Variable SOAs in negative responses
Dave Warren
davew at hireahit.com
Tue Jan 28 21:47:58 UTC 2014
On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:
> On 27.01.14 18:23, John Levine wrote:
>> A friend (really) asks this question: they have some DNSBLs, which get
>> a lot of queries. Sometimes the answer has A or TXT records, meaning
>> the corresponding address is listed in the DNSBL, sometimes it's
>> NXDOMAIN which means the address isn't.
>>
>> For addresses that aren't listed, some of the NXDOMAINs are a lot less
>> likely to change than others, e.g, the address of an outbound mail
>> server at a large mail provider is unlikely ever to be listed, but a
>> random host at a hosting provider in India, who knows. So he'd like
>> to have the TTLs on some of those NXDOMAINs be longer than others, by
>> putting a different TTL in the SOA in the authority section.
>
> If you know those IPs, why do you check them for being listed at all?
John's question was from the point of view of the DNSBL operator. How
would a DNSBL operator stop users of that DNSBL from performing lookups
on certain IPs, and why would they bother?
> If any IP starts spamming, why give it more time to appear in the
> blacklists? I don't think this makes sense at all...
Because a lot of IPs simply are not candidates for listing at certain
types of DNSBL sites. "Too big to block" is a thing.
A more straightforward example: If your DNSBL is designed to only list
IPs that are running vulnerable web scripts *and* are not also
legitimate mail servers, then Google's outbound MX will *never* be
candidates for listing (regardless of how much they spew) and therefore
a very large TTL'd NXDOMAIN would be appropriate. Frankly, any
legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN
for this type of list, not just big players like Google.
If a DNSBL operator knows that certain IPs are not candidates for
listing (or at least not candidates for automated listing), why not let
DNS caches keep that information for as long as possible?
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.
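The mechanism the thread is discussing, as an added example that is not part of any message above: a DNSBL authoritative side that answers NXDOMAIN for unlisted addresses and picks the negative-caching TTL per query, plus the resolver-side rule from RFC 2308 that decides how long that NXDOMAIN is actually cached. The zone name "dnsbl.example.", the listed address, the "not a candidate" netblock and the TTL values are constructed for the example.

```python
"""Per-query negative-caching TTL for a DNSBL (constructed example).

Zone name, listings, netblocks and TTLs are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SOA:
    ttl: int      # TTL of the SOA RR itself, as sent in the authority section
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int  # RFC 2308 redefined this field as the negative-caching TTL

ZONE = "dnsbl.example."                                       # hypothetical zone
LISTED = {"192.0.2.77": "127.0.0.2"}                          # constructed listing -> A value
NEVER_CANDIDATES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed "too big to block" block
DEFAULT_NEG_TTL = 300     # short: status of an arbitrary host may change soon
LONG_NEG_TTL = 86400      # long: this address will not be listed by this list

def qname_to_ip(qname: str) -> Optional[str]:
    """'77.2.0.192.dnsbl.example.' -> '192.0.2.77'; None if not a 4-label reversed IPv4."""
    suffix = "." + ZONE
    if not qname.lower().endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None

def negative_ttl_for(ip: Optional[str]) -> int:
    """Policy: addresses that are never listing candidates get the long negative TTL."""
    if ip is None:
        return DEFAULT_NEG_TTL
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in NEVER_CANDIDATES):
        return LONG_NEG_TTL
    return DEFAULT_NEG_TTL

def make_soa(neg_ttl: int) -> SOA:
    # Both the SOA RR TTL and the MINIMUM field carry neg_ttl: resolvers use the smaller one.
    return SOA(ttl=neg_ttl, mname="ns1." + ZONE, rname="hostmaster." + ZONE,
               serial=2014012801, refresh=3600, retry=600, expire=604800, minimum=neg_ttl)

def build_response(qname: str) -> dict:
    """Authoritative answer for one query name (apex and non-IP owner names are out of scope)."""
    if not qname.lower().endswith("." + ZONE):
        return {"rcode": "REFUSED", "answer": [], "authority": None}
    ip = qname_to_ip(qname)
    if ip in LISTED:
        return {"rcode": "NOERROR", "answer": [(qname, "A", LISTED[ip])], "authority": None}
    # Unlisted: NXDOMAIN with an SOA in the authority section sized for this address.
    return {"rcode": "NXDOMAIN", "answer": [], "authority": make_soa(negative_ttl_for(ip))}

def negative_cache_ttl(soa: SOA) -> int:
    """RFC 2308 section 3: a negative answer is cached for min(SOA RR TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)

if __name__ == "__main__":
    for q in ("77.2.0.192.dnsbl.example.", "10.100.51.198.dnsbl.example.", "1.2.0.192.dnsbl.example."):
        r = build_response(q)
        cached = negative_cache_ttl(r["authority"]) if r["authority"] else None
        print(q, r["rcode"], r["answer"], "negative cache TTL:", cached)
```

Two caveats for anyone trying this against real resolvers. First, the cache takes the lesser of the SOA RR's own TTL and its MINIMUM field, so lowering only one of them silently shortens the long negative TTL; make_soa above sets both. Second, resolvers may cap negative caching independently of what the authority sends (BIND's max-ncache-ttl defaults to 10800 seconds), so an 86400-second NXDOMAIN will often be held for three hours, not a day, and the operator cannot rely on the longer value being honoured everywhere.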