Side effects of a DNS whitelist?

Matthias Leisi matthias at leisi.net
Sun Oct 29 14:03:19 UTC 2006


[I'm aware of the fact that the questions below are, strictly speaking,
not Bind-related but of a more general nature. If you know of a more
appropriate list/newsgroup, please let me know.]

I'm currently experimenting with a public DNS-based whitelist. I wonder
what side effects such a whitelist could have from a DNS infrastructure
perspective.

The impact of DNS-based blacklists is pretty well understood after a
long time of wide-spread use. However, it seems to me that whitelists
are different in some respects:

Difference in size: By their very nature, DNS-based whitelists have an
order of magnitude _fewer_ entries than blacklists in the Internet as we
have it today: Probably half of all Windows machines on the Internet are
hijacked and could be blacklisted (Spamhaus XBL is a couple of megabytes
in size), but at best a couple of thousand mailservers or networks
should be whitelisted (a couple of hundred kilobytes max).

Caching/TTL: It is not to be expected that IP ranges of "known good"
senders change at a fast pace. TTL can thus be higher (12 to 48hrs,
possibly) than with DNS-based blacklists which usually have rather short
TTLs (< 30 mins).

This leads me to a couple of questions:

When a mailserver queries the whitelist via DNS for each incoming
connection, this will lead to a considerable amount of NXDOMAIN
responses (let's assume that 10% of all connections come from
whitelisted servers, i.e. we have 90% NXDOMAIN responses). Would this
negatively affect a typical resolving nameserver's cache? How could this
negative impact be limited?

Are DNS queries really the most efficient method of distribution
(zone-transfers are a different question)? Current blacklists work by
asking for individual addresses, but most whitelisting occurs through a
range of IP addresses (as much as a /16). Would it be more efficient for
caching etc. to do something similar in style to classless IN-ADDR.ARPA
delegation (RFC 2317)?

Any other hints are, of course, welcome. If you are interested in the
project, have a look at http://www.dnswl.org/

Thanks,
-- Matthias
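The lookup and caching pattern the post asks about, modelled as an added Python example that is not code from dnswl.org, from BIND, or from the poster. It builds the reversed-octet query name a mail server would send for each connecting IP, answers it from a toy authoritative zone (long TTL for listed senders, SOA-minimum negative caching for NXDOMAIN as in RFC 2308), and runs a constructed stream of connections through a minimal resolver cache so the split between positive and negative cache entries can be seen. The zone name `list.dnswl.example`, the networks, the TTLs and the traffic mix are all constructed assumptions; the `prefix_octets` option that collapses a listed range to one query name is a hypothetical coarser-granularity scheme used only to quantify the caching question, not something the post says dnswl.org does.

```python
"""Toy model of a DNS-based whitelist lookup and the resolver cache it fills.

Added illustration; not code from dnswl.org or BIND.  The zone name,
networks, TTLs and traffic below are constructed sample values.
"""
import ipaddress
import random

WL_ZONE = "list.dnswl.example"      # hypothetical zone, not the real one
POSITIVE_TTL = 12 * 3600            # 12h, the low end of the post's suggestion
NEGATIVE_TTL = 30 * 60              # SOA minimum: how long NXDOMAIN is cached

# Constructed "known good" networks (RFC 5737 documentation ranges).
WHITELIST = [ipaddress.ip_network(n)
             for n in ("192.0.2.0/24", "198.51.100.0/25", "203.0.113.8/29")]


def query_name(ip, zone=WL_ZONE, prefix_octets=4):
    """Reversed-octet name under the list zone, DNSBL style.

    prefix_octets=4 is the usual per-host name.  Smaller values model a
    hypothetical coarser scheme (e.g. one name per /24).
    """
    octets = ipaddress.IPv4Address(ip).exploded.split(".")[:prefix_octets]
    return ".".join(reversed(octets)) + "." + zone


def authoritative_lookup(ip):
    """What the list's nameserver would answer: (rcode, rdata, ttl)."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in WHITELIST):
        return ("NOERROR", "127.0.0.2", POSITIVE_TTL)
    return ("NXDOMAIN", None, NEGATIVE_TTL)


class ResolverCache:
    """Minimal recursive-resolver cache holding positive and negative entries."""

    def __init__(self):
        self.entries = {}           # qname -> (rcode, rdata, expires_at)
        self.hits = 0
        self.misses = 0

    def resolve(self, ip, now):
        qname = query_name(ip)
        hit = self.entries.get(qname)
        if hit is not None and hit[2] > now:
            self.hits += 1
            return hit[0], hit[1]
        self.misses += 1
        rcode, rdata, ttl = authoritative_lookup(ip)
        self.entries[qname] = (rcode, rdata, now + ttl)
        return rcode, rdata

    def live(self, now, rcode=None):
        """Unexpired entries, optionally counting only one rcode."""
        return sum(1 for rc, _, exp in self.entries.values()
                   if exp > now and (rcode is None or rc == rcode))


def names_for_range(net, prefix_octets=4):
    """Distinct query names the hosts of one listed range would produce."""
    return {query_name(h, prefix_octets=prefix_octets)
            for h in ipaddress.ip_network(net)}


def simulate(connections=20000, listed_fraction=0.10, per_second=2.0, seed=7):
    """Feed constructed SMTP connections through the cache; return stats."""
    rng = random.Random(seed)
    cache = ResolverCache()
    listed = [str(h) for net in WHITELIST for h in net]
    now = 0.0
    for _ in range(connections):
        if rng.random() < listed_fraction:
            ip = rng.choice(listed)
        else:
            # Random sender, redrawn in the unlikely case it is listed.
            ip = ipaddress.IPv4Address(rng.randrange(1 << 32))
            while any(ip in net for net in WHITELIST):
                ip = ipaddress.IPv4Address(rng.randrange(1 << 32))
            ip = str(ip)
        cache.resolve(ip, now)
        now += 1.0 / per_second
    return {"queries": connections, "hits": cache.hits, "misses": cache.misses,
            "live_positive": cache.live(now, "NOERROR"),
            "live_negative": cache.live(now, "NXDOMAIN")}


if __name__ == "__main__":
    print(query_name("192.0.2.10"), authoritative_lookup("192.0.2.10"))
    print("per-host names for 192.0.2.0/24:", len(names_for_range("192.0.2.0/24")))
    print("per-/24 names for 192.0.2.0/24:", len(names_for_range("192.0.2.0/24", 3)))
    print(simulate())
```

Because unlisted senders practically never repeat within the negative TTL, almost every one of them is a cache miss that leaves a short-lived NXDOMAIN entry behind, while the few hundred listed hosts settle into long-lived positive entries; the `live_negative` figure therefore tracks query rate times negative TTL rather than list size, which is the cost the post is worried about. `names_for_range` shows the other half of the question: with per-host names a listed /24 fragments into 256 cache entries, a /16 into 65536, whereas one name per /24 would collapse each to a single entry, at the price of a lookup granularity that can no longer express a listing narrower than a /24.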



More information about the bind-users mailing list