On Wed, Oct 06, 2021 at 10:22:11AM +0200, Leandro Santiago via mailop wrote:
> Thank you all who shared their knowledge.
> 
> We decided, on our solution, to go away from the DNSBL approach which has
> way too many caveats and are now experimenting with solutions on a higher
> level on the network stack.
> 
> On 10/4/21 18:52, Leandro Santiago via mailop wrote:
> > Hi list,
> > 
> > How feasible do you folks think having a DNSBL server that accepts only
> > connections from a group of IPs is?
> > 
> > By that I mean that the server will accept (UDP) DNS requests from an
> > "allow list", refusing requests from anyone else (basically answering
> > "nothing" from any dns question from other IP addresses). I am using the
> > IP from the UDP request packet to perform the "authentication".
> > 
> > This is for a DNSBL which is not supposed to be public, although the DNS
> > server is accessible publicly on the internet. I want to keep the DNSBL
> > "spec", so for a request:
> > 
> > A 44.33.22.11.myserver.example.com.
> > 
> > I'll answer, in case 11.22.33.44 is "blocklisted":
> > 
> > A 127.0.0.2

Sorry for the late reply.

The trick to this is not to limit by IP address - but to implement
service (API) keys.

e.g. each authorised user is given a key e.g. sj3Fa3Gomd937Z12

Then they make queries for 44.33.22.11.sj3Fa3Gomd937Z12.myserver.example.com.

That way you don't care what IP it comes from, but you know who it is.

PG
Sent via Proofpoint Essentials https://proofpointessentials.co.uk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop