Minimum TTL?

John Levine johnl at iecc.com
Sat Feb 10 04:11:24 UTC 2018


In article <mailman.459.1518222411.749.bind-users at lists.isc.org> you write:
>For the record, the issue is not RBLs or legitimate domains, it is
>spammer scum that set super-low DNS because they are shotgunning spam
>from a vast botnet and they want to have maximal impact, so you get a
>different IP for every spam they send. It is a way of trying to
>overwhelm a machine's tarpits, blacklists, sshguard protections, and
>others.

Um, you have it completely backward.  Botnets are computers with IP
addresses.  They don't need DNS pointing at them to send spam.  DNSBLs
with low TTLs try and list them the moment the first spam hits the
spamtraps.

There is fast flux DNS for computers running landing pages, but they
tend to use a lot of A records at once and don't care about the TTL
since they're going for quantity, not quality.

>But to answer your question, off-hand, I'd say that any TTL under 60s is
>suspicious and any TTL under 10s is almost certainly intentionally
>abusive.

I hope you're not planning to do much spam filtering.

R's,
John

