Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Warren Kumari <warren@kumari.net> Sun, 01 January 2017 00:32 UTC

References: <20161229040637.GA26031@odin.ulthar.us> <20161229054559.31443.qmail@ary.lan> <20161231202731.GX13486@mournblade.imrryr.org> <5932AEFF-E099-4175-A4FB-B1D7418028FF@fugue.com> <CAHw9_iKgHLyD9u2jtUGwLu73yUGQQ7JSfXJw72V8pgyvmDw4jw@mail.gmail.com> <20170101000636.GA15754@jurassic>
In-Reply-To: <20170101000636.GA15754@jurassic>
From: Warren Kumari <warren@kumari.net>
Date: Sun, 01 Jan 2017 00:31:46 +0000
Message-ID: <CAHw9_i+duoa8ZnPzgS20vWGPo0N1KyG_rogWHuTm2xuxa2Qktg@mail.gmail.com>
To: Mukund Sivaraman <muks@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ANh2h1hMVc6d3GZ9y-Htecey2aQ>
Cc: dnsop <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

On Sat, Dec 31, 2016 at 7:06 PM Mukund Sivaraman <muks@isc.org> wrote:

> On Sat, Dec 31, 2016 at 11:32:02PM +0000, Warren Kumari wrote:
> > P.S / full-disclosure: I happen to use RPZ, and have for a number of years
> > -- I run a number of (personal) mailing lists on my own mailserver, and use
> > a number of RPZ feeds (e.g Spamhaus' DBL) for spam mitigation.
>
> Are you thinking of DNSBL instead of RPZ?
>

Nope.
This is an older page, but has more readable information:
https://www.spamhaus.org/news/article/669/spamhaus-dbl-as-a-response-policy-zone-rpz
More info:
https://www.spamhaustech.com/protecting-networks/security-solutions/dns-rpz/rpz-zone-transfer/


root@vimes:/etc/namedb/rpz# wc -l ~/tmp/rpz.spamhaus.org.text
3316563 /home/wkumari/tmp/rpz.spamhaus.org.text

This contains things like:
smalbany.academy.rpz.spamhaus.org.            300 IN CNAME      .
*.smalbany.academy.rpz.spamhaus.org.          300 IN CNAME      .

My named.conf contains:
   response-policy {
       # Rewrite all responses to blackhole.ne-where.com, which is 127.0.0.2
       zone "rpz.spamhaus.org" policy CNAME blackhole.ne-where.com;
   };

and then I have a postfix access file:
root@vimes:/etc/postfix# more access
# REMEMBER: Run  postmap hash:/etc/postfix/access to rebuild this.
#
# THIS FILE MANAGED BY PUPPET!

192.0.2.1   REJECT This domain is listed in an RPZ zone.
127.0.0.200   REJECT This domain is listed in an RPZ zone.


(yup, the comments are wrong...)
This has been working nicely for me with (so far) no false positives.
Because I have the RPZ zone locally I'm not leaking private info by doing
DBL lookups, it is nice and fast, etc...
It cut down on my sysadmin work drastically, and I ended up disabling
spamassassin because it wasn't needed any more...

W


>
>                 Mukund
>
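The pieces quoted in the message (DBL records of the form `name.rpz.spamhaus.org. CNAME .`, the `policy CNAME blackhole.ne-where.com` override in named.conf, and an access map keyed on the blackhole address) only make sense together, so here is an added example, not code from the message, from BIND or from Spamhaus, that emulates the RPZ QNAME trigger end to end. It assumes the zone lines beyond the two quoted, the address 127.0.0.200 for blackhole.ne-where.com (taken from the access map, since the message says its own comment is wrong), and a postfix restriction that resolves the sender's domain through the RPZ-enabled resolver and looks the resulting address up in the access map (the message shows the map but not which restriction consumes it). It goes a little beyond the message by handling the other RPZ actions (`CNAME *.`, `rpz-passthru.`, local data) and the wildcard boundary cases.

```python
"""Emulate an RPZ QNAME trigger: zone records -> matched action ->
named.conf policy override -> address the client sees -> postfix verdict.
Added example, not code from the message, BIND or Spamhaus; everything
marked 'constructed' or 'assumed' below is not from the original page."""

from dataclasses import dataclass
from typing import Optional

# RPZ "special" CNAME targets and the action each encodes (draft-vixie-dns-rpz).
SPECIAL_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

# Constructed zone text in the shape of the DBL export quoted in the message.
# The first two lines are the quoted ones; the rest exercise the other actions.
SAMPLE_ZONE = """\
smalbany.academy.rpz.spamhaus.org.            300 IN CNAME      .
*.smalbany.academy.rpz.spamhaus.org.          300 IN CNAME      .
sinkhole.example.rpz.spamhaus.org.            300 IN A          192.0.2.1
*.sinkhole.example.rpz.spamhaus.org.          300 IN A          192.0.2.1
allowed.example.rpz.spamhaus.org.             300 IN CNAME      rpz-passthru.
"""

# Assumed: what blackhole.ne-where.com resolves to (the message's access map
# lists 127.0.0.200; the message's own named.conf comment says 127.0.0.2).
LOCAL_A = {"blackhole.ne-where.com": "127.0.0.200"}

# The two REJECT lines of the access map quoted in the message.
ACCESS_MAP_TEXT = """\
192.0.2.1     REJECT This domain is listed in an RPZ zone.
127.0.0.200   REJECT This domain is listed in an RPZ zone.
"""


@dataclass(frozen=True)
class Action:
    kind: str                   # NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-ONLY, CNAME, LOCAL
    data: Optional[str] = None  # CNAME target, or "TYPE rdata" for local data


def parse_rpz_zone(text: str, origin: str) -> dict:
    """Map (trigger, is_wildcard) -> Action for the QNAME rules of an RPZ zone."""
    suffix = "." + origin.strip(".").lower() + "."
    rules = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop zone-file comments
        if not fields:
            continue
        owner = fields[0].lower()
        if not owner.endswith(suffix):
            raise ValueError(f"owner {owner} is outside zone {origin}")
        rest = fields[1:]
        if rest and rest[0].isdigit():             # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        trigger = owner[: -len(suffix)]            # owner relative to the zone
        wildcard = trigger.startswith("*.")
        if wildcard:
            trigger = trigger[2:]
        if rtype == "CNAME":
            kind = SPECIAL_ACTIONS.get(rdata.lower())
            act = Action(kind) if kind else Action("CNAME", rdata.rstrip(".").lower())
        else:
            act = Action("LOCAL", f"{rtype} {rdata}")
        rules[(trigger, wildcard)] = act
    return rules


def match_qname(rules: dict, qname: str) -> Optional[Action]:
    """Exact owner wins; else the longest wildcard ancestor. '*.x' matches names
    below x, not x itself, and never matches on a partial label ('notx')."""
    name = qname.strip(".").lower()
    if (name, False) in rules:
        return rules[(name, False)]
    labels = name.split(".")
    for i in range(1, len(labels)):                # proper ancestors, longest first
        ancestor = ".".join(labels[i:])
        if (ancestor, True) in rules:
            return rules[(ancestor, True)]
    return None


def apply_policy(action: Optional[Action], policy: str = "given",
                 cname_target: Optional[str] = None) -> Optional[Action]:
    """named.conf 'policy' keyword: 'given' keeps each record's own action; any
    other value replaces it. The message uses 'policy CNAME blackhole.ne-where.com'."""
    if action is None or policy == "given":
        return action
    if policy == "cname":
        return Action("CNAME", cname_target.rstrip(".").lower())
    return Action(policy.upper())


def resolve_a(rules: dict, qname: str, policy: str = "given",
              cname_target: Optional[str] = None) -> str:
    """Address a client of the RPZ-enabled resolver gets for qname, or a status."""
    act = apply_policy(match_qname(rules, qname), policy, cname_target)
    if act is None or act.kind == "PASSTHRU":
        return LOCAL_A.get(qname.strip(".").lower(), "UPSTREAM")  # normal recursion
    if act.kind == "CNAME":
        return LOCAL_A.get(act.data, "UPSTREAM")   # client chases the rewritten CNAME
    if act.kind == "LOCAL":
        rtype, rdata = act.data.split(" ", 1)
        return rdata if rtype == "A" else "NODATA"
    return act.kind                                 # NXDOMAIN, NODATA, DROP, TCP-ONLY


def parse_access(text: str) -> dict:
    """Postfix access map: key -> verdict text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, verdict = line.split(None, 1)
            table[key] = verdict
    return table


def postfix_verdict(rules: dict, access: dict, domain: str) -> str:
    """Assumed restriction: resolve the sender domain via the RPZ resolver with
    the message's CNAME override, then look the address up in the access map."""
    addr = resolve_a(rules, domain, policy="cname", cname_target="blackhole.ne-where.com")
    return access.get(addr, "OK")


if __name__ == "__main__":
    rules = parse_rpz_zone(SAMPLE_ZONE, "rpz.spamhaus.org")
    access = parse_access(ACCESS_MAP_TEXT)
    for d in ("mail.smalbany.academy", "notsmalbany.academy", "allowed.example"):
        print(d, "->", resolve_a(rules, d), "/", postfix_verdict(rules, access, d))
```

With `policy given` the quoted DBL records make `smalbany.academy` and everything below it NXDOMAIN; with the message's `policy CNAME blackhole.ne-where.com` the same matches instead resolve to the blackhole address, which is what lets a plain address-keyed access map act as the spam filter. Note that the wildcard record is what catches subdomains: the exact `smalbany.academy` record alone would not rewrite `mail.smalbany.academy`.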