DNS question, null MX records
Patrick W. Gilmore
patrick at ianai.net
Tue Dec 15 09:33:25 CST 2009
On Dec 15, 2009, at 10:17 AM, Eric J Esslinger wrote:
> I have a domain that exists solely to cname A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attempting to connect to the cnamed A record, which has no inbound mail server (It's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without DNS for a while)
> I found a reference to a null MX proposal, constructed so:
> example.com IN MX 0 .
> Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers.
It's valid. But if you think all spammers will respect it, you're in for a surprise. :(
There is also a recommendation to point the MX at somewhere unroutable (192.2.x.x IIRC, but don't quote me on that). This will force the spammer / bot to try to connect to something that does not exist and use up sockets & resources, hopefully slowing it down. I've also heard that pointing the MX at localhost is useful, for reasons that should be obvious. The latter has the slight advantage of not making networks with a default route carry packets to the DFZ.
I'm sure some will find errors with all three suggestions. I honestly don't know which is the best / worst. Personally I'd set up a tiny mail server that accepted connections & feed them to /dev/null, or maybe forwarded the whole feed to a spam trap or DCC or the like.
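An added example, not from the thread, showing how a sending MTA would treat each of the options discussed above (null MX, MX at localhost, MX at an unroutable block, and no MX at all); the host names and resolver table are constructed, and 192.0.2.0/24 (RFC 5737 TEST-NET-1) is assumed as the unroutable block.

```python
"""Sender-side evaluation of a domain's MX RRset."""
import ipaddress

# Targets that can never complete an SMTP session from a public sender.
SINKHOLE_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),   # loopback (the "MX at localhost" option)
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("192.0.2.0/24"),  # TEST-NET-1, assumed as the unroutable block
    ipaddress.ip_network("0.0.0.0/8"),
]

# Constructed resolver table standing in for A/AAAA lookups (hypothetical names).
SAMPLE_ADDRS = {
    "relay.example.net.": ["203.0.113.25"],   # placeholder for a reachable relay
    "localhost.": ["127.0.0.1"],
    "blackhole.example.com.": ["192.0.2.1"],  # MX pointed into TEST-NET-1
}

def sample_resolve(name):
    name = name.lower()
    if not name.endswith("."):
        name += "."
    return SAMPLE_ADDRS.get(name, [])

def is_sinkhole(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SINKHOLE_NETS)

def classify_mx(rrset, resolve=sample_resolve):
    """rrset: list of (preference, exchange) tuples from the domain's MX lookup.
    Returns (verdict, exchange): verdict is 'null-mx', 'implicit-mx',
    'no-route' or 'deliver'; exchange is the chosen MX host or None."""
    if not rrset:
        # No MX at all: RFC 5321 makes senders fall back to the A/AAAA record,
        # which is why a CNAME-only domain still receives SMTP connections.
        return ("implicit-mx", None)
    if len(rrset) == 1 and rrset[0][0] == 0 and rrset[0][1] == ".":
        # RFC 7505 null MX ("MX 0 ."): the domain accepts no mail; bounce without connecting.
        return ("null-mx", None)
    for pref, exch in sorted(rrset):
        addrs = resolve(exch)
        if addrs and not all(is_sinkhole(a) for a in addrs):
            return ("deliver", exch)
    # Every MX target is loopback or unroutable: a careful sender gives up here
    # rather than burning sockets on connections that cannot succeed.
    return ("no-route", None)
```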