RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
Noel Butler
noel.butler at ausics.net
Fri Sep 20 10:02:26 UTC 2013
Hi Shane,
On Fri, 2013-09-20 at 11:38 +0200, Shane Kerr wrote:
> Noel,
>
> On 2013-09-20 12:48:31 (Friday)
> Noel Butler <noel.butler at ausics.net> wrote:
>
> > On Fri, 2013-09-20 at 01:59 +0000, Vernon Schryver wrote:
>
> > > > plenty of delayed mail - hostname lookup failures (mostly because of
> > > > URI/DNS BL's), so it certainly works as intended :)
> > >
> > > That sounds unrelated to RRL. Again, RRL affects standards compliant
> > > DNS clients no more than a 50% packet loss rate on the path from the
> > > DNS client and to the server. If your mail system suffered hostname
> > > lookup failures, then I think something else was broken.
>
> With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> fail, right? If you've got enough legitimate lookups going on to
> trigger RRL then you're going to get lots of failures.
>
> One workaround for this is to set SLIP to 1. I know Vernon recommends
> against that, but personally I don't think there is any downside.
>
Might give that a go, thanks for suggestion
> > Nope, either way, daemon.log was filling up with messages indicating
> > RRL, last time I tried, Aug 29,
> >
> > lots of
> > limit NXDOMAIN responses to xxxxxxxx/24 for zen.spamhaus.org ,
> > limit NXDOMAIN responses to xxxxxx/24 for xxx.net
> >
> > pretty much one for every DNSBL, URIBL etc used....
>
> This doesn't indicate that anything actually failing for the querying
> hosts, just that they are issuing a lot of queries.
>
maybe not directly, but along with time corresponding maillog filling up
with errors certainly is all the proof I need.
> > The problem occurred within a minute of enabling RRL, and ended right
> > after disabling RRL.
> > on that date, log files show the version was actually BIND 9.9.4rc1
> >
> > Now I've read your link, I can perhaps understand more the options and
> > fine tune it, but bout to head out for lunch so, might pla around later
> > this afternoon.
>
> I think the actual issue is that for DNS IP blacklists (or whitelists)
> RRL is probably harmful. Many or even most queries to those servers
> will result in the same NXDOMAIN response. This is expected and desired
> behavior, but RRL interprets this as potential abuse.
>
> While the fallback to TCP (combined with my recommendation of SLIP 1
> above) will mean that service will continue without problem, one reason
> that DNS was chosen for such services is that it is very lightweight,
> and forcing traffic to TCP is an anti-goal. :)
>
> Probably you should disable RRL for servers that are primarily used for
> IP-based blacklists (or whitelists).
>
Will try with views and SLIP 1, likely tomorrow now since its rather
late here, will post a followup with results
Cheers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130920/0f65d3bc/attachment.bin>
More information about the bind-users
mailing list