HELP: Decommissioning a DNS anti-spam list

Robert Wessel robertwessel2 at yahoo.com
Sat Mar 20 03:23:49 UTC 2004


"Ronald F. Guilmette" <rfg at monkeys.com> wrote in message news:<c3fvk8$1qg5$1 at sf1.isc.org>...
> As some of you may know, up until last September, I ran a couple of
> DNS-based anti-spam lists.  As some of you may also know, I ceased
> doing so back in September, because I was DDoS'd by what I can only
> assume must have been spammers.
> 
> Anyway, I posted (in various places) an announcement back in September
> that I was shutting down my lists, and I posted a final ``end of life''
> announcement for the lists also about a month and a half ago.
> 
> Now, finally, I am _really_ trying to perform final decommissioning of
> my former anti-spam DNS lists.  (But as the old saying goes, ``No good
> deed goes unpunished.'')
> 
> The problem is that no matter what I do, I cannot seem to stop the
> ongoing torrent of queries against the zones, which are coming from
> literally thousands of different sites:
> 
> XX /140.105.16.62/51.30.135.194.proxies.relays.monkeys.com/A/IN/E
> XX /206.13.30.10/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
> XX /216.17.138.239/219.206.32.204.proxies.monkeys.com/PTR/IN/E
> XX /212.101.192.70/10.215.3.217.proxies.relays.monkeys.com/A/IN/E
> XX /206.13.30.27/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
> XX /206.222.1.3/214.133.43.217.formmail.relays.monkeys.com/A/IN/E
> XX /206.222.1.3/214.133.43.217.proxies.relays.monkeys.com/A/IN/E
> XX /140.239.96.4/216.213.229.217.proxies.relays.monkeys.com/A/IN/E
> XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
> XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
> XX /68.156.116.28/246.66.98.24.proxies.monkeys.com/PTR/IN/E
> XX /213.131.64.2/82.170.67.66.formmail.relays.monkeys.com/A/IN/E
> XX /213.131.64.2/82.170.67.66.proxies.relays.monkeys.com/A/IN/E
> XX /198.216.32.3/237.168.92.67.proxies.relays.monkeys.com/A/IN
> XX /140.239.96.4/53.43.174.200.proxies.relays.monkeys.com/A/IN/E
> XX /200.21.139.9/204.78.41.213.proxies.relays.monkeys.com/A/IN/E
> XX /216.17.138.239/219.206.32.204.formmail.monkeys.com/PTR/IN/E
> XX /200.152.96.5/116.142.230.195.proxies.relays.monkeys.com/A/IN
> XX /216.144.34.125/137.251.62.66.formmail.relays.monkeys.com/A/IN
> XX /216.144.34.125/137.251.62.66.proxies.relays.monkeys.com/A/IN
> XX /212.174.99.12/181.185.233.200.proxies.relays.monkeys.com/A/IN
> XX /196.25.96.130/52.141.112.82.proxies.relays.monkeys.com/PTR/IN
> XX /212.174.99.12/142.111.215.81.proxies.relays.monkeys.com/A/IN
> XX /216.74.18.36/107.77.8.67.proxies.relays.monkeys.com/A/IN
> XX /207.228.8.7/163.164.63.66.formmail.relays.monkeys.com/A/IN
> XX /63.148.157.4/69.43.70.64.proxies.relays.monkeys.com/A/IN
> XX /207.228.8.7/163.164.63.66.proxies.relays.monkeys.com/A/IN
> XX /62.53.231.14/149.126.213.66.proxies.relays.monkeys.com/ANY/IN
> XX /68.156.116.28/246.66.98.24.formmail.monkeys.com/PTR/IN/E
> XX /64.55.216.5/216.213.229.217.proxies.relays.monkeys.com/A/IN/E
> XX /217.20.160.162/2.142.207.64.proxies.relays.monkeys.com/AAAA/IN/E
> XX /216.74.18.35/124.25.173.67.proxies.relays.monkeys.com/A/IN
> XX /216.220.96.3/114.133.8.201.formmail.relays.monkeys.com/A/IN/E
> XX /209.164.29.37/5.140.182.207.proxies.relays.monkeys.com/A/IN/E
> XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
> XX /64.55.216.5/53.43.174.200.proxies.relays.monkeys.com/A/IN/E
> XX /66.153.44.26/31.248.148.216.proxies.relays.monkeys.com/A/IN
> XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
> XX /212.101.192.71/10.215.3.217.proxies.relays.monkeys.com/A/IN/E
> XX /140.105.17.182/51.30.135.194.proxies.relays.monkeys.com/A/IN/E
> ...
> and on and on, ad infinitum.
> 
> I have _very little_ bandwidth at my disposal, and now I need to reclaim
> that bandwidth for other purposes.  But these ongoing queries are sucking
> up more than half of the meager bandwidth that I have.
> 
> I have tried everything that I can think of to stop this flood of
> bogus queries already, and nothing has worked.  Nothing I have tried
> has even had any noticeable effect.  I've tried setting the relevant
> NS records to point into oblivion (specifically into the 224/8 space).
> I have also tried pointing the NS records back to the very same name
> servers elsewhere that are the most frequent ongoing troublemakers,
> i.e. most frequent queriers of my defunct anti-spam zones.  Now I am
> trying the following NS record:
> 
> *.relays.monkeys.com.	IN	NS	localhost.monkeys.com.
> 
> where `localhost.monkeys.com' resolves to 127.0.0.1 (in the hopes that
> those name servers that are annoying me now will end up just querying
> themselves, instead of me) but so far even this doesn't seem to be
> working very well.
> 
> Oh!  And I should mention that I also tried this:
> 
> *.relays.monkeys.com.	IN	A	127.0.0.2
> 			IN	TXT	"See http://www.monkeys.com/dnsbl/"
> 
> i.e. ``blacklist the Universe'', but even that only produced very limited
> success in terms of getting people to stop sending queries here for the
> dead and defunct anti-spam zones.
> 
> So can anybody help me with this?  There has GOT to be some way of
> decommissioning a zone such that further queries against the zone will not
> be a huge burden on _my_ bandwidth.  I just need somebody to tell me
> what it is.
> 
> Or is this impossible?  Is the design of the DNS protocol so ill-conceived
> as to make this kind of decommissioning impossible?
> 
> Please help me, and educate me.


Try claiming that the NS for relays.monkeys.com is in 224/8, and with
a nice long TTL.  Something like the following in the zone db file for
the monkeys.com name server:

  ; delegate the dead zone, with a week-long TTL, to a name whose only
  ; address is in multicast space (224/8), so resolvers cannot reach it
  relays 604800 IN NS blackhole.monkeys.com.
  blackhole.monkeys.com. 604800 IN A 224.0.0.1
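Whatever delegation trick is used, the first practical step is to find out which resolvers are generating most of the load, so their operators can be contacted or the traffic filtered upstream. The script below is an added example, not code from either poster; it tallies the query log lines quoted in the original post by client, dead zone, query type and the address each DNSBL lookup was checking. It assumes the lines are in BIND 8 query log format (`XX[+] /client/qname/qtype/class[/flags]`, the trailing flags field is kept but not interpreted) and that the four list zones visible in the log are the ones being decommissioned; the sample lines are a subset copied from the post.

```python
"""Tally BIND 8-style query log lines for decommissioned DNSBL zones.

Added example, not code from the original thread.  Assumed log format:
  XX[+] /client/qname/qtype/class[/flags]
The flags field is recorded but not interpreted.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines quoted in the post.
SAMPLE_LOG = """\
XX /140.105.16.62/51.30.135.194.proxies.relays.monkeys.com/A/IN/E
XX /206.13.30.10/68.200.213.209.proxies.relays.monkeys.com/A/IN/E
XX /216.17.138.239/219.206.32.204.proxies.monkeys.com/PTR/IN/E
XX /206.222.1.3/214.133.43.217.formmail.relays.monkeys.com/A/IN/E
XX /206.222.1.3/214.133.43.217.proxies.relays.monkeys.com/A/IN/E
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /168.243.42.248/23.255.102.194.proxies.relays.monkeys.com/A/IN
XX /62.53.231.14/149.126.213.66.proxies.relays.monkeys.com/ANY/IN
XX /217.20.160.162/2.142.207.64.proxies.relays.monkeys.com/AAAA/IN/E
XX /216.17.138.239/219.206.32.204.formmail.monkeys.com/PTR/IN/E
"""

# Zones being decommissioned (assumed from the log), longest first so that
# suffix matching prefers proxies.relays.monkeys.com over proxies.monkeys.com.
DEFUNCT_ZONES = sorted(
    ["proxies.relays.monkeys.com", "formmail.relays.monkeys.com",
     "proxies.monkeys.com", "formmail.monkeys.com"],
    key=len, reverse=True)

LINE_RE = re.compile(
    r"^XX\+?\s+/(?P<client>[^/]+)/(?P<qname>[^/]+)/(?P<qtype>[^/]+)"
    r"/(?P<qclass>[^/]+)(?:/(?P<flags>[^/]*))?$")
OCTETS_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_line(line):
    """Return the fields of one query log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def defunct_zone(qname):
    """Return which decommissioned zone qname falls under, or None."""
    name = qname.rstrip(".").lower()
    for zone in DEFUNCT_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def looked_up_ip(qname, zone):
    """Recover the address a DNSBL client was checking.

    DNSBL lookups put the checked IP in reversed-octet order in front of
    the list zone, so 51.30.135.194.<zone> is a check on 194.135.30.51.
    Returns None when the leading labels are not a valid IPv4 address.
    """
    prefix = qname.rstrip(".").lower()[: -(len(zone) + 1)]
    m = OCTETS_RE.match(prefix)
    if not m or any(int(o) > 255 for o in m.groups()):
        return None
    return ".".join(reversed(m.groups()))


def summarize(log_text):
    """Tally queries against the dead zones by client, zone, qtype and target."""
    clients, zones, qtypes, lookups = Counter(), Counter(), Counter(), Counter()
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone = defunct_zone(rec["qname"])
        if zone is None:          # query for a live name; not our problem here
            other += 1
            continue
        clients[rec["client"]] += 1
        zones[zone] += 1
        qtypes[rec["qtype"]] += 1
        ip = looked_up_ip(rec["qname"], zone)
        if ip:
            lookups[ip] += 1
    return {"clients": clients, "zones": zones, "qtypes": qtypes,
            "lookups": lookups, "other": other}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("top querying resolvers:", s["clients"].most_common(3))
    print("queries per dead zone:", dict(s["zones"]))
    print("query types:", dict(s["qtypes"]))
    print("most-checked addresses:", s["lookups"].most_common(3))
```

Run it against a full query log instead of `SAMPLE_LOG` and the `clients` counter gives the resolvers worth contacting first; the `lookups` counter shows whether the same client keeps re-checking the same address, which usually means a mail server that still has the dead list in its configuration rather than a resolver honouring a short TTL.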


More information about the bind-users mailing list