Use of DNS as Distributed Database
phn at icke-reklam.ipsec.nu
Sat Oct 5 16:18:28 UTC 2002
Daniel Feenberg <nodrfspam at nber.org> wrote:
> Some time ago I was told of a well known article on the
> dangers of using the existing DNS system as a distributed
> database for non-DNS information. An hour with Google hasn't
> turned it up. Can anyone refer me to it? Are there dangers
> to worry about beyond the obvious limitations of datatypes
> and caching? Was the article an attack on the use
> of DNS for distributing SPAM blacklist information or did it have
> some other agenda? Am I even right to consider the anti-spam
> blacklists implementations of a distributed database in DNS?
I cannot answer why it should be dangerous to distribute non-DNS data
with BIND, but most spam blocklists are distributed via DNS.
relays.osirusoft.com is one of the "better ones"; they use 10 servers:
ns1-relays.osirusoft.com. 23h58m34s IN A 168.103.84.165
ns1-relays.osirusoft.com. 23h58m34s IN A 195.115.72.9
ns1-relays.osirusoft.com. 23h58m34s IN A 195.154.210.134
ns1-relays.osirusoft.com. 23h58m34s IN A 203.16.167.1
ns1-relays.osirusoft.com. 23h58m34s IN A 130.239.18.162
ns2-relays.osirusoft.com. 23h58m34s IN A 195.86.134.127
ns2-relays.osirusoft.com. 23h58m34s IN A 207.171.128.15
ns2-relays.osirusoft.com. 23h58m34s IN A 64.39.15.246
ns2-relays.osirusoft.com. 23h58m34s IN A 66.33.98.17
ns2-relays.osirusoft.com. 23h58m34s IN A 168.103.84.163
The "offending IPs" are stored as <ip-backwards>.relays.osirusoft.com;
if there is any spam or spam support from this IP it will be
"found" in DNS with an 'A' record in the 127 range.
An example spammer: 80.78.142.10
> dig 10.142.78.80.relays.osirusoft.com
; <<>> DiG 8.3 <<>> 10.142.78.80.relays.osirusoft.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10
;; QUERY SECTION:
;; 10.142.78.80.relays.osirusoft.com, type = A, class = IN
;; ANSWER SECTION:
10.142.78.80.relays.osirusoft.com. 12H IN A 127.0.0.9
(IP found, thus a known spammer)
The above is typically used by MTAs; most already have "cookbook recipes"
for enabling them. For sendmail one just does:
FEATURE(dnsbl, `relays.osirusoft.com', `Rejected - see http://relays.osirusoft.com/')dnl
in the .mc file when configuring your MTA.
(Sorry for being elaborate in the wrong group)
> Daniel Feenberg
> feenberg isat nber.org
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out;
remove "icke-reklam" if you feel like mailing me. Thanks.
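As an added example (not code from the post, from BIND, or from any DNSBL operator), here is the MTA-side check described above in Python: reverse the octets, append the zone, and count only an A answer in 127.0.0.0/8 as a listing. The resolver is a constructed offline stub that returns the post's dig result; a real deployment would swap in an actual DNS lookup, and the names `check_sender` and `fake_resolve_a` are this example's own.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A DNSBL signals "listed" with an A record in this range; the post's
# example answer 127.0.0.9 falls inside it.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Octets reversed, zone appended: 80.78.142.10 -> 10.142.78.80.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("only IPv4 lookups are handled here")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def interpret_answers(answers: List[str]) -> Tuple[List[str], List[str]]:
    """Split A answers into listing codes (127/8) and unexpected ones.

    No answers (NXDOMAIN) means not listed. Answers outside 127/8 are
    reported separately instead of being treated as a listing, so a zone
    that starts returning arbitrary addresses (e.g. a wildcard) does not
    cause every sender to be rejected.
    """
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    unexpected = [a for a in answers if a not in codes]
    return codes, unexpected


def check_sender(ip: str, zone: str,
                 resolve_a: Callable[[str], List[str]]) -> Dict[str, object]:
    """Look up one sender IP; resolve_a(name) returns its A records or []."""
    name = dnsbl_query_name(ip, zone)
    codes, unexpected = interpret_answers(resolve_a(name))
    return {"query": name, "listed": bool(codes),
            "codes": codes, "unexpected": unexpected}


# Constructed offline resolver reproducing the post's dig output (hypothetical).
FAKE_ZONE = {"10.142.78.80.relays.osirusoft.com": ["127.0.0.9"]}


def fake_resolve_a(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print(check_sender("80.78.142.10", "relays.osirusoft.com", fake_resolve_a))
    print(check_sender("192.0.2.1", "relays.osirusoft.com", fake_resolve_a))
```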