Side effects of a DNS whitelist?

Merton Campbell Crockett m.c.crockett at
Sun Oct 29 17:17:32 UTC 2006

Whether to accept or reject a connection to my mail servers is a  
business decision related to my specific business and business  
requirements.  The mail handling rules have been developed and  
refined since establishing a connection to the Internet a quarter of  
a century ago.

Aside from the additional DNS queries needed to use your proposed  
service, what is the business case for me using your service?

What does it provide that can't be achieved using IPFW, hosts, DNS,  
"tcpwrappers", and sendmail's access database?

Merton Campbell Crockett

On 29 Oct 2006, at 06:03 , Matthias Leisi wrote:

> [I'm aware of the fact that the questions below are, strictly speaking,
> not Bind-related but of a more general nature. If you know of a more
> appropriate list/newsgroup, please let me know.]
>
> I'm currently experimenting with a public DNS-based whitelist. I wonder
> what side effects such a whitelist could have from a DNS infrastructure
> perspective.
>
> The impact of DNS-based blacklists is pretty well understood after a
> long time of widespread use. However, it seems to me that whitelists
> are different in some respects:
>
> Difference in size: By their very nature, DNS-based whitelists have an
> order of magnitude _less_ entries than blacklists in the Internet as we
> have it today: Probably half of all Windows machines on the Internet are
> hijacked and could be blacklisted (Spamhaus XBL is a couple of megabytes
> in size), but at best a couple of thousand mailservers or networks
> should be whitelisted (a couple of hundred kilobytes max).
>
> Caching/TTL: It is not to be expected that IP ranges of "known good"
> senders change at a fast pace. TTL can thus be higher (12 to 48hrs,
> possibly) than with DNS-based blacklists which usually have rather short
> TTLs (< 30 mins).
>
> This leads me to a couple of questions:
>
> When a mailserver queries the whitelist via DNS for each incoming
> connection, this will lead to a considerable amount of NXDOMAIN
> responses (let's assume that 10% of all connections come from
> whitelisted servers, i.e. we have 90% of NXDOMAIN responses). Would this
> negatively affect a typical resolving nameserver's cache? How could this
> negative impact be limited?
>
> Are DNS queries really the most efficient method of distribution
> (zone-transfers are a different question)? Current blacklists work by
> asking for individual addresses, but most whitelisting occurs through a
> range of IP addresses (as much as a /16). Would it be more efficient for
> caching etc to do something similar in style to classless IN-ADDR.ARPA
> delegation (RFC 2317)?
>
> Any other hints are, of course, welcome. If you are interested in the
> project, have a look at
>
> Thanks,
> -- Matthias


More information about the bind-users mailing list
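The two questions in Matthias's quoted post (how much NXDOMAIN traffic a per-connection whitelist lookup pushes through a resolver cache, and whether querying by address range rather than by individual address would cache better) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from either poster or from any whitelist project. It assumes a placeholder zone name "list.example", a constructed whitelist of two /24s, a positive TTL of 12 hours and a negative-cache TTL of 30 minutes (the RFC 2308 SOA MINIMUM mechanism), and a constructed traffic sample in which 10% of connections come from whitelisted senders. Querying by octet-aligned prefix is a simplification of the RFC 2317-style idea raised in the post; non-octet-aligned ranges would need a different naming scheme and are not modelled here.

```python
"""Model of resolver-cache behaviour under a DNS-based whitelist lookup.

Added example, not from the original thread. Everything below (zone name,
whitelist, TTLs, traffic sample) is constructed for illustration.
"""
import ipaddress

ZONE = "list.example"          # placeholder zone name (assumption)
POSITIVE_TTL = 12 * 3600       # long TTL: "known good" ranges rarely change
NEGATIVE_TTL = 30 * 60         # negative-cache TTL taken from SOA MINIMUM (RFC 2308)

# Constructed whitelist: two /24 ranges of "known good" senders.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def query_name(ip: str, prefixlen: int = 32) -> str:
    """Reverse-octet query name used by DNS-based lists.

    prefixlen=32 asks about the individual address (the usual blacklist
    style); an octet-aligned shorter prefix such as 24 asks about the
    containing range, so all hosts in that range share one cache entry.
    """
    if prefixlen % 8 != 0 or not 8 <= prefixlen <= 32:
        raise ValueError("prefix must be octet-aligned (8, 16, 24 or 32)")
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    octets = str(net.network_address).split(".")[: prefixlen // 8]
    return ".".join(reversed(octets)) + "." + ZONE


def authoritative_answer(ip: str):
    """What the list's nameserver would return: an A record for a
    whitelisted address, otherwise NXDOMAIN (modelled as None)."""
    addr = ipaddress.ip_address(ip)
    return "127.0.0.2" if any(addr in n for n in WHITELIST) else None


class ResolverCache:
    """Minimal resolver cache with both positive and negative entries."""

    def __init__(self):
        self.entries = {}          # query name -> (answer, expiry time)
        self.upstream_queries = 0  # how often we had to ask the list's server

    def lookup(self, ip: str, now: int, prefixlen: int = 32):
        name = query_name(ip, prefixlen)
        hit = self.entries.get(name)
        if hit and hit[1] > now:
            return hit[0]          # served from cache (positive or negative)
        self.upstream_queries += 1
        answer = authoritative_answer(ip)
        ttl = POSITIVE_TTL if answer else NEGATIVE_TTL
        self.entries[name] = (answer, now + ttl)
        return answer


def simulate(connections, prefixlen: int = 32) -> dict:
    """Run a list of (timestamp, client_ip) through one cache and report
    upstream query count, cache size and how many connections were listed."""
    cache = ResolverCache()
    listed = 0
    for t, ip in connections:
        if cache.lookup(ip, t, prefixlen) is not None:
            listed += 1
    return {"upstream": cache.upstream_queries,
            "cached_names": len(cache.entries),
            "listed": listed}


def constructed_traffic(n: int = 1000):
    """Constructed sample: one connection per second; every tenth connection
    comes from one of 20 whitelisted hosts, the rest from 500 distinct
    unlisted hosts spread over five /24s in 10.0.0.0/8."""
    conns, unlisted = [], 0
    for i in range(n):
        if i % 10 == 0:
            ip = f"192.0.2.{(i // 10) % 20 + 1}"
        else:
            ip = f"10.0.{unlisted % 5}.{(unlisted // 5) % 100 + 1}"
            unlisted += 1
        conns.append((i, ip))
    return conns


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("per-address lookups:", simulate(traffic, 32))
    print("per-/24 lookups:    ", simulate(traffic, 24))
```

With the constructed sample, per-address lookups leave 520 names in the cache (500 of them negative entries) and cost 520 upstream queries, while per-/24 lookups need only 6 cache entries and 6 upstream queries for the same 1000 connections; the expiry check in `lookup` also shows a negative entry being re-fetched after 30 minutes while a positive one is still served from cache.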