Re: Help with own RBL
On 23 Jul 2018, at 23:40, Pedro David Marco wrote:
> On Tuesday, July 24, 2018, 12:07:52 AM GMT+2, David B Funk wrote:
> > What kind of 'calculations with that IP' ?
> Thanks Dave... calculations are complex and done with an external script that reads some files parsing them...

Depending on how you intend your service to work, you could be creating a trap for your users. Feel free to fill the gaps in my understanding of what you intend, as after all I'm only working with the little you have shared in this thread so far.

Normally, content scanners / MTAs will perform their DNS queries from behind a caching name server. The idea is that once a response to a particular question is known, that information can be kept around and reused at a much faster rate. This is (and has been) the recommended architecture since forever, with minor variations on where / how many caching name servers to deploy.

On 23 Jul 2018, at 13:49, Pedro David Marco wrote:
> I am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly [⋯]

This means that the caching name server that is querying you will have to wait for _most_ answers. Without a way to know how long that process will take, it's possible that DNS clients will retry their questions, the caching name server will as well, and the whole thing becomes a tarpit that ends up wasting DNS resolver resources and generally slowing down mail delivery. Under that scenario, I would not recommend usage of the service you propose, but again feel free to fill any gaps in the above reasoning.

The reason that in the traditional DNS list model you do all your calculations in advance and produce a zone is precisely to ensure that your service can respond quickly. Also note that DNS is designed to aggressively cache responses, so that repeated queries can be satisfied from a nearby cache.

Wildcard DNS records could be leveraged to some extent, so as to have better control over caching of results.

There are variations to the DNS list architecture that include pushing dynamic updates to keep the zone data updated as more / newer data is available. This could work for your use case -- you could consume a query log from your authoritative DNS servers, perform the required calculations and then push the updated response when the results are available. In the meantime, the DNS server would return NXDOMAIN (or perhaps something else if wildcard records are an option). Without knowing more about these calculations you intend to perform, this dynamic update approach would seem like a workable plan which might or might not fall within your expertise.

In a distant past I built something like what you're describing, although for a very different purpose. I ended up writing a name server in Perl (https://metacpan.org/release/Net-DNS-Method). This won't come near the required performance or behavior for a public facing DNS list with any sort of meaningful usage.

Also consider that your DNS traffic will only go up, because if your DNS list gets mentioned around, people are going to add it to their configuration and forget about it.

So, while this is likely not an ideal forum for this topic, I don't mind beating this horse for a little while.

Best regards
-lem
Re: Help with own RBL
On Tuesday, July 24, 2018, 12:07:52 AM GMT+2, David B Funk wrote:
> What kind of 'calculations with that IP' ?

On 24.07.18 06:40, Pedro David Marco wrote:
> Thanks Dave... calculations are complex and done with an external script that reads some files parsing them...

"calculations are complex" is not an answer to "what calculations".

Maybe you could do those calculations offline and push their results to DNS. Maybe you could create rules or an SA plugin instead.

Doing any kind of complex calculations for a DNS request is useless, especially when you use it locally.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: Help with own RBL
On Tuesday, July 24, 2018, 12:07:52 AM GMT+2, David B Funk wrote:
> What kind of 'calculations with that IP' ?

Thanks Dave... calculations are complex and done with an external script that reads some files parsing them...

-PedroD
Re: Help with own RBL
On Tuesday, July 24, 2018, 12:04:57 AM GMT+2, Kris Deugau wrote:
> IIRC PowerDNS can be set up to run Lua code fragments of some kind on DNS requests.

Thanks! I did not know it. I have checked it and Lua cannot exec external commands to get a possible "answer"...

> To my mind though, you'd be better off doing your heavy processing out of band, and publishing results in a standard zone file or rbldnsd.

I also considered that... parsing rbldnsd logs for example and adding data to the standard zone file, but I would lose the real-time effect...

Thanks Kris...
PedroD
Re: Help with own RBL
On Mon, 23 Jul 2018, Pedro David Marco wrote:
> Not exactly a SA question but...
> I am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly (caching the results)...
> Please, does anyone know of any nameserver that can do that? To my knowledge RBLDNSD cannot do it...
> Thanks in advance!

What kind of 'calculations with that IP' ?

Is it dynamic, factored with some kind of external coefficients, or is it a more static mapping?

If the latter you may be able to use something like RBLDNSD. With RBLDNSD you can define overlapping zones and it will pick the most specific one. EG:

0.0.0/0 == some default value
41.0.0.0/8 == some other value
41.23.0.0/16 == yet another value
etc...

Put your coding into a map generator, then push the results into RBLDNSD. It can handle 10^5+ entries with no sweat.

--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
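As an added example, not code from this thread or from RBLDNSD: the most-specific-match lookup Dave describes, run over overlapping CIDR entries, together with the reversed-octet query-name decoding a DNSBL server performs before it looks anything up. The zone name bl.example.invalid and the 127.0.0.x return codes are constructed sample values.

```python
import ipaddress

# Constructed sample data, not from the thread: the DNSBL zone name and the
# overlapping entries with their 127.0.0.x return codes are assumptions.
ZONE = "bl.example.invalid"
ENTRIES = {
    "0.0.0.0/0": "127.0.0.2",      # some default value
    "41.0.0.0/8": "127.0.0.3",     # some other value
    "41.23.0.0/16": "127.0.0.4",   # yet another value
}

# Sort longest prefix first so the first hit is the most specific entry,
# which is the behaviour Dave attributes to RBLDNSD's overlapping zones.
NETS = sorted(
    ((ipaddress.ip_network(cidr), code) for cidr, code in ENTRIES.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def lookup(ip):
    """Return the A record value of the most specific matching entry, or None."""
    addr = ipaddress.ip_address(ip)
    for net, code in NETS:
        if addr in net:
            return code
    return None  # nothing matched: the server would answer NXDOMAIN


def query_name_to_ip(qname):
    """Turn '4.3.2.1.bl.example.invalid' back into '1.2.3.4' (None if malformed)."""
    labels = qname.rstrip(".").lower().split(".")
    suffix = ZONE.split(".")
    if len(labels) != len(suffix) + 4 or labels[-len(suffix):] != suffix:
        return None
    ip = ".".join(reversed(labels[:4]))
    try:
        ipaddress.IPv4Address(ip)  # reject octets such as 999
    except ValueError:
        return None
    return ip


def answer(qname):
    """Resolve a DNSBL query name to its A record value, or None for NXDOMAIN."""
    ip = query_name_to_ip(qname)
    return lookup(ip) if ip else None
```

Because the map is computed ahead of time, every query is a prefix match against data already in memory, which is the "respond quickly" property the rest of the thread insists on.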
Re: Help with own RBL
Pedro David Marco wrote:
> Not exactly a SA question but...
> I am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly (caching the results)...
> Please, does anyone know of any nameserver that can do that? To my knowledge RBLDNSD cannot do it...

IIRC PowerDNS can be set up to run Lua code fragments of some kind on DNS requests.

To my mind though, you'd be better off doing your heavy processing out of band, and publishing results in a standard zone file or rbldnsd.

-kgd
Re: Help with own RBL
* Pedro David Marco :
> Not exactly a SA question but...
> I am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly (caching the results)...
> Please, does anyone know of any nameserver that can do that? To my knowledge RBLDNSD cannot do it...

Why use DNS as a protocol, if you don't use DNS? You could as well implement a simple TCP map service or use HTTP to do calls etc.

If you use Postfix you could also implement a policy service or even a MILTER.

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
Help with own RBL
Not exactly a SA question but...

I am planning to run my own RBL with a nameserver, that when queried for an IP that is not in its database, does some calculations with that IP and replies accordingly (caching the results)...

Please, does anyone know of any nameserver that can do that? To my knowledge RBLDNSD cannot do it...

Thanks in advance!

---PedroD