RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

Shane Kerr shane at isc.org
Fri Sep 20 09:38:45 UTC 2013 

Noel,

On 2013-09-20 12:48:31 (Friday)
Noel Butler <noel.butler at ausics.net> wrote:

> On Fri, 2013-09-20 at 01:59 +0000, Vernon Schryver wrote:

> > > plenty of delayed mail -  hostname lookup failures (mostly because of
> > > URI/DNS BL's), so it certainly works as intended :)
> > 
> > That sounds unrelated to RRL.  Again, RRL affects standards compliant
> > DNS clients no more than a 50% packet loss rate on the path from the
> > DNS client and to the server.  If your mail system suffered hostname
> > lookup failures, then I think something else was broken.

With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
fail, right? If you've got enough legitimate lookups going on to
trigger RRL then you're going to get lots of failures.

One workaround for this is to set SLIP to 1. I know Vernon recommends
against that, but personally I don't think there is any downside.
 
> Nope, either way, daemon.log was filling up with messages indicating
> RRL, last time I tried, Aug 29,
> 
> lots of  
> limit NXDOMAIN responses to xxxxxxxx/24 for zen.spamhaus.org , 
> limit NXDOMAIN responses to xxxxxx/24 for xxx.net 
> 
> pretty much one for every DNSBL, URIBL etc used.... 

This doesn't indicate that anything actually failing for the querying
hosts, just that they are issuing a lot of queries.

> The problem occurred within a minute of enabling RRL, and ended right
> after disabling RRL.
> on that date, log files show the version was actually BIND 9.9.4rc1
> 
> Now I've read your link, I can perhaps understand more the options and
> fine tune it, but bout to head out for lunch so, might pla around later
> this afternoon.

I think the actual issue is that for DNS IP blacklists (or whitelists)
RRL is probably harmful. Many or even most queries to those servers
will result in the same NXDOMAIN response. This is expected and desired
behavior, but RRL interprets this as potential abuse.

While the fallback to TCP (combined with my recommendation of SLIP 1
above) will mean that service will continue without problem, one reason
that DNS was chosen for such services is that it is very lightweight,
and forcing traffic to TCP is an anti-goal. :)

Probably you should disable RRL for servers that are primarily used for
IP-based blacklists (or whitelists).

Cheers,

--
Shane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130920/0d825c5f/attachment.bin>

More information about the bind-users mailing list