rbldns
Purpose
rbldns answers TXT queries for synthesized DNS names consisting of the reversed IP address concatenated with the $BASE given in its repository. rbldns is IPv6 enabled and thus allows queries over IPv4 or IPv6 networks, though only UDP is supported. It is able to process DNSCurve-encrypted DNS queries and responses in the 'streamline' as well as in the 'txt' format. rbldns, however, does not support DNSSEC. rbldns can simultaneously bind to IPv4 and IPv6 network addresses and supports 'reverse IPv6-anycasting'.
Programs
System Setup
It is preferable to install D.J. Bernstein's daemontools or Bruce Guenter's daemontools-encore. A further alternative is Gerrit Pape's runit, though in principle systemd and any of its derivatives or the s6 toolbox for managing Unix services will do.
Given the first two, rbldns-conf can be used to set up rbldns:
- The service directory (e.g. /rbldns) is provided; it must start with a slash as its first character.
- The base tells which name is concatenated to the received (reversed) IP addresses.
rbldns runs chrooted under a particular user, typically rbldns, and is usually located at /etc/rbldns.
The run script for rbldns looks like:
Here, envdir is used to source rbldns's ./env directory and populate the required environment variables.
rbldns logs to STDOUT, which should be managed by multilog with a dedicated system user and rotation capability.
A run script for multilog can be very generic:
Note that rbldns writes condensed log lines without a timestamp, appending them to the current file. Thus it is advisable to restrict the logfile size.
Service Configuration
rbldns can run in two different security modes:
- DNSCurve enabled: If a DNSCurve public key has been generated with curvedns-keygen and its name has been used as the delegated name server at the upstream ones, encryption of DNS messages is possible with a DNSCurve-enabled iterative resolver.
- Plain DNS: Without this setting, DNS queries and responses are transmitted unencrypted over UDP. This is the usual operational mode.
The main rbldns configuration is provided in the directory ./env. Here one defines, in particular, the files:
- IP: The IP addresses rbldns listens on and sends responses from.
- ROOT: The path to the 'root' directory (could be on a ram disk).
- BASE: The chosen base for the RBL query.
- uz5...: The DNSCurve public key as file name, with the (hexadecimal) public key as content.
- CURVEDNS_PRIVATE_KEY: Containing the DNSCurve private key.
Security Note: If you run a public rbldns service in unencrypted/plain mode, an eavesdropper will be able to collect data for all of your DNS clients, and ultimately you are disclosing which MTA has received an SMTP mail from a destination given by its IP, with a precise timestamp.
Content Configuration
Within rbldns' directory ./root a file data exists which hosts, line by line, the IP addresses or subnets subject to a response.
First Step: Adding DNS TXT Records
Include in the file data the following information:
- ip4: IPv4 address in dotted-decimal format.
- ip4/n: IPv4 subnet giving n significant subnet-bits in dotted-decimal format.
- ip6: IPv6 address in compactified format.
- ip6/n: IPv6 subnet giving n significant subnet-bits in compactified IPv6 format.
- =a:txt: Allows adding some additional information in case of a match. If txt ends with $, the queried IP address is included in the answer.
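As an added illustration, not part of rbldns or its documentation, the following Python sketch shows how the query name described under Purpose is synthesized from an IP address and $BASE, and how a data file in the format listed above is matched against such a query. The IPv6 nibble-reversed label form, the parsing of the =a:txt line and the sample data are assumptions constructed for this example.

```python
import ipaddress
# Constructed sample ./root/data content; the '=a:txt' line follows the description above.
SAMPLE_DATA = """\
=127.0.0.2:Listed by example RBL, see https://rbl.example/lookup?ip=$
192.0.2.0/24
198.51.100.7
2001:db8::/32
"""

def parse_data(text):
    """Return (networks, A record, TXT template) from rbldns-style data lines."""
    nets, a_rec, txt = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("="):                # '=a:txt' sets the answer on a match
            a_rec, txt = line[1:].split(":", 1)
        else:                                   # ip4, ip4/n, ip6 or ip6/n
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets, a_rec, txt

def synthesize_qname(ip, base):
    """Query name a resolver sends: reversed address labels followed by BASE."""
    ip = ipaddress.ip_address(ip)
    labels = str(ip).split(".") if ip.version == 4 else list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + base   # IPv6: 32 nibbles (assumed ip6.arpa style)

def qname_to_ip(qname, base):
    """Undo synthesize_qname; None if the name is not under BASE or is malformed."""
    qname, base = qname.rstrip(".").lower(), base.rstrip(".").lower()
    if not qname.endswith("." + base):
        return None
    labels = qname[: -len(base) - 1].split(".")
    try:
        if len(labels) == 4:
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if len(labels) == 32:
            return ipaddress.IPv6Address(int("".join(reversed(labels)), 16))
    except ValueError:
        pass
    return None

def lookup(qname, base, nets, a_rec, txt):
    """Return (A, TXT) for a listed address, else None."""
    ip = qname_to_ip(qname, base)
    if ip is None or not any(ip in net for net in nets):
        return None
    answer = txt or ""
    if answer.endswith("$"):                    # trailing '$' is replaced by the queried IP
        answer = answer[:-1] + str(ip)
    return a_rec, answer
```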
Second Step: Compiling DNS TXT Records
A Makefile exists within that directory to turn data into data.cdb by running make, which applies rbldns-data.
Note: rbldns-data understands plain IP addresses as well as IP addresses in CIDR format.