address is in a DNSBL. |
| records | No. Range | None | Required for the record type! A numeric range of DNSBL result types to match against. |
| timeout | Duration | Depends on `<dns:timeout>` | The time period to wait for a response from this DNSBL. |
| type | Text | record | The type of result that this DNSBL will provide. |
The action field should be set to one of the following values:

| Value | Description |
|---|---|
| gline | G-line users whose IP address is in the DNSBL. |
| kill | Kill users whose IP address is in the DNSBL. |
| kline | K-line users whose IP address is in the DNSBL. |
| mark | Marks users whose IP address is in the DNSBL. |
| zline | Z-line users whose IP address is in the DNSBL. |
The reason field can contain any of the following template variables:

| Variable | Description |
|---|---|
| %dnsbl% | The name of the DNSBL (from `<dnsbl:name>`). |
| %dnsbl.url% | New in v4.1.0! The name of the DNSBL (from `<dnsbl:name>`) encoded for use in a URL. |
| %ip% | The IP address of the user. |
| %network% | New in v4.1.0! The name of the IRC network (from `<server:network>`). |
| %network.url% | New in v4.1.0! The name of the IRC network (from `<server:network>`) encoded for use in a URL. |
| %reason% | New in v4.4.0! A human readable description of the DNSBL result (from `<dnsblreply>`). |
| %result% | The record type returned by the DNSBL. |
The type field should be set to one of the following values:

| Value | Description |
|---|---|
| bitmask | DNSBL results will be compared against the bit mask specified in the bitmask field to see if the IP address in question is in a DNSBL. For example, 15 would match against DNSBL result types 1, 2, 4, and 8. |
| record | DNSBL results will be compared against a numeric range of values. For example, 1-3,4,5 would match all DNSBL result types between 1 and 5. |
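The following is an added Python model of the two matching rules above (record ranges and bitmasks) together with the reason template variables; it is an illustration written for this page, not InspIRCd's own code. The DroneBL entry is copied from the example configuration on this page and the SpamBL reply comes from the `<dnsblreply>` example; the SpamBL and BitsBL list definitions, the resolver answers, the network name, and the convention that the last octet of a 127.0.0.x answer is the result type are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import quote

# Constructed <dnsbl> definitions. DroneBL mirrors the page's own example;
# SpamBL and BitsBL are hypothetical and exist only to exercise the rules.
DNSBLS = [
    {"name": "DroneBL", "domain": "dnsbl.dronebl.org", "type": "record",
     "records": "3,5,6,7,8,9,10,11,13,14,15,16,17,19", "action": "zline",
     "reason": "You are listed in DroneBL. Please visit https://dronebl.org/lookup.do?ip=%ip% for more information."},
    {"name": "SpamBL", "domain": "spambl.example.invalid", "type": "record",
     "records": "40-49", "action": "kill",
     "reason": "Your IP (%ip%) has been blacklisted by the %dnsbl% DNSBL: %reason%"},
    {"name": "BitsBL", "domain": "bits.example.invalid", "type": "bitmask",
     "bitmask": 15, "action": "mark",
     "reason": "%dnsbl% result %result% for %ip%"},
]

# Hypothetical <dnsblreply> table keyed by (dnsbl name, reply number).
DNSBL_REPLIES = {("SpamBL", 42): "Infected host"}

# The template variables documented for the reason field; longer names come
# first so "%dnsbl.url%" is not consumed as "%dnsbl%" followed by junk.
TEMPLATE_VARS = re.compile(r"%(dnsbl\.url|dnsbl|ip|network\.url|network|reason|result)%")


def query_name(ip: str, domain: str) -> str:
    """Build the DNSBL query name: reversed address labels under the list domain."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:  # one label per nibble for IPv6, least significant first
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + domain


def parse_records(spec: str) -> set:
    """Expand a records value such as "1-3,4,5" into the set {1, 2, 3, 4, 5}."""
    values = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError("bad records entry: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        values.update(range(lo, hi + 1))
    return values


def result_type(answer: str):
    """Map an A-record answer to a result type (assumption: last octet of 127.0.0.x).

    Answers outside 127.0.0.0/8 are treated as "not listed" and yield None,
    which keeps a misconfigured or wildcarded resolver from listing everyone.
    """
    addr = ipaddress.ip_address(answer)
    if addr.version != 4 or not str(addr).startswith("127."):
        return None
    return int(str(addr).split(".")[-1])


def matches(dnsbl: dict, result: int) -> bool:
    """Apply the record or bitmask rule selected by the type field."""
    if dnsbl["type"] == "bitmask":
        return (result & int(dnsbl["bitmask"])) != 0
    return result in parse_records(dnsbl["records"])


def format_reason(dnsbl: dict, ip: str, result: int, network: str = "ExampleNet") -> str:
    """Substitute the reason template variables; unknown tokens are left alone."""
    subs = {
        "dnsbl": dnsbl["name"],
        "dnsbl.url": quote(dnsbl["name"], safe=""),
        "ip": ip,
        "network": network,
        "network.url": quote(network, safe=""),
        "reason": DNSBL_REPLIES.get((dnsbl["name"], result), ""),
        "result": str(result),
    }
    return TEMPLATE_VARS.sub(lambda m: subs[m.group(1)], dnsbl["reason"])


def evaluate(ip: str, answers: dict) -> list:
    """Return (name, action, reason) for each configured DNSBL that lists ip.

    `answers` maps a query name to the A-record string a resolver returned;
    a missing key stands in for NXDOMAIN, i.e. not listed.
    """
    hits = []
    for dnsbl in DNSBLS:
        answer = answers.get(query_name(ip, dnsbl["domain"]))
        if answer is None:
            continue
        result = result_type(answer)
        if result is not None and matches(dnsbl, result):
            hits.append((dnsbl["name"], dnsbl["action"], format_reason(dnsbl, ip, result)))
    return hits


# Constructed resolver answers for the documentation address 192.0.2.10.
SAMPLE_ANSWERS = {
    "10.2.0.192.dnsbl.dronebl.org": "127.0.0.19",
    "10.2.0.192.spambl.example.invalid": "127.0.0.42",
    "10.2.0.192.bits.example.invalid": "127.0.0.16",  # 16 & 15 == 0, so no hit
}

if __name__ == "__main__":
    for hit in evaluate("192.0.2.10", SAMPLE_ANSWERS):
        print(hit)
```

Running the block shows DroneBL (result 19 is in its records list) and SpamBL (42 falls inside 40-49, and its `<dnsblreply>` text fills `%reason%`) as hits, while BitsBL is skipped because 16 shares no bit with the mask 15. The `result_type` guard is the part worth keeping in mind when reading real lookups: a resolver that answers something other than 127.0.0.x for every name would otherwise turn into a list that matches every user.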
#### Example Usage

DroneBL is a DNSBL for IRC networks:

```xml
<dnsbl name="DroneBL"
       domain="dnsbl.dronebl.org"
       type="record"
       records="3,5,6,7,8,9,10,11,13,14,15,16,17,19"
       action="zline"
       duration="7d"
       reason="You are listed in DroneBL. Please visit https://dronebl.org/lookup.do?ip=%ip% for more information.">
```

EFnet RBL is a DNSBL of undesirable IP addresses detected by the EFnet IRC Network:

```xml
<dnsbl name="EFnet RBL"
       domain="rbl.efnetrbl.org"
       type="record"
       records="1,2,3,4,5"
       action="zline"
       duration="7d"
       reason="You are listed in the EFnet RBL. Please visit https://rbl.efnetrbl.org/?i=%ip% for more information.">
```

torexit.dan.me.uk is a DNSBL of Tor exit nodes:

```xml
<dnsbl name="torexit.dan.me.uk"
       domain="torexit.dan.me.uk"
       type="record"
       records="100"
       timeout="10s"
       action="zline"
       duration="7d"
       reason="Tor exit nodes are not allowed on this network. See https://metrics.torproject.org/rs.html#search/%ip% for more information.">
```
### `<dnsblreply>`

The `<dnsblreply>` tag defines the meaning of a reply from a DNSBL. This tag can be defined as many times as required.

| Name | Type | Default Value | Description |
|---|---|---|---|
| name | Text | None | Required! The name of the DNSBL this reply applies to. |
| reply | Number | None | Required! The DNSBL reply that this tag specifies a meaning for. |
| description | Text | None | Required! A human readable description of the DNSBL reply. |

#### Example Usage

Specifies that a result of 42 from the SpamBL DNSBL means that the user is connecting from an infected host:

```xml
<dnsblreply name="SpamBL"
            reply="42"
            description="Infected host">
```
## Server Notice Masks

| Character | Description |
|---|---|
| d | Notifications about DNSBL hits on the local server. |
| D | Notifications about DNSBL hits on a remote server. |

## Statistics

| Character | Description |
|---|---|
| d | Lists information about DNSBL hits and misses. |

## Special Notes

If you are also using the gateway module, you should disable DNSBL lookups for your WebIRC gateway.