DNS and MX
Kevin Darcy
kcd at daimlerchrysler.com
Thu May 11 22:55:02 UTC 2006
ctclibby wrote:
>Hi All
>
>I have asked a question in a moderated list (
>MIMEDefang at lists.roaringpenguin.com ) and have quite the discussion
>going on. So I now turn to you for wisdom and answers. I have added
>more information below. Here is my question as posted:
>---
>Hi all
>
>Please tell me that I am NOT weird?
>
>Recently I updated DNS for a few domains. My registrar gives the
>option of assigning an IP addy for domain.tld without having an alias:
>mail.domain.tld. Ok, says I, let's give it a go. Bam! Slam, Spam
>started invading my privacy. This leads me to believe either:
> 1. Mail ( spam ) in this case is being sent to domain names without
>doing MX lookups.
> 2. I screwed something up.
>
>So I went in and unassigned that IP from domain.tld and that Spam
>stopped.
>
>Will look into this further to make sure that I have the domain setup
>proper.
>
>todh
>---
>
>Enom is the Registrar and I have multiple domains behind a firewall (
>apache and sendmail ) of which the firewall forwards to an internal
>machine. Everything works as it is supposed to: www gets web,
>smtp,pop3 and imap gets sendmail/dovecot.
>
>I have always assumed that a domain.tld is a container for hosts; i.e.
>mail.domain.tld, www.domain.tld, router.domain.tld. Looks like some of
>the folks believe that having an A record should be done so that
>surfers that don't know don't have to put in the www part to get to
>some.domain.tld. Ya, Ya, thank the marketing bigbrass for that one.
>
>So here is the big question: Should domain.tld have an Address record
>associated with it? What is kosher?
>
There's nothing wrong with having an address record or more than one, at
the zone apex. It's really a matter of personal preference. The presence
of zone-apex A records will, however, attract some email traffic,
especially if you have no MX records at the apex, or, to a lesser
degree, as you have found, even if you do, from horribly broken mail
software or from spammers who surmise that the mail servers responding
to the apex records represent additional opportunities, beyond those in
the MX records, to get their crap past filters and other kinds of blocks.

One thing to be aware of, however, is that a CNAME record cannot be at
the zone apex. If one's regular conventions call for the use of CNAMEs,
therefore, zone apexes will need to be exceptions to those conventions,
and that can complicate things. I can't even count the number of times
I've had to explain to our internal customers (e.g. marketing folks)
about CNAMEs being forbidden at the zone apex, and no, this is a basic
rule of *DNS*, not something I just cooked up on my own to make their
lives miserable.
- Kevin
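
An audit of the two points in the reply above (apex A records drawing mail, and CNAMEs at the zone apex), as an added example that is not part of the original post. The zone data, function names and finding labels are constructed for illustration, and the names use reserved example domains.

```python
# Added example: flag zone apexes that can draw SMTP traffic outside the
# MX set, and apexes that carry a CNAME. All records below are constructed.

SAMPLE_RECORDS = """
example.com.        IN MX    10 mail.example.com.
example.com.        IN A     192.0.2.10
mail.example.com.   IN A     192.0.2.25
www.example.com.    IN CNAME example.com.
example.net.        IN A     198.51.100.7
example.org.        IN CNAME hosting.example.com.
example.org.        IN MX    10 mail.example.com.
"""

def parse_records(text):
    """Return {owner: {rtype: [rdata, ...]}} from 'owner IN type rdata' lines."""
    zone = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        zone.setdefault(owner.lower(), {}).setdefault(rtype.upper(), []).append(rdata.strip())
    return zone

def audit_apex(zone, apex):
    """Return a list of finding labels (hypothetical names) for one apex."""
    rrsets = zone.get(apex.lower(), {})
    findings = []
    if "CNAME" in rrsets:
        # A CNAME cannot sit at the apex, which always holds other records.
        findings.append("cname-at-apex")
    mx_hosts = {r.split()[1].lower() for r in rrsets.get("MX", [])}
    apex_addrs = set(rrsets.get("A", []))
    if apex_addrs and not mx_hosts:
        # With no MX, SMTP senders fall back to the A record (implicit MX).
        findings.append("implicit-mx")
    elif apex_addrs:
        mx_addrs = {a for h in mx_hosts for a in zone.get(h, {}).get("A", [])}
        if apex_addrs - mx_addrs:
            # Apex address is not an MX target: senders that skip the MX
            # lookup reach it directly, so check what answers on port 25.
            findings.append("apex-a-outside-mx")
    return findings

if __name__ == "__main__":
    zone = parse_records(SAMPLE_RECORDS)
    for name in ("example.com.", "example.net.", "example.org."):
        print(name, audit_apex(zone, name))
```

An "apex-a-outside-mx" finding is only an exposure if something accepts SMTP on that address, for instance a firewall that forwards port 25 for every address it holds.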