Criminals, The Network, and You [Was: Something Else]
jgreco at ns.sol.net
Wed Sep 12 16:26:02 UTC 2007
> My mail servers return 5xx on NXDOMAIN. If my little shop can spend not
> too much money for three-9s reliability in the DNS servers, other shops
> can as well. When I first deployed the system, the overwhelming
> majority of the rejects were from otherwise known spam locations
> (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs).
> The number of false positives were so small that whitelisting was easy
> and simple to maintain.
> If a shop is not multihomed, they can contract with one or more DNS
> hosts to provide high-availability DNS, particularly for their
> in-addr.arpa zones.
> It's not hard. Nor expensive.
Well, if by "3 9's" you mean "99.9%", and that's acceptable to you, then
Otherwise, your self-measured uptime of your DNS servers is not that
relevant, as the real question is what is the availability of your DNS
servers as measured from whoever might be doing a lookup on your domain
(or, more specifically, from whatever random mail server happens to be
doing a domain lookup of your domain).
I would be skeptical that it is easy for any organization to build a
nameserver system that can actually reach 99.999% availability from
random points on the Internet. Contracting to an outsourcer is no
guarantee, as we've seen large-scale DDoS attacks against some of
these. Outsourcers are actually riskier, since a DDoS against the
nameservers of any of their customers is essentially a DDoS against your
nameservers. Some combination of outsourced plus diverse self-managed
servers probably lands you there, but it is neither easy nor without
expense to make arrangements like this.
Given the level of clue required to get truly rock solid DNS, it may
be better to 4XX NXDOMAIN. Most spambots don't seem to retry on a 4XX
anyways, so to a spambot, the 4XX *is* a 5XX, but to a real mail client,
the 4XX is a 4XX, and that seems like it would be a more resilient
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG