Use of DNS as Distributed Database

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Sat Oct 5 16:18:28 UTC 2002


Daniel Feenberg <nodrfspam at nber.org> wrote:

> Some time ago I was told of a well known article on the 
> dangers of using the existing DNS system as a distributed 
> database for non-DNS information. An hour with Google hasn't 
> turned it up. Can anyone refer me to it? Are there dangers 
> to worry about beyond the obvious limitations of datatypes 
> and caching? Was the article an attack on the use
> of DNS for distributing SPAM blacklist information or did it have
> some other agenda? Am I even right to consider the anti-spam 
> blacklists implementations of a distributed database in DNS?

Cannot answer why it should be dangerous to distribute non-DNS data
with BIND. But most spam blocklists are distributed via DNS.

relays.osirusoft.com is one of the "better ones"; they use 10 servers:
ns1-relays.osirusoft.com.  23h58m34s IN A  168.103.84.165
ns1-relays.osirusoft.com.  23h58m34s IN A  195.115.72.9
ns1-relays.osirusoft.com.  23h58m34s IN A  195.154.210.134
ns1-relays.osirusoft.com.  23h58m34s IN A  203.16.167.1
ns1-relays.osirusoft.com.  23h58m34s IN A  130.239.18.162
ns2-relays.osirusoft.com.  23h58m34s IN A  195.86.134.127
ns2-relays.osirusoft.com.  23h58m34s IN A  207.171.128.15
ns2-relays.osirusoft.com.  23h58m34s IN A  64.39.15.246
ns2-relays.osirusoft.com.  23h58m34s IN A  66.33.98.17
ns2-relays.osirusoft.com.  23h58m34s IN A  168.103.84.163

The "offending IPs" are stored in <ip-backwards>relays.osirusoft.com.;
if there is any spam or spam support from this IP it will be
"found" in DNS with an 'A' record in the 127-range.

An example spammer: 80.78.142.10
> dig 10.142.78.80.relays.osirusoft.com

; <<>> DiG 8.3 <<>> 10.142.78.80.relays.osirusoft.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10
;; QUERY SECTION:
;;      10.142.78.80.relays.osirusoft.com, type = A, class = IN

;; ANSWER SECTION:
10.142.78.80.relays.osirusoft.com.  12H IN A  127.0.0.9


( ip found, thus a known spammer )

The above is typically used by MTAs; most already have "cookbook recipes"
for enabling them. For sendmail one just does:
FEATURE(dnsbl, `relays.osirusoft.com', `Rejected - see http://relays.osirusoft.com/')dnl

in the .mc file when configuring your MTA.


( Sorry for being elaborate in the wrong group )



> Daniel Feenberg
> feenberg isat nber.org


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but I'm trying to keep spam out,
           remove "icke-reklam" if you feel for mailing me. Thanx.
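The lookup described in the post (reverse the IPv4 octets, append the list zone, treat an A record in the 127 range as a listing), written out as an added example; this is not code from the post or from osirusoft. The resolver is a stand-in table constructed from the post's own example (80.78.142.10 listed as 127.0.0.9) plus constructed unlisted and non-127 answers, so it runs offline; a real MTA would issue an actual A query instead.

```python
import ipaddress

# Constructed sample zone data standing in for DNS answers. The first entry is
# the post's example; the second is a constructed bogus (non-127) answer that a
# careful client must not treat as a listing. Missing names mean NXDOMAIN.
CONSTRUCTED_ZONE = {
    "10.142.78.80.relays.osirusoft.com": ["127.0.0.9"],
    "7.100.51.198.relays.osirusoft.com": ["10.0.0.1"],  # constructed, not a listing
}

LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone.
    80.78.142.10 + relays.osirusoft.com -> 10.142.78.80.relays.osirusoft.com"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def interpret_dnsbl_answer(addresses):
    """Return only the 127.x.y.z listing codes from an A-record answer.
    Any address outside 127.0.0.0/8 is not a valid DNSBL listing and is ignored."""
    codes = []
    for a in addresses:
        if ipaddress.IPv4Address(a) in LISTING_RANGE:
            codes.append(a)
    return codes


def fake_resolve(name):
    """Stand-in for an A lookup against CONSTRUCTED_ZONE (NXDOMAIN -> [])."""
    return CONSTRUCTED_ZONE.get(name, [])


def check_dnsbl(ip, zone, resolve=fake_resolve):
    """Look up ip in the DNSBL zone; return (listed, listing_codes)."""
    codes = interpret_dnsbl_answer(resolve(dnsbl_query_name(ip, zone)))
    return (bool(codes), codes)


if __name__ == "__main__":
    for ip in ("80.78.142.10", "198.51.100.7", "192.0.2.1"):
        print(ip, check_dnsbl(ip, "relays.osirusoft.com"))
```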


More information about the bind-users mailing list