Monitor DNS blacklist entries with Zabbix

One of the smaller projects I’ve been working on lately is monitoring the status of Realtime DNS Blacklists (RBLs) with Zabbix. I’m confident most of you are already familiar with RBLs. For those who are not, here’s a small introduction shamelessly stolen from Wikipedia:

A DNSBL (DNS-based Blackhole List, Block List, or Blacklist; see below) is a list of IP addresses published through the Internet Domain Name Service in a particular format. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

And that’s exactly what we’re going to monitor. If we are listed on one of those RBLs, we’d like to know about it, wouldn’t we?

Let’s get to it then. First of all we need an up-to-date list of RBLs which we can use to check whether we’re listed or not. You could try the list I’m maintaining and using for my own monitoring purposes. The most recent version can be found here. It contains a whopping 92 RBLs to get you started.

Now that we have an up-to-date list of commonly used RBLs, it’s time for some shell scripting:

#!/bin/bash

## TomDV
## 2010-01-25
## http://blog.penumbra.be/2010/02/zabbix-monitor-dns-blacklists/

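# Directory holding rbl_list.txt (one RBL zone per line)
cd /usr/share/zabbix/ || exit 1
RBL="$(cat rbl_list.txt)"

# Split the IPv4 address passed as $1 into its four octets
W=$( echo "${1}" | cut -d. -f1 )
X=$( echo "${1}" | cut -d. -f2 )
Y=$( echo "${1}" | cut -d. -f3 )
Z=$( echo "${1}" | cut -d. -f4 )

STATUS=0

# DNSBL lookup: reverse the octets, append the RBL zone, ask for an A record
for i in $RBL
do
    RESULT=$( host -t a "$Z.$Y.$X.$W.$i" 2>&1 )
    # host exits 0 when the lookup succeeds, which is counted as a listing
    if [ $? -eq 0 ]
    then
        #printf 'The IP ADDRESS %s is listed at %s:\n%s\n' "${1}" "$i" "$RESULT" ## DEBUG
        let "STATUS += 1"
    fi
    #echo "$RESULT" ## DEBUG
done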

if [ $STATUS -lt 1 ]
then
    echo 0
else
    echo $STATUS
fi

This script takes the IP address of your server as input.

I’ve intentionally left the debug code in the script, commented out, so the output can be used right away within Zabbix. If you’re listed on one of the blacklists, run the script with the debug code uncommented to get a list of all the RBLs you’re listed in.

I’ve put this script in /usr/share/zabbix, along with the rbl_list.txt file you can find above.

# cat /etc/zabbix/zabbix_agent.d/rbl.conf
UserParameter=rbl.mx1,/usr/share/zabbix/zabbix-rbl.sh 1.2.3.4
UserParameter=rbl.mx2,/usr/share/zabbix/zabbix-rbl.sh 5.6.7.8

I also have the following line in /etc/zabbix/zabbix_agentd.conf and /etc/zabbix/zabbix_agent.conf to load custom config files:

Include=/etc/zabbix/zabbix_agent.d/

And that’s about it. Let’s see if we’re listed in any of the RBLs:

# zabbix_agent -t rbl.mx1; zabbix_agent -t rbl.mx2;
rbl.mx1                                    [t|0]
rbl.mx2                                    [t|0]

Any value above zero means you’re listed. I guess we’re safe.
If you’re listed, just uncomment the debug code. It will show you which RBLs you’re in.
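
The script above counts every successful lookup as a listing, so an expired RBL zone that resolves every name, or a list that answers with an error code, also raises the value. The following is an added example, not part of the original script: it validates the address and counts only answers inside 127.0.0.0/8, treating 127.255.255.x as an error code rather than a listing. The function names and the LOOKUP override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count only genuine DNSBL listings. Function names are hypothetical.

# Validate a dotted-quad IPv4 address and print its octets reversed.
reverse_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        if [ "${#o}" -gt 3 ] || [ "$o" -gt 255 ]; then return 1; fi
    done
    echo "$4.$3.$2.$1"
}

# Classify one A record returned by an RBL zone:
#   listed  - inside 127.0.0.0/8, the range DNSBLs use for return codes
#   error   - 127.255.255.x, which some lists (Spamhaus, for one) return to
#             signal a refused or malformed query, not a listing
#   invalid - anything else, e.g. an expired zone that wildcards to a web host
classify_answer() {
    case "$1" in
        127.255.255.*) echo error ;;
        127.*) if reverse_ipv4 "$1" >/dev/null; then echo listed; else echo invalid; fi ;;
        *) echo invalid ;;
    esac
}

# Live resolver: print the A records for a name, using host as the script does.
resolve_a() { host -t a "$1" 2>/dev/null | awk '/has address/ { print $NF }'; }
LOOKUP=${LOOKUP:-resolve_a}   # assumption: point this at a stub to run offline

# Print how many zones in file $2 (one per line) really list IP $1.
count_listings() {
    rev=$(reverse_ipv4 "$1") || return 2
    n=0
    while read -r zone || [ -n "$zone" ]; do
        [ -n "$zone" ] || continue
        for a in $($LOOKUP "$rev.$zone"); do
            if [ "$(classify_answer "$a")" = listed ]; then n=$((n + 1)); break; fi
        done
    done < "$2"
    echo "$n"
}

if [ $# -eq 2 ]; then count_listings "$1" "$2"; fi
```

Called with an IP address and the path to rbl_list.txt, it prints a single number just like the original, so it can sit behind the same UserParameter line.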

Happy monitoring! 🙂