Monitor DNS blacklist entries with Zabbix

One of the smaller projects I’ve been working on lately is monitoring Realtime DNS Blacklists (RBL’s) status with Zabbix. I’m confident most of you are already familiar with RBL’s. For those who are not, here’s a small introduction shamelessly stolen from Wikipedia:

A DNSBL (DNS-based Blackhole List, Block List, or Blacklist; see below) is a list of IP addresses published through the Internet Domain Name Service in a particular format. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

And that’s exactly what we’re going to monitor. If we are listed on one of those RBL’s we’d like to know about it, wouldn’t we?

Let’s get to it then. First of all we need an up to date list of RBL’s which we can use to check whether we’re listed or not. You could try the list I’m maintaining and using for my own monitoring purposes. The most recent version can be found here. It contains a whopping 92 RBL’s to get you started with.

Now that we have an up-to-date list of commonly used RBL’s it’s time for some shell scripting:

#!/bin/bash

## TomDV
## 2010-01-25
## http://blog.penumbra.be/2010/02/zabbix-monitor-dns-blacklists/

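# Abort if the directory is missing rather than reading a list from elsewhere
cd /usr/share/zabbix/ || exit 1
RBL=$(cat rbl_list.txt)

# Split the IPv4 address passed as ${1} into its four octets
W=$( echo "${1}" | cut -d. -f1 )
X=$( echo "${1}" | cut -d. -f2 )
Y=$( echo "${1}" | cut -d. -f3 )
Z=$( echo "${1}" | cut -d. -f4 )

# Number of blacklists that list the address
STATUS=0

for i in $RBL
do
    # DNSBL query name: the octets in reverse order, followed by the list's zone.
    # host exits 0 only when an A record exists, which means the address is listed.
    RESULT=$( host -t a "$Z.$Y.$X.$W.$i" 2>&1 )
    if [ $? -eq 0 ]
    then
        #printf 'The IP ADDRESS %s is listed at %s:\n%s\n' "${1}" "$i" "$RESULT" ## DEBUG
        STATUS=$((STATUS + 1))
    fi
    #echo "$RESULT" ## DEBUG
done

# 0 means not listed; any other value is the number of lists that returned a record
echo "$STATUS"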

This script takes the IP address of your server as input.

I’ve intentionally left the debug code inside the script, commented out. This way the output can be used right away within Zabbix. However, if you’re listed on one of the blacklists you can run the script with the debug code uncommented and you get a list of all the RBL’s you’re listed in.

I’ve put this script in /usr/share/zabbix, along with the rbl_list.txt file you can find above.

# cat /etc/zabbix/zabbix_agent.d/rbl.conf
UserParameter=rbl.mx1,/usr/share/zabbix/zabbix-rbl.sh 1.2.3.4
UserParameter=rbl.mx2,/usr/share/zabbix/zabbix-rbl.sh 5.6.7.8

I also have the following line in /etc/zabbix/zabbix_agentd.conf and /etc/zabbix/zabbix_agent.conf to load custom config files:

Include=/etc/zabbix/zabbix_agent.d/

And that’s about it. Let’s see if we’re listed in any of the RBL’s:

# zabbix_agent -t rbl.mx1; zabbix_agent -t rbl.mx2;
rbl.mx1                                    [t|0]
rbl.mx2                                    [t|0]

Any value above zero means you’re listed. I guess we’re safe.
If you’re listed just uncomment the debug code. It will show you which RBL’s you’re in.
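
The following is an added example, not part of the original post or its script: a stricter take on the same lookup in POSIX sh, with hypothetical function names. It rejects input that is not an IPv4 address (the script above turns a hostname into malformed query names and then prints 0), and it counts an answer as a listing only when it falls in 127.0.0.0/8 outside 127.255.255.x, the range Spamhaus uses for error codes rather than listings.

```shell
#!/bin/sh
# Added example, not the original zabbix-rbl.sh; function names are hypothetical.
# Print the reversed octets of a dotted-quad IPv4 address (1.2.3.4 -> 4.3.2.1).
# Returns 1 for anything else, such as a hostname.
reverse_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo "$4.$3.$2.$1"
}

# Classify one A record returned by a DNSBL:
#   error   = 127.255.255.x (Spamhaus error codes, not listings)
#   listed  = any other address in 127.0.0.0/8, the conventional listing range
#   invalid = everything else (wildcard DNS, rewritten NXDOMAIN, parked zone)
classify_answer() {
    case "$1" in
        127.255.255.*) echo error ;;
        127.*)         echo listed ;;
        *)             echo invalid ;;
    esac
}

# Resolve a name to its A records, one per line, with host as in the script above.
lookup_a() {
    host -t a "$1" 2>/dev/null </dev/null | awk '/has address/ { print $NF }'
}

# Print how many zones in list file $2 list IPv4 address $1.
# On bad input print nothing to stdout and return 2, so it cannot pass for a clean 0.
count_listings() {
    reversed=$(reverse_ipv4 "$1") || { echo "not an IPv4 address: $1" >&2; return 2; }
    [ -r "$2" ] || { echo "cannot read list file: $2" >&2; return 2; }
    listed=0
    while read -r zone; do
        [ -n "$zone" ] || continue
        for answer in $(lookup_a "$reversed.$zone"); do
            if [ "$(classify_answer "$answer")" = listed ]; then
                listed=$((listed + 1)); break
            fi
        done
    done < "$2"
    echo "$listed"
}

if [ $# -eq 2 ]; then count_listings "$1" "$2"; fi
```

Run it with the address and the path to rbl_list.txt as its two arguments.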

Happy monitoring! 🙂

4 Comments

  1. Andrea

    great post!

    I currently use zabbix to monitor a really large environment (more than 320 servers)

    I’ve found a wonderful plugin that is more than a plugin; the other monitoring systems don’t have anything similar, and nothing that goes inside Oracle so deeply.

    In the hope that someone finds my comment useful

    http://www.smartmarmot.com

    here you are going to find Orabbix opensource and released under GPL3

  2. Oscar Mas

    When I launch the script in debug mode it shows:

    host: ‘.com.cadinor.mail.wormrbl.imp.ch’ is not a legal name (empty label)
    host: ‘.com.cadinor.mail.xbl.spamhaus.org’ is not a legal name (empty label)
    host: ‘.com.cadinor.mail.zen.spamhaus.org’ is not a legal name (empty label)
    host: ‘.com.cadinor.mail.zombie.dnsbl.sorbs.net’ is not a legal name (empty label)
    0

    Which is the problem?

  3. Oscar Mas

    Stupid question, I can use name DNS, the script uses IP.

  4. jumia

    I am using DNS Blacklist monitor software from http://www.blmonitor.net/

    which is powerful and easy

    Regards
