North American Network Operators Group


Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)

  • From: Patrick W.Gilmore
  • Date: Mon Apr 19 12:32:14 2004

On Apr 19, 2004, at 11:54 AM, [email protected] wrote:

> > "I finally talked to someone who knows what the problem is. Your sbl sites have been blocked by the standard DNS forwarders supplied by ATT. This is due to the workload being generated on them from mailservers."
> >
> > Duh! This is really dumb.
>
> It's not dumb at all.

Yes, it is.

It is not only dumb, it is a disservice to their customers. AT&T is intentionally distributing known bad information. Worse, they hid this fact from their customer. When customers called the AT&T support line to find out what happened, they were told nothing was wrong and it must be on the customer side. My understanding is this was an intentional lie. Lying to your customers is a Bad Thing [tm], IMHO.

Perhaps it was just a bunch of front line people who did not know / understand, but considering that they made a change which they knew - they *KNEW* - would break things, they should have made damned sure each and every front line person was prepared for the customer calls. They did not, so they are at best guilty of pathetically poor customer service, and possibly guilty of outright lying to their customers.

If I paid AT&T for name service (even as part of a larger package of offerings - e.g. transit), I would be *VERY* upset.


> DNSBLs are using the DNS to do general purpose database lookups instead of using a generic database lookup protocol like LDAP. It's not surprising that this sort of ugly hack has unintended side effects. After all, people who build DNS infrastructure intend it to be used to for generic DNS translations, not generic database lookups.

A DNS query is a database lookup. It is probably the most widely distributed, robust database ever designed and implemented. But it is a database, and the DNSBL queries are well formed DNS queries. The only difference between a DNSBL query and a normal host lookup is the source zone file and rate.

I wonder if Google gets too many DNS hits if AT&T will decide to filter that zone?


> Funny thing is that most mailer software that uses DNSBLs also supports LDAP database lookups so there is really no good reason why DNSBLs exist in the first place.

Have the mailers always supported LDAP? Do all firewalls which work as MTAs in many 1000s of corporations allow LDAP queries by default? Perhaps the creators and maintainers of the DNSBLs like to use DNS and do not like LDAP?

There are many, many possible "good reasons" for the DNSBLs to exist.


> IMHO, the DNSBL experiment has proved the usefulness of having a variety of blacklist/whitelist/greylist databases for mail servers to query. It's high time that folks shift these databases onto a protocol that does not interfere with the Internet's critical DNS systems and I believe that LDAP is that protocol.

That is possible, and much more reasonable than claiming that they have no good reason to exist in the first place.

If you believe this so fervently, perhaps you should put in effort to make it happen, instead of discarding out of hand the effort, time, and money the current maintainers have donated to make the community better.

--
TTFN,
patrick
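Patrick's point that a DNSBL lookup is an ordinary DNS query, and the thread's complaint about forwarders returning bogus answers, as an added example that is not from the original post or any list operator: it builds the reversed-octet query name and checks a resolver path against the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not). The zone `dnsbl.example`, the resolver stubs and every answer are constructed placeholders, not real list data.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver is modelled as a function from query name to its A records,
# or None for NXDOMAIN. A real deployment would wrap a DNS library; here the
# answers are constructed in-line so the check runs offline.
Resolver = Callable[[str], Optional[List[str]]]
DNSBL_CODES = ipaddress.ip_network("127.0.0.0/8")  # conventional "listed" range

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Listed only if every A answer is a 127.0.0.0/8 return code; NXDOMAIN,
    an empty answer, or a public address (not a list code) all mean unlisted."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return bool(answers) and all(
        ipaddress.IPv4Address(a) in DNSBL_CODES for a in answers)

def resolver_sanity_check(zone: str, resolve: Resolver) -> List[str]:
    """RFC 5782 test entries: 127.0.0.2 MUST be listed, 127.0.0.1 MUST NOT be.
    Returns the failed checks; an empty list means the resolver path looks sane."""
    problems = []
    if not is_listed("127.0.0.2", zone, resolve):
        problems.append("127.0.0.2 not listed: zone blocked or answered NXDOMAIN")
    if is_listed("127.0.0.1", zone, resolve):
        problems.append("127.0.0.1 listed: resolver returns a listing for everything")
    return problems

def make_resolver(table: Dict[str, List[str]], default=None) -> Resolver:
    """Stub resolver over a constructed answer table (placeholder, not real DNS)."""
    return lambda name: table.get(name, default)

ZONE = "dnsbl.example"  # placeholder zone, not a real list

# Constructed answer sets for three resolver behaviours.
HEALTHY = make_resolver({
    "2.0.0.127." + ZONE: ["127.0.0.2"],   # RFC 5782 test entry
    "10.2.0.192." + ZONE: ["127.0.0.2"],  # a constructed listed sender
})
BLOCKING_FORWARDER = make_resolver({})  # NXDOMAIN for every name in the zone
LISTS_EVERYTHING = make_resolver({}, default=["127.0.0.2"])

if __name__ == "__main__":
    for label, r in [("healthy", HEALTHY), ("blocking", BLOCKING_FORWARDER),
                     ("lists-all", LISTS_EVERYTHING)]:
        print(label, resolver_sanity_check(ZONE, r) or "ok")
```

Running the two test lookups against the mail server's configured resolver is the quickest way to tell a forwarder that silently drops or rewrites a list zone from a sender that is genuinely unlisted.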