"David F. Skoll" <d...@roaringpenguin.com> wrote:

> On Thu, 07 Jul 2011 15:31:47 +0200
> Andrzej Adam Filip <andrzej.fi...@gmail.com> wrote:
>
>> > The point is that by definition, you can't have a per-IP
>> > negative-cache TTL.
>
>> But it is possible to use a wildcard DNS record for "not listed",
>> isn't it? :-)
>
> That would not work well at all... think about the ramifications. :)
> Either the cached wildcard record would prevent you from querying IPs
> you've never seen before (in which case the DNSBL would be useless) or
> it would forward the specific query anyway (in which case it does nothing
> to solve the problem.)
In the email you replied to, I merely suggested using wildcards for */24
and */16 nets with a "not listed" record to allow setting a different TTL.
[As I understand it, this will do little beyond allowing a custom TTL.]

> Anyway, IMO, DNS should not be used for blacklist lookups over the
> Internet. DNS was never designed for that; it just happens to
> sort-of-work. DNSRBLs are frequently-changing and are supposed to
> provide up-to-the-minute information. DNS is a good protocol for
> querying a local authoritative name server, but it's not good for
> distributing large volumes of quickly-changing, required-to-be-fresh
> data across the Internet.

*But*

a1) DNS servers (forwarders) can be modified, e.g. to treat a cached record
for 3.2.1.dnsbl.example.net as matching a query for
4.3.2.1.dnsbl.example.net [on a per-domain basis or per *new* DNS record]

a2) DNS servers (authoritative) may be modified to *append* such a "more
general" reply when possible

b) I bet [not too much :-)] that some tricks with delegations (NS records)
in a 4.3.2.1.in-addr.arpa style structure would allow achieving better
"negative caching" for */24 and */16 nets.

> (What's saving us is computing power and bandwidth. Modern name servers
> can handle a huge number of queries without too much trouble, so people
> never even noticed that caching wasn't buying them anything.)

To put it in a way we may both accept:
Improving DNSBL/DNSWL "cache-ability" is not an urgent need :-)

-- 
[pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu
Eeny, Meeny, Jelly Beanie, the spirits are about to speak! -- Bullwinkle Moose
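The following simulation illustrates points a1 and a2 from the message above, and the freshness cost David Skoll raises against them. It is an added example written for this page, not code from either poster or from any real resolver or DNSBL. It assumes a hypothetical authoritative server that answers each query with a `(listed, scope_prefix_len, ttl)` triple, where a "not listed" answer scoped to the /24 means "nothing in this /24 is listed", and a forwarder-side cache that reuses any cached answer whose scope covers the queried address, most specific match first. The zone name `dnsbl.example.net` is taken from the thread; the listed addresses, TTLs and query sequence are constructed for the demonstration.

```python
import ipaddress
import time
from typing import Callable, Dict, Tuple

DNSBL_ZONE = "dnsbl.example.net"   # placeholder zone from the thread, not a real DNSBL


def reverse_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the conventional DNSBL query name: 1.2.3.4 -> 4.3.2.1.dnsbl.example.net."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed authoritative data: two listed hosts (hypothetical, for the demo).
LISTED = {"9.9.9.9", "10.20.30.40"}


def authoritative(ip: str) -> Tuple[bool, int, int]:
    """Hypothetical upstream answering (listed, scope_prefix_len, ttl_seconds).

    When nothing in the querier's /24 is listed it says so with scope 24
    (point a2: the server appends the more general answer); otherwise the
    answer is specific to the /32 so neighbours of a listed host still get
    their own lookup.
    """
    if ip in LISTED:
        return True, 32, 300
    net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
    if not any(ipaddress.ip_address(x) in net24 for x in LISTED):
        return False, 24, 3600
    return False, 32, 300


class ScopedNegativeCache:
    """Forwarder-side cache implementing point a1: a cached answer whose scope
    covers the queried address is reused instead of forwarding the query."""

    def __init__(self, upstream: Callable[[str], Tuple[bool, int, int]],
                 clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.entries: Dict[ipaddress.IPv4Network, Tuple[bool, float]] = {}
        self.forwarded = 0

    def lookup(self, ip: str) -> Tuple[bool, str]:
        now = self.clock()
        # Most specific first: a /32 listing must beat a /24 "not listed".
        for plen in (32, 24, 16):
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            hit = self.entries.get(net)
            if hit is None:
                continue
            listed, expires_at = hit
            if expires_at <= now:
                del self.entries[net]       # expired, fall through to upstream
                continue
            return listed, "cache"
        listed, scope, ttl = self.upstream(ip)
        self.forwarded += 1
        net = ipaddress.ip_network(f"{ip}/{scope}", strict=False)
        self.entries[net] = (listed, now + ttl)
        return listed, "upstream"


def demo() -> dict:
    """Run a fixed query sequence against a fake clock and report what happened."""
    LISTED.discard("1.2.3.7")               # keep the demo repeatable
    t = [0.0]
    cache = ScopedNegativeCache(authoritative, clock=lambda: t[0])
    log = []
    for ip in ["1.2.3.4", "1.2.3.5", "1.2.3.6",   # clean /24: one forward, two cache hits
               "9.9.9.9", "9.9.9.10",             # listed host, then its neighbour (/32 scope)
               "10.20.30.41"]:                    # neighbour of the other listed host
        log.append((ip, *cache.lookup(ip)))
    # The cost of the idea: a host listed after the /24 "not listed" answer was
    # cached stays invisible until that TTL expires (the freshness objection).
    LISTED.add("1.2.3.7")
    log.append(("1.2.3.7", *cache.lookup("1.2.3.7")))   # still "not listed", from cache
    t[0] = 3601.0                                        # advance past the 3600 s TTL
    log.append(("1.2.3.7", *cache.lookup("1.2.3.7")))   # expired, forwarded, now listed
    return {"log": log, "forwarded": cache.forwarded}


if __name__ == "__main__":
    for ip, listed, source in demo()["log"]:
        print(f"{reverse_name(ip):32} listed={listed!s:5} via {source}")
```

Eight queries cost five upstream round trips instead of eight, and the two neighbours of listed hosts are still forwarded because their /24 answers are scoped to /32. The last two log entries show the trade-off: the newly listed 1.2.3.7 is answered "not listed" from the cached /24 entry until its TTL runs out, which is exactly why a long negative TTL buys cache hits at the expense of freshness.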