The "dnsbl" Module (v4)

Description

This module allows the server administrator to check the IP address of connecting users against a DNSBL. This is useful for preventing malicious hosts from connecting to the server.

Configuration

To load this module use the following <module> tag:

<module name="dnsbl">

<connect>

This module extends the core <connect> tags with the following fields:

| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| dnsbl | Text | None | Match users to this connect class by DNSBL name when using the mark action. |
| usednsbl | Boolean | Yes | Whether users in this connect class should be looked up in a DNSBL. |

Example Usage

Disables DNSBL lookups for users in the WebChat class:

<connect name="WebChat"
         ...
         usednsbl="no">

Matches users that have been marked by a configured DNSBL named Proxies to a ProxyUser class:

<connect name="ProxyUser"
         ...
         dnsbl="Proxies">

<dnsbl>

The <dnsbl> tag defines a DNSBL to check connecting users against. This tag can be defined as many times as required.

| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| action | Text | None | Required! The action to take against users whose IP address is in this DNSBL. |
| bitmask | Number | None | Required for the bitmask type! A bitmask of DNSBL result types to match against. |
| domain | Text | None | Required! The domain name of this DNSBL. |
| duration | Duration | 1h | If action is set to gline, kline, or zline then the duration for an X-line to last for. |
| host | Text | None | If action is set to mark then a new hostname to set on users whose IP address is in this DNSBL. |
| user | Text | None | If action is set to mark then a new username to set on users whose IP address is in this DNSBL. |
| name | Text | None | Required! The human readable name of this DNSBL. |
| reason | Text | Your IP (%ip%) has been blacklisted by the %dnsbl% DNSBL. | The message to send to users whose IP address is in a DNSBL. |
| records | No. Range | None | Required for the record type! A numeric range of DNSBL result types to match against. |
| timeout | Duration | Depends on <dns:timeout> | The time period to wait for a response from this DNSBL. |
| type | Text | record | The type of result that this DNSBL will provide. |

The action field should be set to one of the following values:

| Value | Description |
| --- | --- |
| gline | G-line users whose IP address is in the DNSBL. |
| kill | Kill users whose IP address is in the DNSBL. |
| kline | K-line users whose IP address is in the DNSBL. |
| mark | Marks users whose IP address is in the DNSBL. |
| zline | Z-line users whose IP address is in the DNSBL. |

The reason field can contain any of the following template variables:

| Variable | Description |
| --- | --- |
| %dnsbl% | The name of the DNSBL (from <dnsbl:name>) |
| %dnsbl.url% | New in v4.1.0! The name of the DNSBL (from <dnsbl:name>) encoded for use in a URL. |
| %ip% | The IP address of the user. |
| %network% | New in v4.1.0! The name of the IRC network (from <server:network>). |
| %network.url% | New in v4.1.0! The name of the IRC network (from <server:network>) encoded for use in a URL. |
| %reason% | New in v4.4.0! A human readable description of the DNSBL result (from <dnsblreply>). |
| %result% | The record type returned by the DNSBL. |

The type field should be set to one of the following values:

| Value | Description |
| --- | --- |
| bitmask | DNSBL results will be compared against the bit mask specified in the bitmask field to see if the IP address in question is in a DNSBL. For example, 15 would match against DNSBL result types 1, 2, 4, and 8. |
| record | DNSBL results will be compared against a numeric range of values. For example, 1-3,4,5 would match all DNSBL result types between 1 and 5. |

Example Usage

DroneBL is a DNSBL for IRC networks:

<dnsbl name="DroneBL"
       domain="dnsbl.dronebl.org"
       type="record"
       records="3,5,6,7,8,9,10,11,13,14,15,16,17,19"
       action="zline"
       duration="7d"
       reason="You are listed in DroneBL. Please visit https://dronebl.org/lookup.do?ip=%ip% for more information.">

EFnet RBL is a DNSBL of undesirable IP addresses detected by the EFnet IRC Network:

<dnsbl name="EFnet RBL"
       domain="rbl.efnetrbl.org"
       type="record"
       records="1,2,3,4,5"
       action="zline"
       duration="7d"
       reason="You are listed in the EFnet RBL. Please visit https://rbl.efnetrbl.org/?i=%ip% for more information.">

torexit.dan.me.uk is a DNSBL of Tor exit nodes.

<dnsbl name="torexit.dan.me.uk"
       domain="torexit.dan.me.uk"
       type="record"
       records="100"
       timeout="10s"
       action="zline"
       duration="7d"
       reason="Tor exit nodes are not allowed on this network. See https://metrics.torproject.org/rs.html#search/%ip% for more information.">
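
How a records or bitmask value decides whether a DNSBL reply counts as a hit, as an added Python sketch (not InspIRCd's own code). It assumes the usual DNSBL convention that the client IP is reversed and prefixed to the zone, that the result type is the last octet of a 127.0.0.0/8 A record, and that a bitmask matches when any bit is shared; all function names are hypothetical.

```python
import ipaddress
from typing import Optional, Set

def dnsbl_query_name(ip: str, domain: str) -> str:
    """Name queried for `ip`: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + domain

def parse_records(spec: str) -> Set[int]:
    """Expand a records value such as "1-3,4,5" into the set {1, 2, 3, 4, 5}."""
    wanted = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        wanted.update(range(int(low), int(high or low) + 1))
    return wanted

def result_type(reply: str) -> Optional[int]:
    """Last octet of a 127.0.0.0/8 reply; None otherwise (assumed convention)."""
    addr = ipaddress.ip_address(reply)
    if addr.version != 4 or addr not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return int(addr) & 0xFF

def is_listed(reply: str, kind: str = "record", records: str = "",
              bitmask: int = 0) -> bool:
    """Apply the type="record" or type="bitmask" rule to one DNSBL reply."""
    result = result_type(reply)
    if result is None:
        return False
    if kind == "bitmask":
        return (result & bitmask) != 0
    return result in parse_records(records)

# records value copied from the DroneBL example on this page
DRONEBL_RECORDS = "3,5,6,7,8,9,10,11,13,14,15,16,17,19"

if __name__ == "__main__":
    # Constructed sample: documentation-range client IP and made-up replies.
    print(dnsbl_query_name("192.0.2.10", "dnsbl.dronebl.org"))
    for reply in ("127.0.0.3", "127.0.0.4", "192.0.2.1"):
        print(reply, is_listed(reply, records=DRONEBL_RECORDS))
    print(is_listed("127.0.0.4", kind="bitmask", bitmask=15))
```

Under this reading a bitmask of 15 also matches a combined result such as 3 (1 and 2 both set), which is why a record list is the safer choice for DNSBLs that return enumerated rather than flag-style codes.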

<dnsblreply>

The <dnsblreply> tag defines the meaning of a reply from a DNSBL. This tag can be defined as many times as required.

| Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| name | Text | None | Required! The name of the DNSBL this reply applies to. |
| reply | Number | None | Required! The DNSBL reply that this tag specifies a meaning for. |
| description | Text | None | Required! A human readable description of the DNSBL reply. |

Example Usage

Specifies that a result of 42 from the SpamBL DNSBL means that the user is connecting from an infected host.

<dnsblreply name="SpamBL"
            reply="42"
            description="Infected host">

Server Notice Masks

| Character | Description |
| --- | --- |
| d | Notifications about DNSBL hits on the local server. |
| D | Notifications about DNSBL hits on a remote server. |

Statistics

| Character | Description |
| --- | --- |
| d | Lists information about DNSBL hits and misses. |

Special Notes

If you are also using the gateway module you should disable DNSBL lookups for your WebIRC gateway.