Anyone from AT&T here? (AT&T bogus DNSBL answers)

Mon Apr 19 16:53:45 UTC 2004

I've personally seen them blackhole a customer ip and never contact
them.  The excuse was that, normally, their customers can't get the mail
because it's a mailserver that gets blacklisted.  I'm not sure that it's
an excuse.  I don't even mind that they blackholed a security problem.
It's the lack of contact in association with the action that I consider
bad customer service.

Eric Krichbaum, Chief Engineer
Citynet

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Patrick W.Gilmore
Sent: Monday, April 19, 2004 12:26 PM
To: nanog at merit.edu
Cc: Patrick W.Gilmore
Subject: Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)

On Apr 19, 2004, at 11:54 AM, Michael.Dillon at radianz.com wrote:

>>> "I finally talked to someone who knows what the problem is.  Your 
>>> sbl
> sites
>>> have been blocked by the standard DNS forwarders supplied by ATT. 
>>> This
> is
>>> due to the workload being generated on them from mailservers."
>>
>> Duh! This is really dumb.
>
> It's not dumb at all.

Yes, it is.

It is not only dumb, it is a disservice to their customers.  AT&T is
intentionally distributing known bad information.  Worse, they hid this
fact from their customer.  When customers called the AT&T support line
to find out what happened, they were told nothing was wrong and it must
be on the customer side.  My understanding is this was an intentional
lie.  Lying to your customers is a Bad Thing [tm], IMHO.

Perhaps it was just a bunch of front line people who did not know /
understand, but considering that they made a change which they knew -
they *KNEW* - would break things, they should have made damned sure each
and every front line person was prepared for the customer calls.  
They did not, so they are at best guilty of pathetically poor customer
service, and possibly guilty of outright lying to their customers.

If I paid AT&T for name service (even as part of a larger package of
offerings - e.g. transit), I would be *VERY* upset.

> DNSBLs are using the DNS to do general purpose database
> lookups instead of using a generic database lookup
> protocol like LDAP. It's not surprising that this sort
> of ugly hack has unintended side effects. After all, people
> who build DNS infrastructure intend it to be used to
> for generic DNS translations, not generic database lookups.

A DNS query is a database lookup.  It is probably the most widely 
distributed, robust database ever designed an implemented.  But it is a 
database, and the DNSBL queries are well formed DNS queries.  The only 
difference between a DNSBL query and a normal host lookup is the source 
zone file and rate.

I wonder if Google gets too many DNS hits if AT&T will decide to filter 
that zone?

> Funny thing is that most mailer software that uses
> DNSBLs also supports LDAP database lookups so there is
> really no good reason why DNSBLs exist in the first
> place.

Have the mailers always supported LDAP?  Do all firewalls which work as 
MTAs in many 1000s of corporations allow LDAP queries by default?  
Perhaps the creators and maintainers of the DNSBLs like to use DNS and 
do not like LDAP?

There are many, many possible "good reasons" for the DNSBLs to exist.

> IMHO, the DNSBL experiment has proved the usefulness
> of having a variety of blacklist/whitelist/greylist databases
> for mail servers to query. It's high time that folks
> shift these databases onto a protocol that does not interfere
> with the Internet's critical DNS systems and I believe that
> LDAP is that protocol.

That is possible, and much more reasonable than claiming that they have 
no good reason to exist in the first place.

If you believe this so fervently, perhaps you should put in effort to 
make it happen, instead of discarding out of hand the effort, time, and 
money the current maintainers have donated out to make the community 
better.

-- 
TTFN,
patrick