qname minimisation per domain
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Jul 16 11:42:22 UTC 2024
>> On 15 Jul 2024, at 23:27, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>> I have noticed that especially DNS blocklist cause errors like:
>>
>> Jul 14 01:41:28 fantomas named[1854]: success resolving 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'
>>
>> and blocklists like spamhaus are sensitive to too many queries.
>>
>> is it possible to disable query minimisation for particular domains?
On 16.07.24 09:23, Mark Andrews wrote:
> Is it really too much effort for the servers to return NOERROR instead of
> an incorrect NXDOMAIN for the intermediate names? That would get rid of
> the log message.
These seem to run rbldnsd, which is optimised for memory usage and speed of
response, and returning different replies would, I guess, affect speed.
> It’s changing 1 bit (0 vs 4 for the rcode) in the DNS
> header. They don’t even have to lookup if there are names below the
> query. The server can just assume that there are records there and return
> NOERROR for [0..255].zen.spamhaus.org, [0..255].[0..255].zen.spamhaus.org
> and [0..255].[0..255].[0..255].zen.spamhaus.org. Really we would like to
> be able to move to strict QNAME minimisation so we don’t need to make all
> the other queries after the first NXDOMAIN response but broken
> implementations like this are making that difficult. It’s not like this
> is a new requirement. A NOERROR response goes back to RFC 1034.
I see there's an issue and a merge request containing exactly this change:
https://github.com/spamhaus/rbldnsd/issues/17
The discussion also mentions things like
There is also quite a lot of consensus in the SMTP World that qname
minimization shouldn't be used on the resolvers used by mail servers
and
For the IP(v4 and v6) datasets, all of them, we could implement a hackish
solution so that when a query for a "partial" ip address is received,
rbldnsd doesn't reply NXDOMAIN but NOERROR instead.
> Additionally Spamhaus controls how often resolvers re-query. 10 seconds
> is a very short negative response TTL. If they don’t like the query rate
> they can control it by returning longer negative cache responses. Named
> does check in the cache for negative cache entries to determine whether or
> not to make the intermediate QNAME minimisation queries.
Lower negative TTLs allow for faster listing detection.
I also believe that it is in Spamhaus' interest to have more paying clients
(although this may not be the primary reason for short negative TTLs).
I guess for now, since qname minimization increases the number of queries
sent and the resolving time, I should disable qname-minimization on all named
instances used by mail servers.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
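The intermediate-name behaviour Mark describes, modelled as an added example (not code from this thread, from BIND or from rbldnsd): a toy QNAME-minimising resolver run offline against two constructed authoritative stubs, one answering NXDOMAIN for partial reverse-IP names as discussed and one answering NOERROR, counting the queries each mode sends. The listed address, the stub functions and the strict/relaxed modelling are assumptions made for the illustration.

```python
"""Added example (not code from the bind-users thread, BIND or rbldnsd):
a model of a QNAME-minimising resolver looking up D.C.B.A.zen.spamhaus.org
against two constructed authoritative stubs, one mimicking the rbldnsd
behaviour discussed (NXDOMAIN for partial reverse-IP names) and one with
the RFC 1034 behaviour Mark Andrews asks for (NOERROR for intermediate
names). No network traffic is sent; the listed address is made up."""

ZONE = "zen.spamhaus.org"
LISTED = {"4.3.2.1.zen.spamhaus.org"}  # constructed: pretend 1.2.3.4 is listed


def labels_below_zone(qname):
    """Labels left of the zone apex: '2.1.zen.spamhaus.org' -> ['2', '1']."""
    return qname[: -len(ZONE) - 1].split(".")


def auth_nxdomain_style(qname):
    """Constructed stub of the broken behaviour: only full four-octet names exist."""
    return "NOERROR" if qname in LISTED else "NXDOMAIN"


def auth_noerror_style(qname):
    """Constructed stub of the fixed behaviour: a partial name is treated as an
    empty non-terminal and gets NOERROR; only a full, unlisted name gets NXDOMAIN."""
    if len(labels_below_zone(qname)) < 4:
        return "NOERROR"
    return "NOERROR" if qname in LISTED else "NXDOMAIN"


def resolve_plain(qname, auth):
    """qname-minimization off: a single query for the full name."""
    return auth(qname), [qname]


def resolve_minimised(qname, auth, strict=False):
    """Walk 1.zen... -> 2.1.zen... -> ... -> full name; return (rcode, queries).
    Relaxed mode (BIND's default) retries the full name after an intermediate
    NXDOMAIN, the fallback behind the 'after disabling qname minimization' log
    line; strict mode trusts the intermediate NXDOMAIN as the final answer."""
    labels = qname.split(".")
    depth = len(labels_below_zone(qname))
    queries, rcode = [], None
    for n in range(1, depth + 1):
        name = ".".join(labels[depth - n:])
        queries.append(name)
        rcode = auth(name)
        if rcode == "NXDOMAIN" and name != qname:
            if strict:
                return rcode, queries  # a listed IP is reported as unlisted
            queries.append(qname)
            return auth(qname), queries  # fall back to the full name
    return rcode, queries
```

Against the NXDOMAIN-style stub, strict mode misses the listed address after one query, while relaxed mode recovers it at the cost of a second query; against the NOERROR-style stub both modes walk all four labels and agree.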