RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

Vernon Schryver vjs at rhyolite.com
Fri Sep 20 14:12:35 UTC 2013


> From: Shane Kerr <shane at isc.org>

> With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> fail, right? If you've got enough legitimate lookups going on to
> trigger RRL then you're going to get lots of failures.

If 6% is "lots", then yes.


> One workaround for this is to set SLIP to 1. I know Vernon recommends
> against that, but personally I don't think there is any downside.

Before using SLIP=1, please read
http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
If you need RRL, then RRL with SLIP=1 is a bad idea.

With SLIP=1, your mail system will be slowed by asking with UDP, getting
a TC=1 response, and using TCP.  With SLIP=1 instead of exempt{} or views,
your DNS server will also waste lots of computrons counting responses
to your own computers and answering with TC=1.

You need to use views and/or ACLs to allow recursion for your own
computers but deny it to strangers.  So using 'exempt{}' or views to
exempt your own computers from RRL should be painless.


> > limit NXDOMAIN responses to xxxxxxxx/24 for zen.spamhaus.org ,

> This doesn't indicate that anything is actually failing for the querying
> hosts, just that they are issuing a lot of queries.

indeed.


> I think the actual issue is that for DNS IP blacklists (or whitelists)
> RRL is probably harmful. Many or even most queries to those servers
> will result in the same NXDOMAIN response. This is expected and desired
> behavior, but RRL interprets this as potential abuse.
>
> While the fallback to TCP (combined with my recommendation of SLIP 1
> above) will mean that service will continue without problem, one reason
> that DNS was chosen for such services is that it is very lightweight,
> and forcing traffic to TCP is an anti-goal. :)
>
> Probably you should disable RRL for servers that are primarily used for
> IP-based blacklists (or whitelists).

That is reasonable if you ensure that those DNS servers are not available
to the bad guys by putting them behind firewalls, using views or ACLs,
or whatever.  And again, those defenses against unauthorized recursion
can be used to apply RRL only to the outsiders.

The potential RRL problem is when you provide high volume DNSBL service
over the open Internet to DNS clients that are not authenticated.
However, that is unlikely to be a worry, because providing DNSBL
services over the open Internet is a dubious idea for unrelated reasons.
Major DNSBL providers have for years limited anonymous clients for
business or other reasons.  For example, I think Spamhaus limits
anonymous clients to fewer than 3 queries/second.


Vernon Schryver    vjs at rhyolite.com
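The arrangement described in the message above (recursion and RRL exemption for your own machines via views and ACLs, RRL with the default SLIP only for strangers), written out as a BIND 9.9 named.conf fragment. This is an added example, not configuration from the original post or from ISC; the zone name "dnsbl.example", the file name, the address ranges in the "trusted" ACL, and the per-second limits are assumptions chosen for illustration and should be replaced with your own values.

```conf
// Added example: apply RRL only to outsiders, never to your own mailers.
// Hypothetical ACL: the addresses of our own mail and DNS clients.
// (192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not real hosts.)
acl "trusted" {
    127.0.0.0/8;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    directory "/var/named";
    // Recursion is granted per view below, not globally.
    recursion no;
    allow-query { any; };
};

// Our own computers: recursion allowed, no rate-limit block at all.
// Their DNSBL lookups are never counted, dropped, or answered with TC=1,
// so nothing here ever falls back to TCP.
view "internal" {
    match-clients { trusted; };
    recursion yes;

    zone "dnsbl.example" {
        type master;
        file "dnsbl.example.db";
    };
};

// Strangers: no recursion, and RRL with the default SLIP of 2.
view "external" {
    match-clients { any; };
    recursion no;

    rate-limit {
        // "Not listed" DNSBL answers are NXDOMAIN, so the NXDOMAIN limit
        // is the one that matters for a blacklist zone.
        responses-per-second 10;
        nxdomains-per-second 10;

        // Keep the default.  Do NOT set "slip 1": then every over-limit
        // query gets a TC=1 answer, the client retries over TCP, and the
        // server does as much work as with no RRL at all.
        slip 2;

        // Belt and braces: even if a trusted address somehow matches this
        // view, it is never rate-limited.
        exempt-clients { trusted; };

        // Set to "yes" first to observe what RRL would do before enforcing.
        log-only no;
    };

    zone "dnsbl.example" {
        type master;
        file "dnsbl.example.db";
    };
};
```

Check the result with `named-checkconf` before reloading, and watch the "rate-limit" log category with `log-only yes` for a while; if your own mailers ever appear in those log lines, the "trusted" ACL is incomplete.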

