Use of DNS as Distributed Database

Sat Oct 5 16:18:28 UTC 2002

Daniel Feenberg <nodrfspam at> wrote:

> Some time ago I was told of a well known article on the 
> dangers of using the existing DNS system as a distributed 
> database for non-DNS information. An hour with Google hasn't 
> turned it up. Can anyone refer me to it? Are  there dangers 
> to worry about beyond the obvious limitations of datatypes 
> and caching? Was the article an attack on the use
> of DNS for distributing SPAM blacklist information or did it have
> some other agenda? Am I even right to consider the anti-spam 
> blacklists implementations of a distributed database in DNS?

Cannot answer why it should be dangerous to distribute non-DNS data
with BIND. But most spam blocklists are distributed via DNS. is one of the "better ones", they use 10 servers :

  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A
  23h58m34s IN A

The "offending IPs" are stored in <ip-backwards> ,
if there is any spam or spam support from this IP it will be
"found" in DNS with an 'A' record in the 127-range.

An example spammer:
> dig

; <<>> DiG 8.3 <<>>
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10
;;, type = A, class = IN


( ip found, thus a known spammer )

The above is typically used by MTAs, most already have "cookbook recipes"
for enabling them, for sendmail one just does :
FEATURE(dnsbl, `', `Rejected - see')dnl

in the .mc file when configuring your MTA.

( Sorry for being elaborate in the wrong group )
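The lookup the message above describes (reverse the IPv4 octets, query that name under the list's zone, and treat an A record in the 127 range as "listed"), as an added Python example that is not part of the original post. The zone name dnsbl.example and the resolver table are constructed stand-ins so it runs offline; the check also ignores answers outside 127.0.0.0/8, which is the guard an MTA wants when a lapsed list's domain ends up parked behind a wildcard A record.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Hypothetical DNSBL zone used for this example (not a real list).
ZONE = "dnsbl.example"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL lookup name: octets of the IPv4 address reversed, under the zone.

    198.51.100.23 under dnsbl.example becomes 23.100.51.198.dnsbl.example
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, resolve: Callable[[str], Optional[str]], zone: str = ZONE) -> bool:
    """Return True only if the lookup answers with an A record inside 127.0.0.0/8.

    resolve(name) returns the A record as a string, or None for NXDOMAIN.
    NXDOMAIN means "not listed". An answer outside 127.0.0.0/8 is treated
    as "not listed" too: a defunct list whose domain is parked behind a
    wildcard A record would otherwise reject every sender.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False  # non-address garbage in the answer: do not trust it


# Constructed stand-in for the DNS resolver so the example runs offline.
FAKE_ZONE_DATA: Dict[str, str] = {
    "23.100.51.198.dnsbl.example": "127.0.0.2",   # a listed host
    "9.100.51.198.dnsbl.example": "203.0.113.9",  # bogus non-127 answer
}


def fake_resolve(name: str) -> Optional[str]:
    """Look the name up in the constructed table; None plays the role of NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for sender in ("198.51.100.23", "198.51.100.9", "192.0.2.1"):
        print(sender, "listed" if is_listed(sender, fake_resolve) else "not listed")
```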

