Variable SOAs in negative responses
Mark Andrews
marka at isc.org
Tue Jan 28 22:20:18 UTC 2014
In message <52E8258E.3060606 at hireahit.com>, Dave Warren writes:
> On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:
> > On 27.01.14 18:23, John Levine wrote:
> >> A friend (really) asks this question: they have some DNSBLs, which get
> >> a lot of queries. Sometimes the answer has A or TXT records, meaning
> >> the corresponding address is listed in the DNSBL, sometimes it's
> >> NXDOMAIN which means the address isn't.
> >>
> >> For addresses that aren't listed, some of the NXDOMAINs are a lot less
> >> likely to change than others, e.g., the address of an outbound mail
> >> server at a large mail provider is unlikely ever to be listed, but a
> >> random host at a hosting provider in India, who knows. So he'd like
> >> to have the TTLs on some of those NXDOMAINs be longer than others, by
> >> putting a different TTL in the SOA in the authority section.
> >
> > If you know those IPs, why do you check them for being listed at all?
>
> John's question was from the point of view of the DNSBL operator. How
> would a DNSBL operator stop users of that DNSBL from performing lookups
> on certain IPs, and why would they bother?
>
> > If any IP starts spamming, why give it a longer time to appear in the
> > blacklists? I don't think this makes sense at all...
>
> Because a lot of IPs simply are not candidates for listing at certain
> types of DNSBL sites. "Too big to block" is a thing.
>
> A more straightforward example: If your DNSBL is designed to only list
> IPs that are running vulnerable web scripts *and* are not also
> legitimate mail servers, then Google's outbound MX will *never* be
> candidates for listing (regardless of how much they spew) and therefore
> a very large TTL'd NXDOMAIN would be appropriate. Frankly, any
> legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN
> for this type of list, not just big players like Google.
Which, if the recursive servers are following RFC 2308, will be truncated to
~3 hours.
> If a DNSBL operator knows that certain IPs are not candidates for
> listing (or at least not candidates for automated listing), why not let
> DNS caches keep that information for as long as possible?
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
> Usenet is like a herd of performing elephants with diarrhea --
> massive, difficult to redirect, awe-inspiring, entertaining, and a
> source of mind-boggling amounts of shit when you least expect it.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
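To make the thread's point concrete, here is an added example (not code from the original post or from ISC): a hypothetical DNSBL zone "dnsbl.example" hands out a per-query SOA TTL on NXDOMAIN, long for a constructed "never listable" prefix and short otherwise, and a resolver applies RFC 2308, caching the negative answer for min(SOA TTL, SOA MINIMUM) and then capping it at a 3-hour negative-cache limit (the value BIND's max-ncache-ttl defaults to). The prefix, TTLs and zone name are constructed for the example.

```python
import ipaddress

# RFC 2308 section 5 recommends resolvers limit negative caching; BIND's
# max-ncache-ttl defaults to 10800 seconds (3 hours), which is what this models.
MAX_NCACHE_TTL = 10800

# Constructed policy for a hypothetical DNSBL zone: prefixes the operator deems
# never listable get a long NXDOMAIN TTL, everything else a short one.
ZONE = "dnsbl.example"
SOA_MINIMUM = 7 * 86400                                  # SOA MINIMUM field, 7 days
NEVER_LISTED = [ipaddress.ip_network("192.0.2.0/24")]   # TEST-NET-1 as a placeholder
LONG_TTL = 7 * 86400                                     # what the operator would like
SHORT_TTL = 300                                          # default for unknown hosts


def query_name_to_ip(qname):
    """Turn a DNSBL query name such as 4.3.2.1.dnsbl.example into 1.2.3.4."""
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = ZONE.split(".")
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError("query name is not under %s" % ZONE)
    octets = labels[:-len(zone_labels)]
    if len(octets) != 4:
        raise ValueError("expected four reversed octets")
    return ipaddress.ip_address(".".join(reversed(octets)))


def authoritative_nxdomain(qname):
    """Server side: pick the SOA TTL for this NXDOMAIN per query name
    (the 'variable SOA in the authority section' idea from the thread)."""
    ip = query_name_to_ip(qname)
    ttl = LONG_TTL if any(ip in net for net in NEVER_LISTED) else SHORT_TTL
    # Only the authority-section SOA matters for negative caching, so that is
    # all the constructed response carries.
    return {"rcode": "NXDOMAIN", "soa_ttl": ttl, "soa_minimum": SOA_MINIMUM}


def resolver_negative_ttl(response, max_ncache_ttl=MAX_NCACHE_TTL):
    """Resolver side: RFC 2308 section 3 caches the negative answer for
    min(SOA TTL, SOA MINIMUM); section 5's local cap then truncates it."""
    ttl = min(response["soa_ttl"], response["soa_minimum"])
    return min(ttl, max_ncache_ttl)


if __name__ == "__main__":
    for name in ("1.2.0.192.dnsbl.example", "4.3.2.1.dnsbl.example"):
        resp = authoritative_nxdomain(name)
        print(name, "SOA TTL", resp["soa_ttl"], "cached", resolver_negative_ttl(resp))
```

The seven-day TTL the operator sends for 192.0.2.1 survives only as 10800 seconds in a resolver with the default cap, while the 300-second answer is cached as sent.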