DNS question, null MX records

James Hess mysidia at gmail.com
Fri Dec 18 05:26:25 UTC 2009


On Thu, Dec 17, 2009 at 6:54 AM, Tony Finch <dot at dotat.at> wrote:
> On Wed, 16 Dec 2009, Douglas Otis wrote:  > more polite to use a nonexistent name that you control, but that doesn't   allow the source MTA to skip further DNS lookups
If you want to be kind,  point the MX to an  A record that resolves to
127.0.0.1.
Common MX'es should immediately reject, and report a "configuration
error"/MX loop with the domain.

Your intent will also be clear, to just about everyone,  it will be
obvious the MX is intentionally broken.  Other tricks may be more
obscure,  will be less obvious  that you don't want mail, and may look
like a mistake  --  you might even get visitors to your domain
contacting you  to report the broken MX record.

An alternative to resolving MX to an invalid IP might be to cut to the
chase and just  make further  DNS lookups impossible altogether...

@                604800 IN MX                   MX.BOGUSMX
BOGUSNS  604800 IN  A                      0.0.0.0
BOGUSMX 604800  IN  NS                   BOGUSNS

Or  for that matter  delegate the subdomain to  255.255.255.255.
The recursive resolvers  already have to immediately reject DNS
delegation to broadcast addresses and the like.

Though  i'd be afraid of finding that some obscure resolver didn't......

[EG] "Gee thanks... some spammer exploited my open relay,  and your
broadcast NS delegation,  caused  my LAN to get swamped  by my mail
servers'  DNS lookups while it was trying to send the  10 million
spams to you...."

--
-J




More information about the NANOG mailing list