Variable SOAs in negative responses

Dave Warren davew at hireahit.com
Tue Jan 28 22:59:45 UTC 2014


On 2014-01-28 14:20, Mark Andrews wrote:
> In message <52E8258E.3060606 at hireahit.com>, Dave Warren writes:
>> On 2014-01-28 11:28, Matus UHLAR - fantomas wrote:
>>> On 27.01.14 18:23, John Levine wrote:
>>>> A friend (really) asks this question: they have some DNSBLs, which get
>>>> a lot of queries.  Sometimes the answer has A or TXT records, meaning
>>>> the corresponding address is listed in the DNSBL, sometimes it's
>>>> NXDOMAIN which means the address isn't.
>>>>
>>>> For addresses that aren't listed, some of the NXDOMAINs are a lot less
>>>> likely to change than others, e.g, the address of an outbound mail
>>>> server at a large mail provider is unlikely ever to be listed, but a
>>>> random host at a hosting provider in India, who knows.  So he'd like
>>>> to have the TTLs on some of those NXDOMAINs be longer than others, by
>>>> putting a different TTL in the SOA in the authority section.
>>> If you know those IPs, why do you check them for being listed at all?
>> John's question was from the point of view of the DNSBL operator. How
>> would a DNSBL operator stop users of that DNSBL from performing lookups
>> on certain IPs, and why would they bother?
>>
>>> If any IP starts spamming, why to give it longer time to appear in the
>>> blacklists? I don't think this makes sense at all...
>> Because a lot of IPs simply are not candidates for listing at certain
>> types of DNSBL sites. "Too big to block" is a thing.
>>
>> A more straightforward example: If your DNSBL is designed to only list
>> IPs that are running vulnerable web scripts *and* are not also
>> legitimate mail servers, then Google's outbound MX will *never* be
>> candidates for listing (regardless of how much they spew) and therefore
>> a very large TTL'd NXDOMAIN would be appropriate. Frankly, any
>> legitimate mail server would be a candidate for a large-TTL'd-NXDOMAIN
>> for this type of list, not just big players like Google.
> Which if the recursive servers are following RFC 2308 will be truncated to
> ~3 hours.

Which is quite reasonable, given that many DNSBLs (especially those that
aim to list zombies and other malware infections) update multiple times per
minute (or are simply maintained dynamically, without a defined
"refresh"), and therefore want to use NXDOMAIN TTLs that are quite
short, perhaps in the range of minutes, so that freshly discovered
zombies are listed absolutely as soon as possible.

These are exactly the type of DNSBLs that will benefit from low NXDOMAIN 
TTLs on most IPs and higher TTLs on definitely-won't-be-listed IPs like 
major mail servers.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.
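An added example, not part of the thread, showing how a resolver arrives at the TTL it caches an NXDOMAIN for: RFC 2308 section 5 takes the minimum of the SOA MINIMUM field and the SOA RR's own TTL, and the resolver then clamps that to its own limit (BIND's max-ncache-ttl defaults to 10800 seconds, the ~3 hour truncation Mark refers to). The zone name dnsbl.example and the SOA values below are constructed for illustration.

```python
"""Negative-cache TTL a resolver applies to an NXDOMAIN, per RFC 2308 s5."""

# BIND's default max-ncache-ttl (3 hours); treated here as the resolver's policy.
DEFAULT_MAX_NCACHE_TTL = 10800


def parse_soa(rr_text):
    """Parse one SOA RR in dig/zone-file presentation format.

    Returns (rr_ttl, minimum) in seconds, or None if the line is not an SOA.
    Field layout: owner TTL class SOA mname rname serial refresh retry expire minimum
    """
    fields = rr_text.split()
    if len(fields) < 11 or fields[3].upper() != "SOA":
        return None
    return int(fields[1]), int(fields[10])


def negative_cache_ttl(authority_section, max_ncache_ttl=DEFAULT_MAX_NCACHE_TTL):
    """Seconds a resolver will cache the negative answer.

    RFC 2308 s5: negative TTL = min(SOA MINIMUM, TTL of the SOA RR itself);
    a negative response carrying no SOA in the authority section is not cached
    (returned as 0). The result is then clamped to the resolver's max-ncache-ttl.
    """
    for rr in authority_section:
        parsed = parse_soa(rr)
        if parsed:
            rr_ttl, minimum = parsed
            return min(rr_ttl, minimum, max_ncache_ttl)
    return 0


# Constructed authority sections for a hypothetical DNSBL zone, one per case
# discussed in the thread: a "never listed" address given a one-week SOA, and a
# random host given a five-minute SOA.
NEVER_LISTED = [
    "dnsbl.example. 604800 IN SOA ns.dnsbl.example. hostmaster.dnsbl.example. "
    "2014012801 3600 900 604800 604800"
]
RANDOM_HOST = [
    "dnsbl.example. 300 IN SOA ns.dnsbl.example. hostmaster.dnsbl.example. "
    "2014012801 3600 900 604800 300"
]

if __name__ == "__main__":
    print(negative_cache_ttl(NEVER_LISTED))  # 10800: one week clamped to 3 hours
    print(negative_cache_ttl(RANDOM_HOST))   # 300
```

Raising max-ncache-ttl on the resolver side is what would let the long NXDOMAIN TTL survive; the authoritative side alone cannot force it.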
