Creating a Custom DNS Block List on Windows Server 2003


Creating a Custom DNS Block List:

Problem:


You need to create a custom DNS block list (DNSBL) instead of (or in addition to) using a third-party DNSBL service.

Solution:


Using a graphical user interface

To create the block list, do the following:
  1. Open the DNS Management snap-in (dnsmgmt.msc) using an account that has administrative privileges in your domain.
  2. Expand the server and Forward Lookup Zones objects.
  3. Right-click Forward Lookup Zones and select New Zone. When the New Zone Wizard appears, click Next.
  4. Select Primary zone in the Zone Type wizard page, then click Next.
  5. On the Active Directory Zone Replication Scope page, click Next.
  6. Name the zone and click Next.
  7. On the Dynamic Update page, click the Do not allow dynamic updates radio button and click Next.
  8. Click Finish to create the zone.
  9. Right-click the new zone and select New Domain. When the New DNS Domain dialog box appears, name the domain after the first octet of the first server on your block list. For example, if one of the servers you want to block has an IP address of 1.2.3.4, you'd name this domain 1. Click OK to create the domain.
  10. Right-click the newly created domain and select New Domain; name the new subdomain after the second octet of the host you want to block and click OK.
  11. Repeat step 10, this time using the third octet.
  12. Right-click the third octet's subdomain and select New Host (A).
  13. In the New Host dialog, enter the fourth octet of the blocked host as the host name, enter an IP address of 127.0.0.1, and click Add Host. Click OK to dismiss the confirmation dialog.
  14. If you want to add additional hosts in the same IP address range as the current host, repeat step 13 for each host you want to add. Click Done when you've added all of the hosts in the current subdomain.
  15. Create additional subdomains and hosts as necessary to include all of the IP addresses on your block list.
  16. Create an Exchange connection filter that uses your new DNS block list for spam filtering.

Discussion:

The idea behind DNSBLs is simple: when your server gets an inbound piece of mail, it can query a DNSBL server for the IP address of the sending server. If the IP address belongs to a known spammer, to an address block reserved for dial-up users, or to some other range of IPs from which legitimate mail is unlikely to originate, the DNSBL server will return an address; if the IP address isn't on the list, the query will fail. Based on this go/no-go indication, Exchange can then decide whether to drop the connection or to accept the message.


There are several popular and well-maintained DNSBL services such as SpamHaus and SpamCop. Most mail administrators who use DNSBLs use third-party lists, although those at larger sites will often download the zone data and run it on a local nameserver. You are free to create and maintain your own list if you prefer. This gives you a greater degree of control over the contents of the DNSBL, since some third-party services use rather relaxed standards to decide who is spamming. DNSBLs by themselves aren't a complete anti-spam solution, especially given that a large percentage of current spam is sent by hijacked Windows machines connected to various ISPs; their IP addresses don't fall into a contiguous block, and there's little value in banning hundreds or thousands of individual client IPs. DNSBLs are instead useful as an additional protective layer to be relied on after other measures.



Managing a large amount of blocklist data through the GUI can quickly become cumbersome, especially if it changes on a frequent basis. You may want to look into other methods of managing DNS data: direct import of DNS zone files; use of the dnscmd.exe utility to programmatically update data in DNS zones; or using the MicrosoftDNS_Server, MicrosoftDNS_Zone, and MicrosoftDNS_ResourceRecord WMI classes.
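One way to script what the previous paragraph suggests, as an added example that is not part of the original post: a small Python script that turns a list of IP addresses into the dnscmd.exe commands equivalent to steps 3 through 13 of the GUI procedure, and emulates the reversed-octet lookup that the Exchange connection filter performs against the zone. The zone name dnsbl.example.local and the listed addresses are constructed placeholders.

```python
import ipaddress

# Added example (not from the original post): build the same records the GUI
# steps above create by hand, emit them as dnscmd.exe commands, and emulate the
# lookup that an Exchange connection filter performs against the zone.
# The zone name and the listed addresses below are constructed for illustration.

ZONE = "dnsbl.example.local"                          # assumed name from step 6
LISTED_IPS = ["1.2.3.4", "1.2.3.9", "198.51.100.7"]    # constructed block list


def reversed_label(ip: str) -> str:
    """Relative name under the zone: 1.2.3.4 -> 4.3.2.1.

    Steps 9 to 13 build exactly this hierarchy (domain 1, subdomain 2,
    subdomain 3, host 4), so the record's FQDN is 4.3.2.1.<zone>.
    """
    addr = ipaddress.IPv4Address(ip)   # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Fully qualified name the mail server looks up for a sending IP."""
    return f"{reversed_label(ip)}.{zone}"


def dnscmd_commands(ips, zone: str = ZONE):
    """dnscmd.exe lines equivalent to steps 3 to 13 of the GUI procedure."""
    cmds = [
        f"dnscmd /ZoneAdd {zone} /Primary /file {zone}.dns",   # steps 3-8
        f"dnscmd /Config {zone} /AllowUpdate 0",               # step 7
    ]
    for ip in ips:
        # /RecordAdd creates the intermediate 1 / 2.1 / 3.2.1 nodes as needed
        cmds.append(f"dnscmd /RecordAdd {zone} {reversed_label(ip)} A 127.0.0.1")
    return cmds


def build_zone(ips, zone: str = ZONE):
    """In-memory copy of the zone's A records, keyed by FQDN."""
    return {dnsbl_name(ip, zone): "127.0.0.1" for ip in ips}


def is_listed(records, sender_ip: str, zone: str = ZONE) -> bool:
    """Emulate the connection filter: any answer means block, NXDOMAIN means allow."""
    return dnsbl_name(sender_ip, zone) in records


if __name__ == "__main__":
    print("\n".join(dnscmd_commands(LISTED_IPS)))
    zone = build_zone(LISTED_IPS)
    for ip in ("1.2.3.4", "1.2.3.5"):
        print(ip, "blocked" if is_listed(zone, ip) else "allowed")
```

Run the printed commands on the DNS server as an administrator; the emulated lookup is only there to show why the octets must be reversed when the zone is built.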
