On 15/10/2021 23:22, Paul Gregg via mailop wrote:
> On 10/4/21 18:52, Leandro Santiago via mailop wrote:
>> Hi list,
>>
>> How feasible do you folks think having a DNSBL server that accepts only connections from a group of IPs is? By that I mean that the server will accept (UDP) DNS requests from an "allow list", refusing requests from anyone else (basically answering "nothing" to any DNS question from other IP addresses). I am using the IP from the UDP request packet to perform the "authentication".
>>
>> This is for a DNSBL which is not supposed to be public, although the DNS server is accessible publicly on the internet.
>>
>> I want to keep the DNSBL "spec", so for a request:
>>
>>   A 44.33.22.11.myserver.example.com.
>>
>> I'll answer, in case 11.22.33.44 is "blocklisted":
>>
>>   A 127.0.0.2
>
> Sorry for the late reply. The trick to this is not to limit by IP address - but to implement service (API) keys. e.g. each authorised user is given a key e.g. sj3Fa3Gomd937Z12
>
> Then they make queries for 44.33.22.11.sj3Fa3Gomd937Z12.myserver.example.com.
>
> That way you don't care what IP it comes from, but you know who it is.
Nice trick. :)

Unfortunately, it seems that it would require modifications to e.g. postfix, or other software, in order to add that identifying string to the DNS query. Still an idea to keep in mind. Because of how DNS works, the source IP address isn't available anyway in a usual, unmodified postfix DNS query.
Cheers, Nico
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
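The key-in-the-label scheme Paul describes, combined with the 127.0.0.2 answer convention from Leandro's original question, as an added worked example that is not code from anyone on the thread. It is the decision logic a private DNSBL server would run per query, independent of which DNS server software fronts it: split the query name into the reversed IPv4 octets and the key label, match the key against the issued keys, then answer as a DNSBL would. The zone name, the blocklist contents, the second key and the owner names are constructed for the example; the first key is the one from Paul's message. Two points the thread does not spell out are handled here: DNS names are case-insensitive (a resolver may fold the case of the key label), so keys are compared case-insensitively and issued from lowercase alphanumerics only; and an unknown key gets exactly the same answer as a not-listed IP, so the server does not act as an oracle for which keys are valid.

```python
"""Decision logic for a private DNSBL keyed by a per-client DNS label.

Added example, not code from the mailop thread or from any DNSBL project.
The zone, blocklist, second key and owner names below are constructed.
"""
import hmac
import ipaddress
import secrets
import string

ZONE = "myserver.example.com"   # zone suffix used in the thread (assumed)
LISTED_ANSWER = "127.0.0.2"     # the usual DNSBL "listed" A record

# Constructed: keys issued to authorised users, key -> owner (for logging).
# First key is the one quoted in Paul's message; the second is made up.
AUTHORISED_KEYS = {
    "sj3Fa3Gomd937Z12": "example-client-a",
    "q9xl0pb3tm8azkvr": "example-client-b",
}

# Constructed blocklist for the example.
BLOCKLIST = {
    ipaddress.ip_address("11.22.33.44"),
    ipaddress.ip_address("198.51.100.7"),
}

KEY_ALPHABET = string.ascii_lowercase + string.digits


def new_key(length: int = 20) -> str:
    """Issue a fresh key label from lowercase alphanumerics only.

    DNS labels are case-insensitive, so mixed-case keys gain no entropy
    and may be case-folded by resolvers before they reach the server.
    """
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def parse_query(qname: str):
    """Split '44.33.22.11.<key>.myserver.example.com' into (ip, key).

    Returns None when the name is not of that exact shape.
    """
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 5:            # four reversed octets + one key label
        return None
    try:
        ip = ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None
    if not isinstance(ip, ipaddress.IPv4Address):
        return None
    return ip, labels[4]


def lookup_key(key: str):
    """Return the owner of a key label, or None if it was not issued.

    Compared case-insensitively (DNS folds case) and in constant time
    over the whole key set, without an early exit on the first match.
    """
    wanted = key.lower().encode()
    owner = None
    for issued, who in AUTHORISED_KEYS.items():
        if hmac.compare_digest(issued.lower().encode(), wanted):
            owner = who
    return owner


def answer(qname: str):
    """Return (rcode, owner, rdata) for one DNSBL A query.

    NOERROR/127.0.0.2 when the key is valid and the IP is listed;
    NXDOMAIN otherwise. A malformed name or an unknown key is answered
    exactly like a not-listed IP, so the response does not reveal
    which keys exist.
    """
    parsed = parse_query(qname)
    if parsed is None:
        return "NXDOMAIN", None, None
    ip, key = parsed
    owner = lookup_key(key)
    if owner is None:
        return "NXDOMAIN", None, None
    if ip in BLOCKLIST:
        return "NOERROR", owner, LISTED_ANSWER
    return "NXDOMAIN", owner, None


if __name__ == "__main__":
    for q in (
        "44.33.22.11.sj3Fa3Gomd937Z12.myserver.example.com.",
        "44.33.22.11.SJ3FA3GOMD937Z12.myserver.example.com",   # case-folded
        "1.0.0.127.sj3Fa3Gomd937Z12.myserver.example.com",
        "44.33.22.11.notakey.myserver.example.com",
        "44.33.22.11.myserver.example.com",                    # no key label
    ):
        print(q, "->", answer(q))
```

The owner returned alongside the rcode is what makes the scheme useful beyond access control: it tells you which client made the query, which a source-IP allow list cannot do once queries pass through a shared or forwarding resolver. The key travels in cleartext through every resolver cache and query log on the path, so treat it as a revocable per-client credential rather than a secret that can never leak.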