RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
Simon Forster
forster at spamteq.com
Mon Sep 23 17:14:38 UTC 2013
On 23 Sep 2013, at 15:59, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Eliezer Croitoru <eliezer at ngtech.co.il>
>
>>> Major DNSBL providers have years since limited anonymous clients for
>>> business or other reasons. For example, I think Spamhaus limits
>>> anonymous clients to fewer than 3 queries/second.
>
>> and I doubt they use RRL in the application level..
>
>> I assume they limit that on either IPTABLES\FW level.
>
> The only technical reason I know that might stop Spamhaus and the
> Spamhaus mirrors from using RRL to throttle anonymous DNSBL clients
> is the lingering enthusiasm for RBLDNSD and rsync in the DNSBL community.
> RBLDNSD+rsync made sense before the (de facto standard) DNS protocol
> had incremental zone transfers and updates. It is a bug today.
> That use of RBLDNSD+rsync has become a serious problem. Among the
> problems it causes are:
>
> - IPv6 DNS server caches
> If IXFR were used to distribute DNSBL data, then wildcards
> that cover entire CIDR blocks (both IPv4 and IPv6) could be
> published and there would be no IPv6 cache explosion issue.
>
> - Authentication
> RBLDNSD doesn't support DNSSEC, so that any of the many men
> in the middle between small DNSBL clients and the servers
> they use can "improve" passing DNSBL data.
>
> I know nothing about how Spamhaus and the Spamhaus DNSBL mirrors control
> access, but I doubt they use firewalls except to completely block
> persistently abusive clients. Firewalls trying to rate limit need to
> keep state, and stateful firewalls are infamous for collapsing under
> the weight of irrelevant state when someone tries to apply them to
> this kind of problem.
>
>
>> What is the way to provide DNSBL using bind??
>
> BIND and other full featured DNS implementations are used to answer
> DNSBL requests as well as requests for records in larger and more
> frequently changing DNS zones than any of the DNSBLs. Consider what
> happens in the major gTLDs today. Things have changed since RBLDNSD
> appeared and when a change to example.com took weeks.
>
> Consider the fact that some Spamhaus DNSBL zones are available as RPZ
> zones. See https://www.google.com/search?q=dns+rpz
Some, not all.
As a matter of interest, if one had a DNSBL with 5.5 million entries (i.e. 5.5 million IPs):
1) What needs to be done to rewrite that to a BIND zone?
2) What sort of machine would be required to load that zone?
3) How long would it take to load into BIND?
TIA
Simon
>> I was looking for something like that but I am sure a dynamic DB is
>> needed for the task right?
>
> Large DNSBLs are not very dynamic, because they have relatively few
> changes per day. From another perspective, with the popularity of
> dynamically updating forward and reverse DNS zones as end-user IP
> addresses change, why isn't the machinery in any full featured
> DNS implementation a "dynamic DB"? The term "database" should not
> imply "sql" or even "relational."
>
>
> Vernon Schryver vjs at rhyolite.com
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
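As an added example for question 1 above (what has to happen to an IP list before BIND can serve it), and for the point in the quoted text that wildcards can cover whole CIDR blocks, here is a small converter from a blocklist to DNSBL zone records. It is not code from either message and not ISC code; the zone name dnsbl.example, the 127.0.0.2-plus-TXT answer convention, the SOA/NS placeholder names and the sample entries are assumptions, and it handles IPv4 only.

```python
"""Rewrite an IP blocklist as BIND DNSBL zone records.

Added example for this thread, not code from the messages above or from
ISC.  Assumptions, all hypothetical: the zone is dnsbl.example, a listing
is answered with A 127.0.0.2 (the conventional DNSBL return code) plus a
TXT reason, and CIDR blocks become wildcard owner names.  IPv4 only.
"""
import ipaddress
from typing import Iterable, Optional

LISTED_A = "127.0.0.2"   # conventional "listed" answer; real zones define their own codes
TTL = 300


def reversed_octets(ip: ipaddress.IPv4Address) -> str:
    """DNSBL owner name for one address: 192.0.2.25 -> 25.2.0.192"""
    return ".".join(reversed(str(ip).split(".")))


def wildcard_owner(net: ipaddress.IPv4Network) -> str:
    """Wildcard owner for an octet-aligned block: 10.1.0.0/16 -> *.1.10"""
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "*." + ".".join(reversed(kept))


def owners_for(net: ipaddress.IPv4Network) -> list[str]:
    """Owner names (relative to the zone origin) that cover `net`.

    A DNS wildcard sits at a label boundary, so only /8, /16 and /24 map to
    one wildcard; other blocks expand to aligned sub-blocks, longer than /24 to hosts.
    """
    if net.prefixlen == 0:
        raise ValueError("refusing to list 0.0.0.0/0")
    if net.prefixlen > 24:
        return [reversed_octets(a) for a in net]   # iterating yields every address
    boundary = -(-net.prefixlen // 8) * 8          # next octet boundary: /22 -> 24
    return [wildcard_owner(sub) for sub in net.subnets(new_prefix=boundary)]


def zone_records(entries: Iterable[tuple[str, str]]) -> list[str]:
    """Zone-file lines for (entry, reason) pairs; entry is a host or CIDR.

    Overlaps are collapsed first, and that is a correctness requirement:
    per RFC 4592 a wildcard does not match when an intermediate node exists,
    so keeping host 25.2.0.192 next to wildcard *.0.192 would create the
    empty non-terminal 2.0.192 and silently delist the rest of 192.0.2.0/24.
    """
    nets, reasons = [], {}
    for entry, reason in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            raise ValueError(f"{entry}: this example handles IPv4 only")
        nets.append(net)
        reasons[net] = reason
    lines = []
    for net in ipaddress.collapse_addresses(nets):
        reason = reasons.get(net, "listed")        # merged blocks get a generic reason
        txt = '"' + reason.replace('"', '\\"') + '"'
        for owner in owners_for(net):
            lines.append(f"{owner} {TTL} IN A {LISTED_A}")
            lines.append(f"{owner} {TTL} IN TXT {txt}")
    return lines


def zone_file(origin: str, entries: Iterable[tuple[str, str]]) -> str:
    """Complete zone text; SOA/NS names and serial are placeholders."""
    header = [
        f"$ORIGIN {origin}.",
        f"$TTL {TTL}",
        f"@ IN SOA ns1.{origin}. hostmaster.{origin}. 2013092301 3600 900 604800 {TTL}",
        f"@ IN NS ns1.{origin}.",
    ]
    return "\n".join(header + zone_records(entries)) + "\n"


def lookup(lines: list[str], ip: str) -> Optional[str]:
    """Owner (exact or closest wildcard) that answers a query for `ip`, or None.

    Matches the server only because zone_records() collapsed the data, so no
    stray intermediate node can block a wildcard.
    """
    owners = {ln.split()[0] for ln in lines}
    qname = reversed_octets(ipaddress.IPv4Address(ip))   # what the MTA asks for
    if qname in owners:
        return qname
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in owners:
            return candidate
    return None


SAMPLE_ENTRIES = [                               # constructed sample, not a real list
    ("192.0.2.25", "spam source"),
    ("192.0.2.0/24", "whole block listed"),      # swallows the host above
    ("198.51.100.0/22", "snowshoe range"),       # becomes four /24 wildcards
    ("203.0.113.128/30", "small allocation"),    # becomes four host owners
]

if __name__ == "__main__":
    print(zone_file("dnsbl.example", SAMPLE_ENTRIES), end="")
```

The output can be checked with `named-checkzone dnsbl.example <file>` before loading. Two things the numbers in the question turn on: each host entry costs two records here (A and TXT), so 5.5 million hosts become 11 million records unless the list aggregates into wildcards, and aggregation is only safe after the collapse step, because a host record left inside a wildcarded block creates an empty non-terminal that stops the wildcard matching (RFC 4592).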