View Issue Details

IDProjectCategoryView StatusLast Update
0006321unrealircdpublic2023-11-20 17:21
ReporterBlackBishop Assigned Tosyzop  
Status closedResolutionunable to duplicate 
Summary0006321: dnsbl checks not done for webirc user
DescriptionFor some reason I have a webirc client that uses tor which connects via ipv6 and doesn't get detected by the dnsbl...
Additional InformationConnection logs:

19:57:01 -- connect.LOCAL_CLIENT_CONNECT [info] Client connecting: thelounge76 (thelounge@2a0b:f4c1:2::254) [2a0b:f4c1:2::254] [vhost: 2D604648:55365998:81704A2A:IP] [class: clients] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: DE] [reputation: 0] [security-groups: unknown-users,uknwnu,webirc-users,tls-and-known-users,tls-users]
20:02:26 -- connect.LOCAL_CLIENT_DISCONNECT [info] Client exiting: thelounge76 (thelounge@2a0b:f4c1:2::254) [2a0b:f4c1:2::254] (
20:02:30 -- connect.LOCAL_CLIENT_CONNECT [info] Client connecting: thelounge76 (thelounge@2a0b:f4c1:2::254) [2a0b:f4c1:2::254] [vhost: 2D604648:55365998:81704A2A:IP] [class: clients] [secure: TLSv1.3-TLS_CHACHA20_POLY1305_SHA256] [country: DE] [reputation: 1] [security-groups: unknown-users,uknwnu,webirc-users,tls-and-known-users,tls-users]
20:03:08 -- blacklist.BLACKLIST_HIT [info] [Blacklist] IP matches blacklist torexit (

Relevant configuration:

blacklist torexitdan {
  dns {
    type record;
    reply { 100; };
  action gline;
  ban-time 365d;
  reason "TOR exit node detected. We value your privacy but there is no reason to hide here.";

security-group uknwnu {
  security-group { unknown-users; };

set {
  anti-flood {
    unknown-users {
      nick-flood 2:60;
      join-flood 2:90;
      away-flood 4:120;
      invite-flood 2:60;
      knock-flood 2:120;
      max-concurrent-conversations {
        users 4;
        new-user-every 15s;
      lag-penalty 1000;
      lag-penalty-bytes 90;
    channel {
      profile very-strict { flood-mode "[7c#C15,10j#R10,10k#K15,30m#M10,10n#N15]:15"; };
      profile strict { flood-mode "[7c#C15,15j#R10,10k#K15,40m#M10,10n#N15]:15"; };
      profile normal { flood-mode "[7c#C15,30j#R10,10k#K15,40m#M10,10n#N15]:15"; };
      profile relaxed { flood-mode "[7c#C15,45j#R10,10k#K15,60m#M10,10n#N15]:15"; };
      profile very-relaxed { flood-mode "[7c#C15,60j#R10,10k#K15,90m#M10,10n#N15]:15"; };
      default-profile strict;
      boot-delay 75;
      split-delay 75;
webirc {
        password "somepassword";

I do see some dnslooksups being done in my own dnsbl so I assume the rest are also done...

Manual dig tests.. A Record: TXT Record: "N:Digitalcourage4ip7a/P:443/F:EFGHRSDV"
TagsNo tags attached.
3rd party modules



2023-07-30 13:05

reporter   ~0022983

Seems it happens for ipv4 too. Makes sense.

So are webirc clients excepted from dnsbl checks?


2023-07-30 13:21

reporter   ~0022984

It seems that not webirc itself is excepted but the fact that the connection is done on
So the dnsbl checks happen before the actual ip is resolved rather than after!


2023-07-30 13:28

reporter   ~0022985

Moved webirc connection to
All is well now but still, unexpected/undocumented.


2023-08-15 09:25

administrator   ~0022990

Last edited: 2023-08-15 09:26

The way it is supposed work is this:
1) When a new TCP/IP connection comes in, we start doing blacklist checks. If that IP is exempted, then we don't.
2) When we receive a WEBIRC command with the new IP, we run blacklist checks again on that new IP. Only if that new IP is exempted, we don't.

You are saying step 2 does not work well?
I recently changed some things with regards to what checks are done when in 6.1.1, and I believe I changed the way calls are made upon ip changes in a more generic way so it is used by things other than webirc too like forward headers. It could be that something went wrong there. What unrealircd version are you on?


2023-08-15 09:28

administrator   ~0022991

Could you double check with tcpdump? Like 'tcpdump -i XXX port 53' where XXX is the interface towards your DNS server, eg 'lo' or 'ens3' or the like.
Then connect a web client... you will see the DNS requests... :)
Recommend to do at a quiet moment though, when not 5 others are connecting.


2023-08-15 10:44

reporter   ~0022998

I'm on
I remember looking at that time and everything worked.
The interesting thing is that I only changed to and suddenly all was ok!


2023-09-09 09:28

administrator   ~0023015

Works fine for me. Can you do like I asked in previous comment? Thanks!

Issue History

Date Modified Username Field Change
2023-07-29 19:17 BlackBishop New Issue
2023-07-30 13:05 BlackBishop Note Added: 0022983
2023-07-30 13:21 BlackBishop Note Added: 0022984
2023-07-30 13:28 BlackBishop Note Added: 0022985
2023-08-15 09:25 syzop Note Added: 0022990
2023-08-15 09:26 syzop Note Edited: 0022990
2023-08-15 09:28 syzop Note Added: 0022991
2023-08-15 09:29 syzop Assigned To => syzop
2023-08-15 09:29 syzop Status new => feedback
2023-08-15 10:44 BlackBishop Note Added: 0022998
2023-08-18 07:27 syzop Summary ipv6 tor client doesn't get detected by dnsbl => dnsbl checks not done for webirc user
2023-09-09 09:28 syzop Note Added: 0023015
2023-11-20 17:21 syzop Status feedback => closed
2023-11-20 17:21 syzop Resolution open => unable to duplicate