8.4 DNS Blacklisting
VolanoChat supports two types of DNS-based blacklists (DNSBLs): one for denying access to externally open proxy servers and the other for detecting dynamically assigned Internet Protocol (IP) addresses, such as those used for most dial-up accounts. This functionality uses the standard DNS name resolution protocol in a specialized way: the chat server sends an ordinary DNS query to a third-party blacklist and interprets the response it receives.
Open proxies make a chat connection on behalf of the client, allowing the client to mask its true IP address. Usually a person does this when planning to cause trouble on your chat server and not wanting to be found.
The list of blacklists defined by dnslist.denied is checked for each connecting client. If the host address is found in one of the blacklists, the client is denied access.
The VolanoChat server can attempt to identify whether a user is connecting via a dial-up account or with a static IP address by using special dial-up blacklists. The list of blacklists defined by dnslist.dynamic is checked when a monitor bans an address from the server. If the host address is on one of the blacklists, it is determined to be a dynamic IP address, and the dynamic and network block settings for the ban control apply. Otherwise the host is assumed to be using a static IP address and only that address is banned. This control prevents dial-up users from dropping the connection and connecting a few seconds later to continue their behavior. It has the side effect, though, of also banning any other users connecting from that dial-up service, so the ban duration should be kept relatively short. By default the dial-up ban duration is set to one hour.
The DNS blacklists are separated by white space and have the format zone:response, where the zone part is required and the :response part is optional. If no response is specified for a blacklist, any response from the DNS query indicates that the address is on the list. Otherwise, only the specified response indicates that the address is on the list.
The defaults are:
Some examples are:
dnslist.denied=opm.blitzed.org relays.osirusoft.com:127.0.0.9
dnslist.dynamic=dynablock.wirehub.net:127.0.0.2
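The following is an added example, not VolanoChat's own code, showing how a server can evaluate these settings: each entry is parsed into a zone and optional response, the client's IPv4 address is reversed and prefixed to the zone to form the DNSBL query name, and the answer is compared against the configured response (or any answer accepted when none is configured). The resolver here is a constructed in-memory stand-in for live DNS, and the 10.0.0.x addresses and their answers are made up for the demonstration.

```python
import ipaddress

def parse_dnslist(setting):
    """Split a whitespace-separated dnslist.* value into (zone, response) pairs;
    response is None when the optional :response part is absent."""
    entries = []
    for item in setting.split():
        zone, sep, response = item.partition(":")
        if not zone or (sep and not response):   # "zone:" is treated as malformed
            raise ValueError(f"malformed blacklist entry: {item!r}")
        entries.append((zone, response if sep else None))
    return entries

def dnsbl_query_name(address, zone):
    """Standard DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(address)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed_on(address, entries, resolve):
    """Entries that list the address. Any A record counts when no response
    is configured; otherwise only the configured response does."""
    hits = []
    for zone, expected in entries:
        answers = resolve(dnsbl_query_name(address, zone))
        if answers and (expected is None or expected in answers):
            hits.append(zone if expected is None else f"{zone}:{expected}")
    return hits

# Constructed answers standing in for live DNS so the example runs offline.
FAKE_ANSWERS = {
    "2.0.0.10.opm.blitzed.org": ["127.0.0.2"],
    "3.0.0.10.relays.osirusoft.com": ["127.0.0.9"],  # the configured proxy code
    "4.0.0.10.relays.osirusoft.com": ["127.0.0.3"],  # a different code: no hit
    "4.0.0.10.dynablock.wirehub.net": ["127.0.0.2"],
}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])

DENIED = parse_dnslist("opm.blitzed.org relays.osirusoft.com:127.0.0.9")
DYNAMIC = parse_dnslist("dynablock.wirehub.net:127.0.0.2")

def should_deny(address, resolve=fake_resolve):
    return bool(listed_on(address, DENIED, resolve))

def is_dynamic(address, resolve=fake_resolve):
    return bool(listed_on(address, DYNAMIC, resolve))
```

For a live check, pass a resolver such as `lambda name: socket.gethostbyname_ex(name)[2]` wrapped to return an empty list on `socket.gaierror`, since an NXDOMAIN answer means the address is not listed.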
When checked against the 3,370 unique hosts connecting to the VolanoChat demo server on February 20, 2002, the following results were returned. For the open proxy check, only two addresses were detected among both DNS blacklists:
opm.blitzed.org                  18.104.22.168
                                 22.214.171.124
relays.osirusoft.com:127.0.0.9   126.96.36.199
For the dynamic IP address check, 1,170 out of the 3,370 addresses (53 percent) were detected as dynamic when all six lists were used:
DNS Blacklist                         Detected as Dynamic
------------------------------------  -------------------
dynablock.wirehub.net:127.0.0.2       1199  36%
blackholes.five-ten-sg.com:127.0.0.3  1047  31%
no-more-funn.moensted.dk:127.0.0.3     703  21%
dnsbl.njabl.org:127.0.0.3              634  19%
spamguard.leadmon.net:127.0.0.2        448  13%
relays.osirusoft.com:127.0.0.3         422  13%

Top list (dynablock.wirehub.net)      1199  36%
Top 2 lists combined                  1647  49%  (+ 13%)
Top 3 lists combined                  1719  51%  (+ 2%)
Top 4 lists combined                  1742  52%  (+ 1%)
Top 5 lists combined                  1752  52%  (+ 0%)
All 6 lists combined                  1770  53%  (+ 1%)
Keep in mind that the blacklists defined by dnslist.denied are checked each time someone connects to your VolanoChat server. Since each DNS lookup may take a few seconds, keep this list to a minimum, because every entry adds to the time it takes each visitor to connect. The blacklists defined by dnslist.dynamic, on the other hand, are used only when a monitor bans a visitor.