HELP: Decommissioning a DNS anti-spam list

Ronald F. Guilmette rfg at monkeys.com
Fri Mar 19 20:34:02 UTC 2004



As some of you may know, up until last September, I ran a couple of
DNS-based anti-spam lists.  As some of you may also know, I ceased
doing so back in September, because I was DDoS'd by what I can only
assume must have been spammers.

Anyway, I posted (in various places) an announcement back in September
that I was shutting down my lists, and I posted a final ``end of life''
announcement for the lists also about a month and a half ago.

Now, finally, I am _really_ trying to perform final decommissioning of
my former anti-spam DNS lists.  (But as the old saying goes, ``No good
deed goes unpunished.'')

The problem is that no matter what I do, I cannot seem to stop the
ongoing torrent of queries against the zones, which are coming from
literally thousands of different sites:

XX /140.105.16.62/51.30.135.194.proxies.relays.monkeys.com/A/IN/E
XX /206.13.30.10/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
XX /216.17.138.239/219.206.32.204.proxies.monkeys.com/PTR/IN/E
XX /212.101.192.70/10.215.3.217.proxies.relays.monkeys.com/A/IN/E
XX /206.13.30.27/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
XX /206.222.1.3/214.133.43.217.formmail.relays.monkeys.com/A/IN/E
XX /206.222.1.3/214.133.43.217.proxies.relays.monkeys.com/A/IN/E
XX /140.239.96.4/216.213.229.217.proxies.relays.monkeys.com/A/IN/E
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /68.156.116.28/246.66.98.24.proxies.monkeys.com/PTR/IN/E
XX /213.131.64.2/82.170.67.66.formmail.relays.monkeys.com/A/IN/E
XX /213.131.64.2/82.170.67.66.proxies.relays.monkeys.com/A/IN/E
XX /198.216.32.3/237.168.92.67.proxies.relays.monkeys.com/A/IN
XX /140.239.96.4/53.43.174.200.proxies.relays.monkeys.com/A/IN/E
XX /200.21.139.9/204.78.41.213.proxies.relays.monkeys.com/A/IN/E
XX /216.17.138.239/219.206.32.204.formmail.monkeys.com/PTR/IN/E
XX /200.152.96.5/116.142.230.195.proxies.relays.monkeys.com/A/IN
XX /216.144.34.125/137.251.62.66.formmail.relays.monkeys.com/A/IN
XX /216.144.34.125/137.251.62.66.proxies.relays.monkeys.com/A/IN
XX /212.174.99.12/181.185.233.200.proxies.relays.monkeys.com/A/IN
XX /196.25.96.130/52.141.112.82.proxies.relays.monkeys.com/PTR/IN
XX /212.174.99.12/142.111.215.81.proxies.relays.monkeys.com/A/IN
XX /216.74.18.36/107.77.8.67.proxies.relays.monkeys.com/A/IN
XX /207.228.8.7/163.164.63.66.formmail.relays.monkeys.com/A/IN
XX /63.148.157.4/69.43.70.64.proxies.relays.monkeys.com/A/IN
XX /207.228.8.7/163.164.63.66.proxies.relays.monkeys.com/A/IN
XX /62.53.231.14/149.126.213.66.proxies.relays.monkeys.com/ANY/IN
XX /68.156.116.28/246.66.98.24.formmail.monkeys.com/PTR/IN/E
XX /64.55.216.5/216.213.229.217.proxies.relays.monkeys.com/A/IN/E
XX /217.20.160.162/2.142.207.64.proxies.relays.monkeys.com/AAAA/IN/E
XX /216.74.18.35/124.25.173.67.proxies.relays.monkeys.com/A/IN
XX /216.220.96.3/114.133.8.201.formmail.relays.monkeys.com/A/IN/E
XX /209.164.29.37/5.140.182.207.proxies.relays.monkeys.com/A/IN/E
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /64.55.216.5/53.43.174.200.proxies.relays.monkeys.com/A/IN/E
XX /66.153.44.26/31.248.148.216.proxies.relays.monkeys.com/A/IN
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /212.101.192.71/10.215.3.217.proxies.relays.monkeys.com/A/IN/E
XX /140.105.17.182/51.30.135.194.proxies.relays.monkeys.com/A/IN/E
...
and on and on, ad infinitum.

I have _very little_ bandwidth at my disposal, and now I need to reclaim
that bandwidth for other purposes.  But these ongoing queries are sucking
up more than half of the meager bandwidth that I have.

I have tried everything that I can think of to stop this flood of
bogus queries already, and nothing has worked.  Nothing I have tried
has even had any noticeable effect.  I've tried setting the relevant
NS records to point into oblivion (specifically into the 224/8 space).
I have also tried pointing the NS records back to the very same name
servers elsewhere that are the most frequent ongoing troublemakers,
i.e. most frequent queriers of my defunct anti-spam zones.  Now I am
trying the following NS record:

*.relays.monkeys.com.	IN	NS	localhost.monkeys.com.

where `localhost.monkeys.com' resolves to 127.0.0.1 (in the hopes that
those name servers that are annoying me now will end up just querying
themselves, instead of me) but so far even this doesn't seem to be
working very well.

Oh!  And I should mention that I also tried this:

*.relays.monkeys.com.	IN	A	127.0.0.2
			IN	TXT	"See http://www.monkeys.com/dnsbl/"

i.e. ``blacklist the Universe'', but even that only produced very limited
success in terms of getting people to stop sending queries here for the
dead and defunct anti-spam zones.

So can anybody help me with this?  There has GOT to be some way of
decommissioning a zone such that further queries against the zone will not
be a huge burden on _my_ bandwidth.  I just need somebody to tell me
what it is.

Or is this impossible?  Is the design of the DNS protocol so ill-conceived
as to make this kind of decommissioning impossible?

Please help me, and educate me.
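Added example, not part of the original post: before any NS-record trick can be judged, the operator needs to know who is actually sending the residual queries. The script below parses query-log lines in the shape shown in the post (`XX /<client IP>/<queried name>/<qtype>/<qclass>[/<flag>]`; that field layout is an assumption read off the excerpt, not a documented BIND format), attributes each query to one of the four list zones named in the post, recovers the address that was being looked up (DNSBL queries carry it with the octets reversed), and aggregates by querying client, by client /24 (resolvers at one site tend to cluster), by zone and by query type. The sample log is constructed in the same shape as the excerpt; `ZONES` is taken from the zone names visible in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, same shape as the excerpt in the post (not real traffic).
SAMPLE_LOG = """\
XX /140.105.16.62/51.30.135.194.proxies.relays.monkeys.com/A/IN/E
XX /206.13.30.10/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
XX /216.17.138.239/219.206.32.204.proxies.monkeys.com/PTR/IN/E
XX /206.13.30.27/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
XX /206.222.1.3/214.133.43.217.formmail.relays.monkeys.com/A/IN/E
XX /206.222.1.3/214.133.43.217.proxies.relays.monkeys.com/A/IN/E
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /62.53.231.14/149.126.213.66.proxies.relays.monkeys.com/ANY/IN
this line is deliberately malformed and must be skipped
"""

# The decommissioned list zones named in the post, longest suffix first so that
# "x.proxies.relays.monkeys.com" is never mis-attributed to "proxies.monkeys.com".
ZONES = (
    "proxies.relays.monkeys.com",
    "formmail.relays.monkeys.com",
    "proxies.monkeys.com",
    "formmail.monkeys.com",
)

# Assumed line layout: "XX /client/qname/qtype/qclass" with an optional trailing flag.
LINE_RE = re.compile(
    r"^XX /(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^/]+)"
    r"(?:/(?P<flag>[^/]+))?$"
)


def parse_line(line):
    """Parse one log line; return a record dict, or None if malformed or not for a list zone."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    qname = rec["qname"]
    zone = next((z for z in ZONES if qname == z or qname.endswith("." + z)), None)
    if zone is None:
        return None
    # DNSBL lookups put the address under test in front of the zone with its
    # octets reversed (51.30.135.194.<zone> asks about 194.135.30.51). Undo that
    # only when the prefix really is four numeric labels forming a valid IPv4.
    prefix = qname[: -len(zone) - 1] if qname != zone else ""
    parts = prefix.split(".")
    listed_ip = None
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        try:
            listed_ip = str(ip_address(".".join(reversed(parts))))
        except ValueError:
            listed_ip = None
    rec["zone"] = zone
    rec["listed_ip"] = listed_ip
    return rec


def summarize(log_text):
    """Count queries per client, per zone and per qtype; count malformed lines separately."""
    clients, zones, qtypes, skipped = Counter(), Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue                      # blank lines are not an error
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        clients[rec["client"]] += 1
        zones[rec["zone"]] += 1
        qtypes[rec["qtype"]] += 1
    return {"clients": clients, "zones": zones, "qtypes": qtypes, "skipped": skipped}


def top_clients(log_text, n=10):
    """The n busiest querying resolvers; these are the operators worth contacting first."""
    return summarize(log_text)["clients"].most_common(n)


def clients_by_subnet(log_text, prefixlen=24):
    """Aggregate querying clients by network prefix, grouping a site's several resolvers."""
    nets = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            net = ip_network(f"{rec['client']}/{prefixlen}", strict=False)
        except ValueError:
            continue                      # not an IPv4/IPv6 literal; ignore
        nets[str(net)] += 1
    return nets


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("queries per zone :", dict(s["zones"]))
    print("queries per qtype:", dict(s["qtypes"]))
    print("busiest clients  :", top_clients(SAMPLE_LOG, 3))
    print("busiest /24s     :", clients_by_subnet(SAMPLE_LOG).most_common(3))
    print("malformed lines  :", s["skipped"])
```

Run against the real query log, the per-client and per-/24 counts give a ranked list of the sites whose mail servers still have the dead zones configured, which is the list to work through with abuse or postmaster contacts; the per-zone and per-qtype split shows which zone names and record types still have to answer cheaply (in the sample, nearly everything is an A query to proxies.relays.monkeys.com), and `skipped` warns when the assumed line layout does not match the log actually being read.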
