North American Network Operators Group


Re: Criminals, The Network, and You [Was: Something Else]

  • From: Stephen Satchell
  • Date: Wed Sep 12 11:58:34 2007

My mail servers return 5xx on NXDOMAIN. If my little shop can spend not too much money for three-9s reliability in the DNS servers, other shops can as well. When I first deployed the system, the overwhelming majority of the rejects were from otherwise known spam locations (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs). The number of false positives was so small that whitelisting was easy and simple to maintain.

If a shop is not multihomed, they can contract with one or more DNS hosts to provide high-availability DNS, particularly for their zones.

It's not hard. Nor expensive.

Paul Ferguson wrote:
Re-sending due to Merit's minor outage.

- ferg

---------- Forwarded Message ----------


-- Robert Blayzor <[email protected]> wrote:

The fact that they're rejecting on a 5xx error based on no DNS PTR is a bit harsh. While I'm all for requiring all hosts to have valid PTR records, there are times when transient or problem servers can cause a DNS lookup failure or miss, etc. If anything they should be returning a 4xx to have the remote host "try again later".

Oh, wait till you realize that some of the HTTP returns are bogus
altogether -- and actually still serve malware.

It's pretty rampant right now. :-/

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at) ferg's tech blog:
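The disagreement in the thread is about which SMTP reply a receiver should give when the connecting client's reverse DNS cannot be verified: Satchell rejects permanently (5xx) on NXDOMAIN, Blayzor argues that lookup failures caused by flaky servers deserve a temporary 4xx so the sender retries. The two positions are compatible if the policy distinguishes a definitive NXDOMAIN from SERVFAIL or a timeout. The following is an added illustration written for this archive page, not code from any of the posters; the resolver is replaced by a constructed in-memory lookup table (the addresses and hostnames are documentation examples, not real hosts), and the whitelist set is likewise an assumption. With a live resolver the same four outcomes correspond to a normal answer, an NXDOMAIN response, a SERVFAIL, and a query timeout.

```python
"""Reverse-DNS client check that separates permanent from transient DNS failures.

Policy: 550 only when DNS says definitively that no record exists (NXDOMAIN, or a
PTR name that definitively does not resolve back); 450 when the lookup itself
failed (SERVFAIL, timeout) so the remote MTA queues and retries; 250 otherwise.
"""
import ipaddress

# Lookup outcomes, modeled on the DNS response codes a resolver reports.
NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT = "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"

# Constructed stand-in for a live resolver (assumption for this example, not real DNS data).
FAKE_DNS = {
    ("PTR", "1.2.0.192.in-addr.arpa."): (NOERROR, ["mx.example.net."]),
    ("A", "mx.example.net."): (NOERROR, ["192.0.2.1"]),      # forward-confirmed
    ("PTR", "2.2.0.192.in-addr.arpa."): (NXDOMAIN, []),        # definitively no PTR
    ("PTR", "3.2.0.192.in-addr.arpa."): (SERVFAIL, []),        # broken reverse zone
    ("PTR", "4.2.0.192.in-addr.arpa."): (NOERROR, ["bogus.example.org."]),
    ("A", "bogus.example.org."): (NXDOMAIN, []),               # PTR name does not exist
    ("PTR", "5.2.0.192.in-addr.arpa."): (TIMEOUT, []),         # unreachable nameserver
    ("PTR", "6.2.0.192.in-addr.arpa."): (NOERROR, ["flaky.example.org."]),
    ("A", "flaky.example.org."): (TIMEOUT, []),                # forward side is flaky
}

# Constructed whitelist of known-good client addresses exempt from the check (assumption).
WHITELIST = {"192.0.2.2"}


def fake_lookup(rtype, name):
    """Simulated DNS query; unknown names behave like NXDOMAIN."""
    return FAKE_DNS.get((rtype, name), (NXDOMAIN, []))


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name for an address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_client(ip, lookup=fake_lookup, whitelist=WHITELIST):
    """Return (smtp_code, text) for a connecting client address."""
    if ip in whitelist:
        return 250, "client whitelisted"

    status, ptrs = lookup("PTR", reverse_name(ip))
    if status == NXDOMAIN:
        # Authoritative "no such name": the kind of reject Satchell describes.
        return 550, "no PTR record for client"
    if status in (SERVFAIL, TIMEOUT):
        # Lookup failed rather than answered: Blayzor's "try again later" case.
        return 450, "reverse DNS temporarily unavailable, try again later"

    # Forward-confirm: accept if any PTR name maps back to the connecting address.
    saw_transient = False
    for name in ptrs:
        fstatus, addrs = lookup("A", name)
        if fstatus == NOERROR and ip in addrs:
            return 250, f"client verified as {name}"
        if fstatus in (SERVFAIL, TIMEOUT):
            saw_transient = True
    if saw_transient:
        return 450, "forward DNS temporarily unavailable, try again later"
    return 550, "PTR name does not resolve back to client"


if __name__ == "__main__":
    for addr in ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6"]:
        code, text = check_client(addr)
        print(f"{addr:<10} {code} {text}")
```

The whitelist is consulted before any lookup, which is what makes the small number of false positives Satchell mentions cheap to handle: an exempted address never waits on DNS at all. Everything that is not a definitive negative answer falls through to 450, so a sender behind a misconfigured or overloaded nameserver loses time rather than mail.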