On 2014-01-28 14:20, Mark Andrews wrote:
> In message <52e8258e.3060...@hireahit.com>, Dave Warren writes:
>> On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:
>>> On 27.01.14 18:23, John Levine wrote:
>>>> A friend (really) asks this question: they have some DNSBLs, which get
>>>> a lot of queries.  Sometimes the answer has A or TXT records, meaning
>>>> the corresponding address is listed in the DNSBL, sometimes it's
>>>> NXDOMAIN which means the address isn't.
>>>>
>>>> For addresses that aren't listed, some of the NXDOMAINs are a lot less
>>>> likely to change than others, e.g., the address of an outbound mail
>>>> server at a large mail provider is unlikely ever to be listed, but a
>>>> random host at a hosting provider in India, who knows.  So he'd like
>>>> to have the TTLs on some of those NXDOMAINs be longer than others, by
>>>> putting a different TTL in the SOA in the authority section.
>>> If you know those IPs, why do you check them for being listed at all?
>> John's question was from the point of view of the DNSBL operator. How
>> would a DNSBL operator stop users of that DNSBL from performing lookups
>> on certain IPs, and why would they bother?
>>
>>> If any IP starts spamming, why give it a longer time to appear in the
>>> blacklists? I don't think this makes sense at all...
>> Because a lot of IPs simply are not candidates for listing at certain
>> types of DNSBL sites. "Too big to block" is a thing.
>>
>> A more straightforward example: If your DNSBL is designed to only list
>> IPs that are running vulnerable web scripts *and* are not also
>> legitimate mail servers, then Google's outbound MX will *never* be
>> candidates for listing (regardless of how much they spew) and therefore
>> a very large TTL'd NXDOMAIN would be appropriate. Frankly, any
>> legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN
>> for this type of list, not just big players like Google.
> Which, if the recursive servers are following RFC 2308, will be truncated to
> ~3 hours.

Which is quite reasonable, given that many DNSBLs (especially those that aim to list zombies and other malware infections) update multiple times per minute (or are simply maintained dynamically, without a defined "refresh"), and therefore want to use NXDOMAIN TTLs that are quite short, perhaps in the range of minutes, so that freshly discovered zombies are listed absolutely as soon as possible.

These are exactly the type of DNSBLs that will benefit from low NXDOMAIN TTLs on most IPs and higher TTLs on definitely-won't-be-listed IPs like major mail servers.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.
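The two halves of the thread above (the DNSBL operator choosing a per-address SOA TTL for NXDOMAIN answers, and the recursive server clamping that value under RFC 2308) can be shown together in a small model. This is an added example, not code from anyone in this thread or from any DNSBL or BIND: the zone name, the "never listed" networks (taken from the documentation address ranges), the two TTL values and the 3-hour resolver cap are all constructed assumptions; the cap matches the one-to-three-hour guidance in RFC 2308 section 5, and the min(SOA TTL, SOA MINIMUM) rule is RFC 2308 section 3.

```python
import ipaddress
from dataclasses import dataclass

# Resolver-side limit on negative caching. RFC 2308 section 5 suggests one to
# three hours as a sensible default; 10800 s is the 3-hour value Mark mentions.
DEFAULT_MAX_NCACHE_TTL = 10800

# Constructed example data: address ranges this hypothetical list will never
# list (think "a large provider's outbound mail servers").
NEVER_LISTED = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

LONG_NEGATIVE_TTL = 86400   # one day: address can never become listed
SHORT_NEGATIVE_TTL = 300    # five minutes: a fresh zombie should show up fast


@dataclass
class SOA:
    """The two SOA fields that matter for negative caching."""
    ttl: int        # TTL on the SOA RR placed in the authority section
    minimum: int    # MINIMUM field inside the SOA RDATA


def ip_from_dnsbl_query(qname, zone):
    """Turn '4.3.2.1.dnsbl.example.' into IPv4Address('1.2.3.4')."""
    qname = qname.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if not qname.endswith("." + zone):
        raise ValueError("query name is not under the DNSBL zone")
    labels = qname[: -len(zone) - 1].split(".")
    if len(labels) != 4:
        raise ValueError("expected four reversed IPv4 octets")
    return ipaddress.IPv4Address(".".join(reversed(labels)))


def soa_for_nxdomain(qname, zone):
    """DNSBL side: pick the SOA the authority section of an NXDOMAIN carries.

    Addresses that will never be listed get a long negative TTL; everything
    else gets a short one so new listings propagate quickly.
    """
    ip = ip_from_dnsbl_query(qname, zone)
    ttl = LONG_NEGATIVE_TTL if any(ip in net for net in NEVER_LISTED) else SHORT_NEGATIVE_TTL
    # Put the same value in both fields; a resolver takes the smaller of the two.
    return SOA(ttl=ttl, minimum=ttl)


def effective_negative_ttl(soa, max_ncache_ttl=DEFAULT_MAX_NCACHE_TTL):
    """Resolver side: how long the NXDOMAIN actually stays cached.

    RFC 2308 section 3: cache time is min(SOA TTL, SOA MINIMUM).
    RFC 2308 section 5: the resolver additionally applies its own ceiling.
    """
    return min(soa.ttl, soa.minimum, max_ncache_ttl)


if __name__ == "__main__":
    zone = "dnsbl.example"
    for name in ("1.2.0.192.dnsbl.example.", "10.113.0.203.dnsbl.example."):
        soa = soa_for_nxdomain(name, zone)
        print(name, "SOA TTL", soa.ttl, "cached for", effective_negative_ttl(soa), "s")
```

The second print line shows the thread's point in numbers: the operator asks for a one-day negative TTL on the never-listed address, but a resolver with the 3-hour ceiling stores it for 10800 s, while the 300 s answer for the ordinary address passes through unchanged. Raising `max_ncache_ttl` on the resolver side is the only way the longer value takes effect.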


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users