Criminals, The Network, and You [Was: Something Else]

Joe Greco jgreco at ns.sol.net
Wed Sep 12 16:26:02 UTC 2007


> My mail servers return 5xx on NXDOMAIN.  If my little shop can spend not 
> too much money for three-9s reliability in the DNS servers, other shops 
> can as well.  When I first deployed the system, the overwhelming 
> majority of the rejects were from otherwise known spam locations 
> (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs). 
> The number of false positives was so small that whitelisting was easy 
> and simple to maintain.
> 
> If a shop is not multihomed, they can contract with one or more DNS 
> hosts to provide high-availability DNS, particularly for their 
> in-addr.arpa zones.
> 
> It's not hard.  Nor expensive.

Well, if by "3 9's" you mean "99.9%", and that's acceptable to you, then
fine.

Otherwise, your self-measured uptime of your DNS servers is not that
relevant, as the real question is what is the availability of your DNS
servers as measured from whoever might be doing a lookup on your domain
(or, more specifically, from whatever random mail server happens to be
doing a domain lookup of your domain).

I would be skeptical that it is easy for any organization to build a
nameserver system that can actually reach 99.999% availability from 
random points on the Internet.  Contracting to an outsourcer is no
guarantee, as we've seen large-scale DDoS attacks against some of 
these.  Outsourcers are actually riskier, since a DDoS against the
nameservers of any of their customers is essentially a DDoS against your
nameservers.  Some combination of outsourced plus diverse self-managed
servers probably lands you there, but it is neither easy nor without
expense to make arrangements like this.

Given the level of clue required to get truly rock solid DNS, it may
be better to 4XX NXDOMAIN.  Most spambots don't seem to retry on a 4XX
anyways, so to a spambot, the 4XX *is* a 5XX, but to a real mail client,
the 4XX is a 4XX, and that seems like it would be a more resilient 
choice.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
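To make the 4XX-versus-5XX argument concrete, here is a small added simulation (not code from the thread or from sol.net): a sender-domain check that maps DNS lookup outcomes to SMTP replies under a "reject" policy (5xx on NXDOMAIN) and a "defer" policy (4xx on NXDOMAIN), plus a scripted fake resolver so it runs offline. The reply codes, the `FakeResolver`, and the scenario of a domain that briefly answers NXDOMAIN (e.g. a delegation temporarily missing from the parent zone) and then resolves again are all assumptions constructed for the example; a real MTA does the lookup through its resolver library.

```python
"""Added example: SMTP sender-domain policy vs. DNS lookup outcomes.

Models the point made above: a legitimate MTA retries on 4xx, while a
spambot typically does not, so deferring on NXDOMAIN costs the spam
fight nothing but protects real mail from transient lookup failures.
The resolver below is a constructed fake; no network access is made.
"""
from enum import Enum


class DnsResult(Enum):
    OK = "ok"              # domain resolves (MX or A present)
    NXDOMAIN = "nxdomain"  # authoritative "name does not exist"
    SERVFAIL = "servfail"  # resolver got no usable answer (outage, DDoS)
    TIMEOUT = "timeout"    # no answer at all within the deadline


def smtp_reply(result: DnsResult, policy: str) -> tuple[int, str]:
    """Return the (code, text) an MTA sends for MAIL FROM given a lookup
    result and a policy of 'reject' (5xx on NXDOMAIN) or 'defer' (4xx).
    Reply codes are assumptions chosen for the example."""
    if result is DnsResult.OK:
        return 250, "OK"
    if result is DnsResult.NXDOMAIN:
        if policy == "reject":
            return 550, "Sender domain does not exist"
        return 450, "Sender domain lookup failed, try again later"
    # SERVFAIL / TIMEOUT are never authoritative, so always temporary.
    return 450, "Temporary lookup failure"


class FakeResolver:
    """Scripted lookup outcomes (constructed for the demo): each domain
    maps to a list of results returned in order; the last one repeats."""

    def __init__(self, script: dict[str, list[DnsResult]]):
        self.script = {d: list(seq) for d, seq in script.items()}

    def lookup(self, domain: str) -> DnsResult:
        seq = self.script[domain]
        return seq.pop(0) if len(seq) > 1 else seq[0]


def deliver(resolver: FakeResolver, domain: str, policy: str,
            retries_on_4xx: bool, max_attempts: int = 3) -> str:
    """Simulate the sending side. A real MTA retries 4xx until its queue
    lifetime expires; a spambot (retries_on_4xx=False) just moves on.
    Returns 'delivered', 'bounced' (permanent failure) or 'dropped'."""
    for _ in range(max_attempts):
        code, _text = smtp_reply(resolver.lookup(domain), policy)
        if code < 300:
            return "delivered"
        if code >= 500:
            return "bounced"
        if not retries_on_4xx:
            return "dropped"
    return "bounced"  # queue lifetime exhausted: sender generates a bounce


# Constructed scenario: a real domain whose delegation is briefly missing,
# so the first lookup says NXDOMAIN and the next one succeeds.
FLAPPING = {"example.net": [DnsResult.NXDOMAIN, DnsResult.OK]}
# A domain that genuinely does not exist (typical forged spam sender).
BOGUS = {"no-such-domain.invalid": [DnsResult.NXDOMAIN]}


def outcome(script: dict, domain: str, policy: str, legit: bool) -> str:
    """Fresh resolver per run so the scripted sequence starts over."""
    return deliver(FakeResolver(script), domain, policy, retries_on_4xx=legit)


if __name__ == "__main__":
    for policy in ("reject", "defer"):
        print(f"policy={policy}:")
        print("  legit MTA, flapping domain :",
              outcome(FLAPPING, "example.net", policy, legit=True))
        print("  spambot, bogus domain      :",
              outcome(BOGUS, "no-such-domain.invalid", policy, legit=False))
```

Under "reject" the flapping-but-real domain is bounced on the first NXDOMAIN; under "defer" the legitimate MTA retries and the mail is delivered, while the spambot, which never retries a 4xx, gets the same practical result either way.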
