
mod_dnsblacklist

Added by lucaercoli over 14 years ago

Hi,
I developed a module called mod_dnsblacklist.
It is a plugin that uses DNSBL in order to block spam relay via web forms,
prevent URL injection, block HTTP DDoS attacks from bots and generally
protect your web service by denying access to known bad IP addresses.
More information can be found on my website:

http://www.lucaercoli.it/en/mod_dnsblacklist.html

I hope it will be useful.

regards,
Luca Ercoli
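For readers unfamiliar with how a DNSBL is actually consulted, here is an added illustration (written for this thread, not code from mod_dnsblacklist or from Luca's site). It shows the two mechanical pieces any such module needs: building the reversed query name for an IPv4 or IPv6 address under a blacklist zone, and deciding from the answer whether the address is listed. The zone name `dnsbl.example` and the sample addresses are constructed; no network lookup is performed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Build the name to look up for `ip` in the DNSBL zone `zone`.
 * IPv4: the four octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>
 * IPv6: the 32 hex nibbles reversed and dot-separated, as in ip6.arpa.
 * Returns 0 on success, -1 if `ip` does not parse or `out` is too small. */
int dnsbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
    unsigned char v4[4], v6[16];

    if (inet_pton(AF_INET, ip, v4) == 1) {
        int n = snprintf(out, outlen, "%u.%u.%u.%u.%s",
                         (unsigned)v4[3], (unsigned)v4[2],
                         (unsigned)v4[1], (unsigned)v4[0], zone);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    if (inet_pton(AF_INET6, ip, v6) == 1) {
        /* 32 nibbles each followed by '.', then the zone and the NUL */
        if (outlen < 64 + strlen(zone) + 1)
            return -1;
        char *p = out;
        for (int i = 15; i >= 0; i--)   /* last byte first, low nibble first */
            p += sprintf(p, "%x.%x.", (unsigned)(v6[i] & 0xf), (unsigned)(v6[i] >> 4));
        strcpy(p, zone);
        return 0;
    }
    return -1;
}

/* Interpret the A record the DNSBL answered with. Listings live in 127.0.0.0/8
 * (the last octet usually encodes a category). Anything else, including an
 * unparsable reply, is treated as "not listed": a zone that expires and starts
 * answering with a real address would otherwise block every visitor. */
int dnsbl_reply_listed(const char *reply_ip)
{
    unsigned char a[4];
    if (inet_pton(AF_INET, reply_ip, a) != 1)
        return 0;
    return a[0] == 127;
}

/* Helper for checks: build the name and compare it with `expected`. */
int dnsbl_name_equals(const char *ip, const char *zone, const char *expected)
{
    char buf[256];
    return dnsbl_query_name(ip, zone, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample addresses from the documentation ranges */
    const char *samples[] = { "192.0.2.10", "2001:db8::1", "not-an-ip" };
    char name[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (dnsbl_query_name(samples[i], "dnsbl.example", name, sizeof name) == 0)
            printf("%-12s -> %s\n", samples[i], name);
        else
            printf("%-12s -> (invalid address)\n", samples[i]);
    }
    printf("reply 127.0.0.2 listed: %d\n", dnsbl_reply_listed("127.0.0.2"));
    printf("reply 203.0.113.5 listed: %d\n", dnsbl_reply_listed("203.0.113.5"));
    return 0;
}
```

The "fail open on a non-127 answer" rule in `dnsbl_reply_listed` is the caveat worth keeping whatever the rest of the design looks like: a blacklist zone that is abandoned and later wildcarded will answer for every query, and a module that treats any answer as a listing then locks out all visitors.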


Replies (7)

RE: mod_dnsblacklist - Added by icy over 14 years ago

It should be noted that this module is licensed under GPL v2 (or later).

I appreciate your effort but this module uses gethostbyname() which is a blocking way to do dns lookups. It can take quite some time during which lighty is completely locked and can't do anything else. This could cause major problems.

I recommend doing these lookups and blocking in your backend (e.g. PHP).

RE: mod_dnsblacklist - Added by lucaercoli over 14 years ago

Thanks for the advice, I modified the plugin code.
Using the functions of the query resolver I set a maximum timeout period of 1 second for the query to the DNS.
The new version is available on my website.

regards,
Luca Ercoli

RE: mod_dnsblacklist - Added by nitrox over 14 years ago

Ok, so you're blocking lighty for max. 1s now - that sounds like an improvement :-)

RE: mod_dnsblacklist - Added by lucaercoli over 14 years ago

Thank you for the appreciation.
I think that proceeding with the request within one second if the DNS does not respond is enough. Moreover, if a server has DNS problems then a lighttpd plugin is the last thing to think about ;)

thanks again,
Luca Ercoli

RE: mod_dnsblacklist - Added by nitrox over 14 years ago

As icy said, you'd rather want this as e.g. a FastCGI module; even 1s will be noticeable there. Sure, if lookups are cached it should be faster, but they also have a TTL of ~86400s, so once a day most lookups need to be done again. And though a module might be more generic, a FastCGI'ed version should be considered here.

RE: mod_dnsblacklist - Added by lucaercoli over 14 years ago

Don't worry, I will implement support for the cache in the next version.
Right now if you manage a very heavily loaded server you can use a local rbldnsd instance.
The "dnsblacklist.host" directive will allow you to do this.
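Since both nitrox and Luca bring up caching, here is an added sketch of what a verdict cache for such a module could look like (written for this thread; it is not the cache Luca announces for the next version). The point it makes is the one nitrox raises: the zone's TTL of ~86400 s is what the DNSBL operator wants, but a module should cap it (here with an assumed `MAX_TTL` of one hour) so that an address that is delisted stops being blocked within a reasonable time. The resolver is replaced by a constructed stub so the code runs offline, and the clock is passed in explicitly so expiry can be exercised without waiting.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 64
#define MAX_TTL     3600   /* assumption: never trust a verdict longer than an hour */

struct verdict_entry {
    char   ip[46];         /* INET6_ADDRSTRLEN */
    int    listed;
    time_t expires;        /* absolute time; 0 = empty slot */
};

struct verdict_cache {
    struct verdict_entry slots[CACHE_SLOTS];
};

/* FNV-1a over the address text selects the slot (direct-mapped, overwrite on collision) */
static unsigned slot_for(const char *ip)
{
    unsigned h = 2166136261u;
    for (; *ip; ip++) {
        h ^= (unsigned char)*ip;
        h *= 16777619u;
    }
    return h % CACHE_SLOTS;
}

/* Returns 1 and sets *listed on a fresh hit, 0 on a miss or an expired entry. */
int cache_get(const struct verdict_cache *c, const char *ip, time_t now, int *listed)
{
    const struct verdict_entry *e = &c->slots[slot_for(ip)];
    if (e->expires == 0 || strcmp(e->ip, ip) != 0 || now >= e->expires)
        return 0;
    *listed = e->listed;
    return 1;
}

/* Store a verdict for min(ttl, MAX_TTL) seconds; a TTL of 0 is not cached at all. */
void cache_put(struct verdict_cache *c, const char *ip, int listed, time_t now, time_t ttl)
{
    if (ttl <= 0)
        return;
    if (ttl > MAX_TTL)
        ttl = MAX_TTL;
    struct verdict_entry *e = &c->slots[slot_for(ip)];
    strncpy(e->ip, ip, sizeof e->ip - 1);
    e->ip[sizeof e->ip - 1] = '\0';
    e->listed  = listed;
    e->expires = now + ttl;
}

/* Stand-in for the DNS query (constructed, no network): only 192.0.2.10 is
 * "listed", and the zone claims the 86400 s TTL discussed in the thread. */
static int resolver_stub(const char *ip, time_t *ttl)
{
    *ttl = 86400;
    return strcmp(ip, "192.0.2.10") == 0;
}

/* Check `ip` at instant `now`, consulting the cache first.
 * *lookups is incremented each time the resolver is actually called. */
int dnsbl_check_cached(struct verdict_cache *c, const char *ip, time_t now, int *lookups)
{
    int listed;
    if (cache_get(c, ip, now, &listed))
        return listed;
    time_t ttl;
    listed = resolver_stub(ip, &ttl);
    (*lookups)++;
    cache_put(c, ip, listed, now, ttl);
    return listed;
}

int main(void)
{
    struct verdict_cache c = {0};
    int lookups = 0;
    dnsbl_check_cached(&c, "192.0.2.10", 0, &lookups);
    dnsbl_check_cached(&c, "192.0.2.10", 600, &lookups);    /* served from cache */
    dnsbl_check_cached(&c, "192.0.2.10", 4000, &lookups);   /* expired by the MAX_TTL cap */
    printf("resolver called %d times for three checks\n", lookups);
    return 0;
}
```

Caching only shortens the average case; a first-seen address still pays the full lookup, which is why the thread keeps coming back to where that lookup runs rather than how often.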

RE: mod_dnsblacklist - Added by stbuehler about 14 years ago

I guess it will be useful to some people, so just as a final note why this is not the right way to do it in general:
lighttpd is single threaded, and will handle all requests with this one thread. If you "block one request for 1 second", you block all requests for 1 second.
Now it may be "difficult" to get many IPv4 addresses to cause a DDoS (each new address will block lighttpd for some time), when it comes to IPv6 you are doomed (I didn't look at your patch and I guess you don't support IPv6 anyway, but just as a thought).
So the real solution would be to do the DNS lookup asynchronously, which either requires you to do the lookup in another thread/process or have an async DNS lookup implementation which you can hook into lighttpd's event system.
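To make stbuehler's point concrete, here is an added example (not from the plugin, and not lighttpd's own plugin API) of the "another process" variant: the lookup runs in a helper process and reports its verdict through a pipe, and the caller only ever polls that pipe in short slices, so the single server thread keeps serving other connections while the resolver is slow. The resolver itself is a constructed stub that sleeps 200 ms and lists only 192.0.2.10, so the example runs offline; `dnsbl_check_async` stands in for one iteration pattern of an event loop and counts its iterations so the non-blocking behaviour is observable.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for the real DNSBL query (constructed verdict, no network): only
 * 192.0.2.10 is "listed" and the answer takes 200 ms. In a real module this is
 * where the blocking resolver call goes, but it runs in the helper process, so
 * the server's single thread never waits on it. */
static int slow_dnsbl_lookup(const char *ip)
{
    struct timespec delay = { 0, 200 * 1000 * 1000 };
    nanosleep(&delay, NULL);
    return strcmp(ip, "192.0.2.10") == 0;
}

/* Start a lookup in a helper process. Returns a fd that becomes readable when
 * the verdict is available (one byte: 0 or 1), or -1 on failure. */
int dnsbl_lookup_start(const char *ip, pid_t *child)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* helper: resolve, write, exit */
        close(fds[0]);
        unsigned char verdict = (unsigned char)slow_dnsbl_lookup(ip);
        (void)write(fds[1], &verdict, 1);
        _exit(0);
    }
    close(fds[1]);
    *child = pid;
    return fds[0];
}

/* To be called once poll() reported the fd readable.
 * Returns 1 (listed), 0 (not listed) or -1 if the helper died without answering. */
int dnsbl_lookup_finish(int fd, pid_t child)
{
    unsigned char verdict;
    ssize_t n = read(fd, &verdict, 1);
    close(fd);
    waitpid(child, NULL, 0);
    return n == 1 ? (int)verdict : -1;
}

/* Miniature event loop: polls the lookup fd in 10 ms slices and, between
 * slices, would service other connections (here that is just counting ticks).
 * Gives up after `deadline_ms`. Returns the verdict or -1 on timeout/failure. */
int dnsbl_check_async(const char *ip, int deadline_ms, int *ticks)
{
    pid_t child;
    int fd = dnsbl_lookup_start(ip, &child);
    if (fd < 0)
        return -1;
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int waited = 0;
    *ticks = 0;
    while (waited < deadline_ms) {
        int r = poll(&pfd, 1, 10);       /* never blocks longer than 10 ms */
        (*ticks)++;
        if (r > 0)
            return dnsbl_lookup_finish(fd, child);
        if (r < 0)
            break;
        waited += 10;                    /* ... other connections get served here ... */
    }
    /* Deadline hit: drop the lookup rather than let it hold up the loop. */
    kill(child, SIGKILL);
    close(fd);
    waitpid(child, NULL, 0);
    return -1;
}

int main(void)
{
    int ticks;
    int v = dnsbl_check_async("192.0.2.10", 2000, &ticks);
    printf("192.0.2.10: verdict %d after %d loop iterations\n", v, ticks);
    v = dnsbl_check_async("192.0.2.10", 50, &ticks);
    printf("192.0.2.10 with 50 ms deadline: verdict %d (timed out)\n", v);
    return 0;
}
```

In a real server the pipe fd would be registered with the event system and the loop would not spin on one lookup at all; the value of the helper-process shape is that a slow or dead resolver costs one fd and one child, not the whole server. A per-request helper process is also the expensive way to do it, which is why stbuehler's other option, an async resolver hooked into the event loop, is the one to prefer for anything that sees real traffic.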
