In message <52e8258e.3060...@hireahit.com>, Dave Warren writes:

> On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:
> > On 27.01.14 18:23, John Levine wrote:
> >> A friend (really) asks this question: they have some DNSBLs, which get
> >> a lot of queries. Sometimes the answer has A or TXT records, meaning
> >> the corresponding address is listed in the DNSBL, sometimes it's
> >> NXDOMAIN which means the address isn't.
> >>
> >> For addresses that aren't listed, some of the NXDOMAINs are a lot less
> >> likely to change than others, e.g., the address of an outbound mail
> >> server at a large mail provider is unlikely ever to be listed, but a
> >> random host at a hosting provider in India, who knows. So he'd like
> >> to have the TTLs on some of those NXDOMAINs be longer than others, by
> >> putting a different TTL in the SOA in the authority section.
> >
> > If you know those IPs, why do you check them for being listed at all?
>
> John's question was from the point of view of the DNSBL operator. How
> would a DNSBL operator stop users of that DNSBL from performing lookups
> on certain IPs, and why would they bother?
>
> > If any IP starts spamming, why give it longer time to appear in the
> > blacklists? I don't think this makes sense at all...
>
> Because a lot of IPs simply are not candidates for listing at certain
> types of DNSBL sites. "Too big to block" is a thing.
>
> A more straightforward example: If your DNSBL is designed to only list
> IPs that are running vulnerable web scripts *and* are not also
> legitimate mail servers, then Google's outbound MX will *never* be
> candidates for listing (regardless of how much they spew) and therefore
> a very large TTL'd NXDOMAIN would be appropriate. Frankly, any
> legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN
> for this type of list, not just big players like Google.
Which, if the recursive servers are following RFC 2308, will be truncated to ~3 hours.

> If a DNSBL operator knows that certain IPs are not candidates for
> listing (or at least not candidates for automated listing), why not let
> DNS caches keep that information for as long as possible?
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
> Usenet is like a herd of performing elephants with diarrhea --
> massive, difficult to redirect, awe-inspiring, entertaining, and a
> source of mind-boggling amounts of shit when you least expect it.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
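The TTL arithmetic behind Mark's remark, as an added example that is not part of this thread: it applies RFC 2308's rule that the negative TTL is min(SOA TTL, SOA MINIMUM) and then the resolver-side cap (10800 seconds is BIND 9's documented default for max-ncache-ttl); the zone name, SOA lines and TTL values are constructed, and the dig-style parser handles only the one-line presentation format.

```python
"""How a recursive resolver derives the TTL it keeps an NXDOMAIN for (RFC 2308)."""
from dataclasses import dataclass

# BIND 9 option max-ncache-ttl; 10800 s (3 hours) is its documented default.
# Assumption: the resolvers querying the DNSBL run with stock settings.
BIND_DEFAULT_MAX_NCACHE_TTL = 10800


@dataclass(frozen=True)
class AuthoritySoa:
    """The SOA a DNSBL returns in the authority section of an NXDOMAIN reply."""
    ttl: int      # TTL on the SOA RR itself (what the operator proposes to vary)
    minimum: int  # MINIMUM field inside the SOA RDATA


def soa_from_dig_line(line: str) -> AuthoritySoa:
    """Pull TTL and MINIMUM out of an SOA line in dig's presentation format."""
    f = line.split()  # name ttl class SOA mname rname serial refresh retry expire minimum
    if len(f) != 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError(f"not an SOA presentation line: {line!r}")
    return AuthoritySoa(ttl=int(f[1]), minimum=int(f[10]))


def negative_ttl_requested(soa: AuthoritySoa) -> int:
    """RFC 2308 section 3: the authoritative side asks for min(SOA TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)


def negative_ttl_cached(soa: AuthoritySoa, max_ncache_ttl: int = BIND_DEFAULT_MAX_NCACHE_TTL) -> int:
    """RFC 2308 section 5 lets a resolver cap that value; BIND does so via max-ncache-ttl."""
    return min(negative_ttl_requested(soa), max_ncache_ttl)


# Constructed sample replies from one zone (MINIMUM is fixed per zone, here one week):
# a one-week SOA TTL for a "never listed" address, ten minutes for an ordinary one.
NEVER_LISTED_REPLY = soa_from_dig_line(
    "dnsbl.example. 604800 IN SOA ns.dnsbl.example. hostmaster.dnsbl.example. 2014012801 3600 600 604800 604800")
ORDINARY_REPLY = soa_from_dig_line(
    "dnsbl.example. 600 IN SOA ns.dnsbl.example. hostmaster.dnsbl.example. 2014012801 3600 600 604800 604800")


def operator_intent_vs_cache(max_ncache_ttl: int = BIND_DEFAULT_MAX_NCACHE_TTL) -> dict:
    """Requested versus actually cached negative TTL for both classes of address."""
    return {name: (negative_ttl_requested(soa), negative_ttl_cached(soa, max_ncache_ttl))
            for name, soa in (("never_listed", NEVER_LISTED_REPLY), ("ordinary", ORDINARY_REPLY))}


if __name__ == "__main__":
    for name, (asked, kept) in operator_intent_vs_cache().items():
        print(f"{name:13s} asked for {asked:7d}s; a stock BIND resolver keeps {kept:6d}s")
```

Raising the cap only helps if every resolver operator does it, so the long-lived NXDOMAIN the DNSBL hands out is a hint, not a guarantee.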