View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006321 | unreal | ircd | public | 2023-07-29 19:17 | 2023-09-09 09:28 |
| Reporter | BlackBishop | Assigned To | syzop | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | feedback | Resolution | open | ||
| Summary | 0006321: dnsbl checks not done for webirc user | ||||
| Description | For some reason I have a webirc client that uses tor which connects via ipv6 and doesn't get detected by the dnsbl... | ||||
| Additional Information | Connection logs: 19:57:01 -- irc.d3x.ro: connect.LOCAL_CLIENT_CONNECT [info] Client connecting: thelounge76 (thelounge@2a0b:f4c1:2::254) [2a0b:f4c1:2::254] [vhost: 2D604648:55365998:81704A2A:IP] [class: clients] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: DE] [reputation: 0] [security-groups: unknown-users,uknwnu,webirc-users,tls-and-known-users,tls-users] 20:02:26 -- irc.d3x.ro: connect.LOCAL_CLIENT_DISCONNECT [info] Client exiting: thelounge76 (thelounge@2a0b:f4c1:2::254) [2a0b:f4c1:2::254] (https://d3x.ro) 20:02:30 -- irc.d3x.ro: connect.LOCAL_CLIENT_CONNECT [info] Client connecting: thelounge76 (thelounge@2a0b:f4c1:2::254) [2a0b:f4c1:2::254] [vhost: 2D604648:55365998:81704A2A:IP] [class: clients] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: DE] [reputation: 1] [security-groups: unknown-users,uknwnu,webirc-users,tls-and-known-users,tls-users] 20:03:08 -- irc.d3x.ro: blacklist.BLACKLIST_HIT [info] [Blacklist] IP 192.42.116.203 matches blacklist torexit (dnsel.torproject.org/reply=2) Relevant configuration: blacklist torexitdan { dns { name torexit.dan.me.uk; type record; reply { 100; }; }; action gline; ban-time 365d; reason "TOR exit node detected. We value your privacy but there is no reason to hide here."; }; security-group uknwnu { security-group { unknown-users; }; }; set { anti-flood { unknown-users { nick-flood 2:60; join-flood 2:90; away-flood 4:120; invite-flood 2:60; knock-flood 2:120; max-concurrent-conversations { users 4; new-user-every 15s; }; lag-penalty 1000; lag-penalty-bytes 90; }; channel { profile very-strict { flood-mode "[7c#C15,10j#R10,10k#K15,30m#M10,10n#N15]:15"; }; profile strict { flood-mode "[7c#C15,15j#R10,10k#K15,40m#M10,10n#N15]:15"; }; profile normal { flood-mode "[7c#C15,30j#R10,10k#K15,40m#M10,10n#N15]:15"; }; profile relaxed { flood-mode "[7c#C15,45j#R10,10k#K15,60m#M10,10n#N15]:15"; }; profile very-relaxed { flood-mode "[7c#C15,60j#R10,10k#K15,90m#M10,10n#N15]:15"; }; default-profile strict; boot-delay 75; split-delay 75; }; }; webirc { mask 127.0.0.1; password "somepassword"; }; I do see some dnslooksups being done in my own dnsbl so I assume the rest are also done... Manual dig tests.. 4.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.1.c.4.f.b.0.a.2.torexit.dan.me.uk: A Record: 127.0.0.100 4.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.1.c.4.f.b.0.a.2.torexit.dan.me.uk: TXT Record: "N:Digitalcourage4ip7a/P:443/F:EFGHRSDV" | ||||
| Tags | No tags attached. | ||||
| 3rd party modules | |||||
|
|
Seems it happens for ipv4 too. Makes sense. So are webirc clients excepted from dnsbl checks? |
|
|
It seems that not webirc itself is excepted but the fact that the connection is done on 127.0.0.1. So the dnsbl checks happen before the actual ip is resolved rather than after! |
|
|
Moved webirc connection to 127.0.0.2 All is well now but still, unexpected/undocumented. |
|
|
The way it is supposed work is this: 1) When a new TCP/IP connection comes in, we start doing blacklist checks. If that IP is exempted, then we don't. 2) When we receive a WEBIRC command with the new IP, we run blacklist checks again on that new IP. Only if that new IP is exempted, we don't. You are saying step 2 does not work well? I recently changed some things with regards to what checks are done when in 6.1.1, and I believe I changed the way calls are made upon ip changes in a more generic way so it is used by things other than webirc too like forward headers. It could be that something went wrong there. What unrealircd version are you on? |
|
|
Could you double check with tcpdump? Like 'tcpdump -i XXX port 53' where XXX is the interface towards your DNS server, eg 'lo' or 'ens3' or the like. Then connect a web client... you will see the DNS requests... :) Recommend to do at a quiet moment though, when not 5 others are connecting. |
|
|
I'm on 6.1.1.1 I remember looking at that time and everything worked. The interesting thing is that I only changed to 127.0.0.2 and suddenly all was ok! |
|
|
Works fine for me. Can you do like I asked in previous comment? Thanks! |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2023-07-29 19:17 | BlackBishop | New Issue | |
| 2023-07-30 13:05 | BlackBishop | Note Added: 0022983 | |
| 2023-07-30 13:21 | BlackBishop | Note Added: 0022984 | |
| 2023-07-30 13:28 | BlackBishop | Note Added: 0022985 | |
| 2023-08-15 09:25 | syzop | Note Added: 0022990 | |
| 2023-08-15 09:26 | syzop | Note Edited: 0022990 | |
| 2023-08-15 09:28 | syzop | Note Added: 0022991 | |
| 2023-08-15 09:29 | syzop | Assigned To | => syzop |
| 2023-08-15 09:29 | syzop | Status | new => feedback |
| 2023-08-15 10:44 | BlackBishop | Note Added: 0022998 | |
| 2023-08-18 07:27 | syzop | Summary | ipv6 tor client doesn't get detected by dnsbl => dnsbl checks not done for webirc user |
| 2023-09-09 09:28 | syzop | Note Added: 0023015 |
