[RndTbl] PSA: be careful with block lists!

Alberto Abrao alberto at abrao.net
Mon May 31 16:57:07 CDT 2021


Hello everyone,

TL;DR: make sure to whitelist mission-critical IPs when using block lists.

I am writing to report on a situation that happened last week, hoping my 
experience can be of use to others.

A few days ago, I noticed that I was not able to send e-mails. No 
domains were being recognized by the mail server.

Weird. We shall check, then.

There, I noticed that DNS was not working. I had Cloudflare's 1.1.1.1 
set up. Weirder.

As some here may know, I use an OpenBSD box as a transparent bridge, with 
some block lists that aim to filter traffic from botnets and other 
not-so-desirable sources.

Now, my internal network does not use 1.1.1.1, so it was working without 
issue.

After some fiddling around, it ended up being that, at one point, 
1.1.1.1 was on a block list, promptly downloaded and blocked by the 
transparent bridge. Thus, no hosts on my internal network could reach 
out to it.

Whitelist it, done.

Or not: this morning, Adam lets me know that MUUG is unable to send me 
e-mails, which are being promptly spat out by my naughty mail server. 
Who dares to do that to our most glorious group? Bad, bad server. No 
donut for you.

Now, to the fallout of the DNS issue: my server receives an e-mail, 
can't resolve source domain. "It must be junk", it thinks. Fail2ban pops 
in and bans the "offending" IP. I fixed the DNS issue... however, the 
fail2ban database was already full of legitimate domains it could not 
resolve because of said issue.

No wonder my mailbox was eerily quiet for the last few days...

Kind regards,
Alberto Abrao
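A worked example of the TL;DR, added here by the editor and not part of
Alberto's message or his actual bridge configuration: a small POSIX sh
script that merges downloaded block-list feeds into a pf table file while
refusing to block anything on an allow list of mission-critical addresses
(the resolver, the upstream MX, and so on). It catches both the exact case
in the post (1.1.1.1 listed verbatim) and the nastier one where a feed lists
a whole prefix such as 1.1.1.0/24 that contains the address. The feed
contents, file names and table name are constructed for the example;
assumptions are IPv4 only, one address or CIDR per line with optional '#'
comments, and no leading zeros in octets.

```shell
#!/bin/sh
# Added example, not the original poster's setup: build a pf table file from
# downloaded block lists while refusing to block an allow list of
# mission-critical addresses (resolver, upstream MX, ...).
# Assumptions: IPv4 only; block lists are one address or CIDR per line with
# optional '#' comments; the allow list is one plain address per line.
# Octets with leading zeros (010.1.1.1) are not handled.

# ip4_to_int ADDR: dotted quad to a 32-bit integer (1.1.1.1 -> 16843009).
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR ENTRY: succeed when ADDR lies inside ENTRY, where ENTRY is
# either a bare address (treated as /32) or NET/PREFIX.
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=${2%/*}
    prefix=${2#*/}
    if [ "$prefix" = "$2" ]; then
        prefix=32
    fi
    net_int=$(ip4_to_int "$net")
    # Shell arithmetic is at least 64-bit, so the shift for /0 is well defined.
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net_int & mask )) ]
}

# normalize FILE...: drop comments, CR, whitespace and blank lines; unique, sorted.
normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$@" | grep -v '^$' | sort -u
}

# merge_blocklist ALLOWFILE OUTFILE BLOCKFILE...
# Writes to OUTFILE every block-list entry that does not cover an
# allow-listed address (pf table format, one entry per line), reports each
# dropped entry on stderr, and prints the number of dropped entries on stdout.
merge_blocklist() {
    allow_file=$1
    out_file=$2
    shift 2
    allowed=$(normalize "$allow_file")
    dropped=0
    : > "$out_file"
    for entry in $(normalize "$@"); do
        keep=1
        for a in $allowed; do
            if in_cidr "$a" "$entry"; then
                echo "dropping $entry: it covers allow-listed $a" >&2
                keep=0
                break
            fi
        done
        if [ "$keep" -eq 1 ]; then
            echo "$entry" >> "$out_file"
        else
            dropped=$((dropped + 1))
        fi
    done
    echo "$dropped"
}

# Constructed sample feeds for the example (not real block-list content):
# feed A lists 1.1.1.1 verbatim, feed B (CRLF line endings, as downloaded
# lists often are) lists the whole 1.1.1.0/24 and the upstream MX.
make_sample_lists() {
    dir=$1
    printf '%s\n' '# feed A' '203.0.113.7' '1.1.1.1' '198.51.100.0/24' > "$dir/feed_a.txt"
    printf '%s\r\n' '# feed B' '1.1.1.0/24' '203.0.113.7' '192.0.2.9' > "$dir/feed_b.txt"
    printf '%s\n' '1.1.1.1   # Cloudflare resolver' '192.0.2.9 # upstream MX' > "$dir/allow.txt"
}

demo_dir=$(mktemp -d)
make_sample_lists "$demo_dir"
merge_blocklist "$demo_dir/allow.txt" "$demo_dir/botnets.txt" \
    "$demo_dir/feed_a.txt" "$demo_dir/feed_b.txt"
cat "$demo_dir/botnets.txt"
# On the bridge the result would be loaded with something like
#   pfctl -t botnets -T replace -f /etc/pf/botnets.txt
# (table and path are assumed names for this example).
```

The script drops three entries (1.1.1.1, 1.1.1.0/24 and 192.0.2.9) and
keeps 198.51.100.0/24 and 203.0.113.7. Filtering the feed is only half
the fix, though: the robust belt-and-braces version is to also put the
allow list in its own pf table and keep a "pass quick" rule for that
table ahead of the "block" rule for the feed table in pf.conf, so a
feed that changes shape between refreshes still cannot cut off the
resolver or the mail relay.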


