Variable SOAs in negative responses

Mark Andrews marka at isc.org
Tue Jan 28 22:20:18 UTC 2014


In message <52E8258E.3060606 at hireahit.com>, Dave Warren writes:
> On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:
> > On 27.01.14 18:23, John Levine wrote:
> >> A friend (really) asks this question: they have some DNSBLs, which get
> >> a lot of queries.  Sometimes the answer has A or TXT records, meaning
> >> the corresponding address is listed in the DNSBL, sometimes it's
> >> NXDOMAIN which means the address isn't.
> >>
> >> For addresses that aren't listed, some of the NXDOMAINs are a lot less
> >> likely to change than others, e.g, the address of an outbound mail
> >> server at a large mail provider is unlikely ever to be listed, but a
> >> random host at a hosting provider in India, who knows.  So he'd like
> >> to have the TTLs on some of those NXDOMAINs be longer than others, by
> >> putting a different TTL in the SOA in the authority section.
> >
> > If you know those IPs, why do you check them for being listed at all?
> 
> John's question was from the point of view of the DNSBL operator. How 
> would a DNSBL operator stop users of that DNSBL from performing lookups 
> on certain IPs, and why would they bother?
> 
> > If any IP starts spamming, why to give it longer time to appear in the
> > blacklists? I don't think this makes sense at all...
> 
> Because a lot of IPs simply are not candidates for listing at certain 
> types of DNSBL sites. "Too big to block" is a thing.
> 
> A more straightforward example: If your DNSBL is designed to only list 
> IPs that are running vulnerable web scripts *and* are not also 
> legitimate mail servers, then Google's outbound MX will *never* be 
> candidates for listing (regardless of how much they spew) and therefore 
> a very large TTL'd NXDOMAIN would be appropriate. Frankly, any 
> legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN 
> for this type of list, not just big players like Google.

Which, if the recursive servers are following RFC 2308, will be truncated to
~3 hours.
 
> If a DNSBL operator knows that certain IPs are not candidates for 
> listing (or at least not candidates for automated listing), why not let 
> DNS caches keep that information for as long as possible?
> 
> -- 
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
> 
> Usenet is like a herd of performing elephants with diarrhea --
> massive, difficult to redirect, awe-inspiring, entertaining, and a
> source of mind-boggling amounts of shit when you least expect it.
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
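The point Mark makes about the SOA-derived TTL being truncated, worked through as an added example that is not part of the thread: RFC 2308 has the resolver cache an NXDOMAIN for min(SOA RR TTL, SOA MINIMUM) and then apply its own negative-cache limit. The 10800 second cap, the `SOA`/`parse_soa_authority_line`/`negative_ttl_from_soa`/`cached_negative_ttl` names and the sample authority-section lines are assumptions made for this example.

```python
"""Effective lifetime of a cached NXDOMAIN under RFC 2308 (example code,
not from the thread). RESOLVER_NCACHE_CAP is an assumed resolver limit of
three hours; it is the kind of limit the reply refers to, not a value
taken from any one implementation's configuration."""
from dataclasses import dataclass

RESOLVER_NCACHE_CAP = 10800  # assumed resolver negative-cache limit (seconds)


@dataclass(frozen=True)
class SOA:
    ttl: int      # TTL of the SOA RR as sent in the authority section
    minimum: int  # MINIMUM field of the SOA RDATA


def parse_soa_authority_line(line: str) -> SOA:
    """Parse a dig-style presentation line such as
    'dnsbl.example. 86400 IN SOA ns. hostmaster. 1 3600 900 604800 300'.
    Fields: owner, ttl, class, type, mname, rname, serial, refresh,
    retry, expire, minimum."""
    fields = line.split()
    if len(fields) != 11 or fields[2] != "IN" or fields[3] != "SOA":
        raise ValueError(f"not an SOA presentation line: {line!r}")
    return SOA(ttl=int(fields[1]), minimum=int(fields[10]))


def negative_ttl_from_soa(soa: SOA) -> int:
    """RFC 2308 section 3: the negative TTL the authority advertises is
    the smaller of the SOA RR's TTL and its MINIMUM field."""
    return min(soa.ttl, soa.minimum)


def cached_negative_ttl(soa: SOA, cap: int = RESOLVER_NCACHE_CAP) -> int:
    """RFC 2308 section 5: a resolver bounds negative caching by its own
    limit, so an operator cannot push the cached lifetime past the cap."""
    return min(negative_ttl_from_soa(soa), cap)


if __name__ == "__main__":
    # Constructed sample: one SOA for "never listable" addresses (a week),
    # one for addresses whose status may change soon (five minutes).
    for line in (
        "dnsbl.example. 604800 IN SOA ns. hostmaster. 1 3600 900 604800 604800",
        "dnsbl.example. 300 IN SOA ns. hostmaster. 1 3600 900 604800 300",
    ):
        soa = parse_soa_authority_line(line)
        print(negative_ttl_from_soa(soa), "->", cached_negative_ttl(soa))
```

The long TTL collapses to the cap while the short one survives unchanged, which is why varying the SOA only buys differentiation below the resolvers' limit.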

