Hi list,

How feasible do you folks think having a DNSBL server that accepts only connections from a group of IPs is?

By that I mean that the server will accept (UDP) DNS requests from an "allow list", refusing requests from anyone else (basically answering "nothing" from any dns question from other IP addresses). I am using the IP from the UDP request packet to perform the "authentication".

This is for a DNSBL which is not supposed to be public, although the DNS server is accessible publicly on the internet. I want to keep the DNSBL "spec", so for a request:

A 44.33.22.11.myserver.example.com.

I'll answer, in case 11.22.33.44 is "blocklisted":

A 127.0.0.2

Or no answer at all in case 11.22.33.44 is not listed, or the request was refused.

The issue I believe I'll find (if I understood DNS properly) is that when my client makes the request, it'll hop through several DNS servers (first, operating system's cache, a router, ISP and so on...) so that the final request to my DNS server will be done by some DNS server in the middle, meaning my initial IP address will be lost in the way.

Would it be possible to make it work without telling my client to use `example.com` as nameserver?

I don't mind if my client caches requests, as I plan to use reasonable TTL to make sure the requests are valid.

I was thinking of adding my DNS server IP as a `NS` record for `example.com.`, but I confess I have not understood the DNS protocol well enough to try it.

I am limited to using DNS over UDP (instead of fancy things such as DNS over HTTPS) as my clients are mostly Postfix instances, and so far it supports only plain UDP DNS lookup.

I suspect the whole idea is just not feasible, but I wanted some second opinion from someone who has more knowledge about it or who has implemented something similar.

PS: I am not using bind or any other off-the-shelf solution, but instead a custom DNS server implementation powered by go-dns, the same library used by PowerDNS.

--
Regards,

Leandro Santiago
Software Craftsman at Lightmeter
https://lightmeter.io
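An added example (not the poster's code, and using only the Go standard library rather than go-dns) of the answer logic the post describes: a query of the form `d.c.b.a.<zone>` is mapped back to the address `a.b.c.d`, and an answer is produced only when the UDP source is on the allow-list and the address is listed. As the post notes, that source will be the last recursive resolver rather than the original client, so the allow-list has to hold resolver addresses. The zone name, allow-list and blocklist entries are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Hypothetical DNSBL zone from the post's example query.
const zone = "myserver.example.com."

// Constructed allow-list of UDP source addresses permitted to query. Behind a
// recursive resolver that source is the resolver, not the original client.
var allowList = map[string]bool{"192.0.2.53": true}

// Constructed blocklist of listed IPv4 addresses.
var blocklist = map[string]bool{"11.22.33.44": true}

// queriedAddr turns "d.c.b.a.<zone>" back into the dotted address a.b.c.d.
func queriedAddr(qname string) (string, bool) {
	q := strings.ToLower(qname)
	if !strings.HasSuffix(q, "."+zone) {
		return "", false
	}
	labels := strings.Split(strings.TrimSuffix(q, "."+zone), ".")
	if len(labels) != 4 {
		return "", false
	}
	for i, j := 0, 3; i < j; i, j = i+1, j-1 {
		labels[i], labels[j] = labels[j], labels[i]
	}
	ip := net.ParseIP(strings.Join(labels, ".")).To4()
	if ip == nil {
		return "", false
	}
	return ip.String(), true
}

// Answer returns the A record to send ("127.0.0.2") or "" for no answer;
// "" covers both "not listed" and "source not on the allow-list".
func Answer(src, qname string) string {
	if !allowList[src] {
		return ""
	}
	if ip, ok := queriedAddr(qname); ok && blocklist[ip] {
		return "127.0.0.2"
	}
	return ""
}
func main() { fmt.Println(Answer("192.0.2.53", "44.33.22.11."+zone)) }
```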


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
