Ignoring unqualified MX's ?

torben fjerdingstad unitfj-bind at tfj.rnd.uni-c.dk
Wed Mar 22 13:18:42 UTC 2000


On Wed, Mar 22, 2000 at 01:43:27PM +0100, Ralf Hildebrandt wrote:
> On Wed, Mar 22, 2000 at 10:08:45AM +0100, torben fjerdingstad wrote:
> 
> > Both places we use bind. I would like a bind solution, which
> > simply discards the bogus MX information.
> > 
> > If it is not possible to make bind junk unqualified MX'es,
> > I would be happy with a patch (or an explanation of why bind
> > must announce unqualified MX'es).
> > 
> > I think I have pointed out a security problem in bind.
> > Am I wrong?
> 
> Normally you wouldn't accept or relay mail for a domain you are MX for --
> just because it's in the DNS -- unless you specify
> FEATURE(relay_based_on_MX) (for sendmail). 

Dunno. Personally I stick to qmail which must have that domain
in the rcpthosts file to accept the mail. I don't know what
options our customer has with his PMDF (I forget the exact
name) mailer.

> Nevertheless this can lead to a DOS, since bounces are sent locally, and
> since these cannot be delivered, you end up with double-bounces piling up in
> the mailbox.

Yes!
At least, it is nice to the network, because bounces don't get far :-(

> The solution would be to disallow "localhost" for MX records.

Not enough. How about unqualified hostnames like mail, www,
mailhost mailserver (anyserver) and so on.

funnydomain.net.
@	SOA ......
		IN	MX	10 localhost.
		IN	MX	20 mail.
		IN	MX	30 www.
		IN	MX	40 mailhost.


I think the best solution is to ignore unqualified-host MX'es.
That will also make some smtp's reject the spam early,
when the sender domain does not resolve.

-- 
Med venlig hilsen / Regards 
Netdriftgruppen / Network Management Group
UNI-C          

Tlf./Phone   +45 35 87 89 41        Mail:  UNI-C                                
Fax.         +45 35 87 89 90               Bygning 304
E-mail: torben.fjerdingstad at uni-c.dk       DK-2800 Lyngby
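
The filtering proposed in this message, sketched as an added example that is not part of the original post and is not BIND code: it reads MX lines in the zone-file form shown above, expands relative names under the origin, and drops targets that are a single label or end in `localhost`. The function names, the `mx1.example.net.` target and the relative `mail` record are assumptions constructed for illustration.

```python
import re

# Constructed sample: the MX set from the message, plus a relative name and
# a normal target (both added here for contrast).
SAMPLE_ZONE = """\
		IN	MX	10 localhost.
		IN	MX	20 mail.
		IN	MX	30 www.
		IN	MX	40 mailhost.
		IN	MX	50 mail          ; relative: expands under the origin
		IN	MX	60 mx1.example.net.
"""

MX_RE = re.compile(r"\bMX\s+(\d+)\s+(\S+)", re.IGNORECASE)


def absolute(target, origin):
    """Expand a zone-file name: no trailing dot means relative to origin."""
    if target == "@":
        return origin.lower()
    if target.endswith("."):
        return target.lower()
    return (target + "." + origin).lower()


def classify(fqdn):
    """Return 'ok', 'loopback' or 'unqualified' for an absolute MX target."""
    labels = [l for l in fqdn.rstrip(".").split(".") if l]
    if labels and labels[-1] == "localhost":
        return "loopback"
    if len(labels) < 2:
        return "unqualified"
    return "ok"


def filter_mx(zone_text, origin):
    """Split MX records into (kept, dropped) lists of (pref, fqdn, verdict)."""
    kept, dropped = [], []
    for line in zone_text.splitlines():
        m = MX_RE.search(line.split(";", 1)[0])  # ignore zone-file comments
        if not m:
            continue
        fqdn = absolute(m.group(2), origin)
        verdict = classify(fqdn)
        (kept if verdict == "ok" else dropped).append((int(m.group(1)), fqdn, verdict))
    return kept, dropped


if __name__ == "__main__":
    for bucket, recs in zip(("keep", "drop"), filter_mx(SAMPLE_ZONE, "funnydomain.net.")):
        for rec in recs:
            print(bucket, rec)
```

The trailing dot is what separates the bogus `mail.` from a legitimate relative `mail`, so a filter has to work on the absolute name rather than on the text as written in the zone file.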



