Recipe 10.7. Creating a Custom DNS Block List

Problem

You need to create a custom DNS block list (DNSBL) instead of (or in addition to) using a third-party DNSBL service.

Solution

Using a graphical user interface

To create the block list, do the following:

  1. Assemble a list of the IP addresses that you want to block.

  2. Open the DNS Management snap-in (dnsmgmt.msc) using an account that has administrative privileges in your domain.

  3. Expand the server and Forward Lookup Zones objects.

  4. Right-click Forward Lookup Zones and select New Zone. When the New Zone Wizard appears, click Next.

  5. Select Primary zone in the Zone Type wizard page, then click Next.

  6. On the Active Directory Zone Replication Scope page, click Next.

  7. Name the zone and click Next.

  8. On the Dynamic Update page, click the Do not allow dynamic updates radio button and click Next.

  9. Click Finish to create the zone.

  10. Right-click the new zone and select New Domain. When the New DNS Domain dialog box appears, name the domain after the first octet of the first server on your block list. For example, if one of the servers you want to block has an IP address of 1.2.3.4, you'd name this domain 1. Click OK to create the domain.

  11. Right-click the newly created domain and select New Domain; name the new subdomain after the second octet of the host you want to block and click OK.

  12. Repeat step 11, this time using the third octet.

  13. Right-click the third octet's subdomain and select New Host (A).

  14. In the New Host dialog, enter the fourth octet of the blocked host as the host name, enter an IP address of 127.0.0.1, and click Add Host. Click OK to dismiss the confirmation dialog.

  15. If you want to add additional hosts in the same IP address range as the current host, repeat step 14 for each host you want to add. Click Done when you've added all of the hosts in the current subdomain.

  16. Create additional subdomains and hosts as necessary to include all of the IP addresses you gathered in step 1.

  17. Create an Exchange connection filter to use your new DNS block list for spam filtering, as described in Recipe 7.22.

Discussion

The idea behind DNSBLs is simple: when your server gets an inbound piece of mail, it can query a DNSBL server for the IP address of the sending server. If the IP address belongs to a known spammer, to an address block reserved for dial-up users, or some other range of IPs from which legitimate mail is unlikely to originate, the DNSBL server will return an address; if the IP address isn't on the list, the query will fail. Based on this go/no-go indication, Exchange can then decide whether to drop the connection or to accept the message.

There are several popular and well-maintained DNSBL services such as SpamHaus and SpamCop. Most mail administrators who use DNSBLs use third-party lists, although those at larger sites will often download the zone data and run it on a local nameserver. You are free to create and maintain your own list if you prefer. This gives you a greater degree of control over the contents of the DNSBL, since some third-party services use rather relaxed standards to decide who is spamming. DNSBLs by themselves aren't a complete anti-spam solution, especially given that a large percentage of current spam is sent by hijacked Windows machines connected to various ISPs; their IP addresses don't fall into a contiguous block, and there's little value in banning hundreds or thousands of individual client IPs. DNSBLs are instead useful as an additional protective layer to be relied on after other measures.

Managing a large amount of block list data through the GUI can quickly become cumbersome, especially if it changes frequently. You may want to look into other methods of managing DNS data: direct import of DNS zone files; use of the dnscmd.exe utility to programmatically update data in dynamic DNS zones; or using the MicrosoftDNS_Server, MicrosoftDNS_Zone, and MicrosoftDNS_ResourceRecord WMI classes. Although the details of these methods are outside the scope of this recipe, Matt Larson, Cricket Liu, and Robbie Allen provide a thorough reference to the many facets of running a Windows-based DNS server in their book DNS on Windows Server 2003, also available from O'Reilly.
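As an added example (not from the book), the following Python script generates the block list as a zone file that can be imported instead of building the tree by hand in steps 10 through 16, and then emulates the go/no-go lookup described above against the generated records. The zone name bl.example and the sample addresses are constructed; the reverse parameter is an assumption you must set to match your MTA, because standard DNSBL clients (RFC 5782) query the reversed address (4.3.2.1.zone) while the GUI steps above lay the tree out in forward order (1.2.3.4.zone).

```python
import ipaddress
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample block list (documentation/test ranges, not real spam sources).
SAMPLE_BLOCKLIST = ["1.2.3.4", "192.0.2.0/30", "198.51.100.7"]

def query_name(ip: str, zone: str, reverse: bool = True) -> str:
    """Owner name under which an address is listed. reverse=True is the RFC 5782
    client convention (1.2.3.4 -> 4.3.2.1.zone.); reverse=False matches the
    forward tree that the recipe's GUI steps build (1.2.3.4.zone.)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    if reverse:
        octets.reverse()
    return ".".join(octets) + "." + zone.rstrip(".") + "."

def expand(entries: Iterable[str]) -> Iterator[str]:
    """Yield every address from a mix of single IPs and CIDR blocks."""
    for entry in entries:
        for addr in ipaddress.ip_network(entry, strict=False):
            yield str(addr)

def build_zone(entries: Iterable[str], zone: str, reverse: bool = True,
               answer: str = "127.0.0.1", ttl: int = 3600) -> str:
    """Emit a master-file zone: SOA/NS header plus one A record per listed address.
    The recipe answers with 127.0.0.1; any 127/8 value serves as the 'listed' signal."""
    origin = zone.rstrip(".") + "."
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}",
             f"@ IN SOA ns1.{origin} hostmaster.{origin} ( 1 3600 900 604800 300 )",
             f"@ IN NS ns1.{origin}"]
    lines += [f"{query_name(ip, zone, reverse)} IN A {answer}" for ip in expand(entries)]
    return "\n".join(lines) + "\n"

def load_records(zone_text: str) -> Dict[str, str]:
    """Read the A records back out of the zone text (owner name -> answer)."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            records[parts[0]] = parts[3]
    return records

def check_sender(ip: str, records: Dict[str, str], zone: str, reverse: bool = True) -> Optional[str]:
    """Emulate the MTA's go/no-go lookup: an address means 'listed'; None stands for NXDOMAIN (accept)."""
    return records.get(query_name(ip, zone, reverse))

if __name__ == "__main__":
    text = build_zone(SAMPLE_BLOCKLIST, "bl.example")
    recs = load_records(text)
    for sender in ("1.2.3.4", "192.0.2.3", "192.0.2.4"):
        print(sender, "->", check_sender(sender, recs, "bl.example") or "not listed")
```

Write the returned text to a file and import it as a primary zone; if your MTA queries in forward order, pass reverse=False to both build_zone and check_sender.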

See Also

Recipe 7.22 for configuring SMTP connection filtering to use a DNSBL; Chapter 10 of the Exchange Server 2003 Transport and Routing Guide; MS KB 823866 (How to configure connection filtering to use Realtime Block Lists and how to configure recipient filtering in Exchange Server 2003); and Chapter 8 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press).



Exchange Server Cookbook
Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235