North American Network Operators Group
Re: Criminals, The Network, and You [Was: Something Else]
> My mail servers return 5xx on NXDOMAIN. If my little shop can spend not
> too much money for three-9s reliability in the DNS servers, other shops
> can as well. When I first deployed the system, the overwhelming
> majority of the rejects were from otherwise known spam locations
> (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs).
> The number of false positives was so small that whitelisting was easy
> and simple to maintain.
>
> If a shop is not multihomed, they can contract with one or more DNS
> hosts to provide high-availability DNS, particularly for their
> in-addr.arpa zones.
>
> It's not hard. Nor expensive.

Well, if by "3 9's" you mean "99.9%", and that's acceptable to you, then fine.

Otherwise, your self-measured uptime of your DNS servers is not that relevant, as the real question is what is the availability of your DNS servers as measured from whoever might be doing a lookup on your domain (or, more specifically, from whatever random mail server happens to be doing a domain lookup of your domain).

I would be skeptical that it is easy for any organization to build a nameserver system that can actually reach 99.999% availability from random points on the Internet. Contracting to an outsourcer is no guarantee, as we've seen large-scale DDoS attacks against some of these. Outsourcers are actually riskier, since a DDoS against the nameservers of any of their customers is essentially a DDoS against your nameservers. Some combination of outsourced plus diverse self-managed servers probably lands you there, but it is neither easy nor without expense to make arrangements like this.

Given the level of clue required to get truly rock solid DNS, it may be better to 4XX NXDOMAIN. Most spambots don't seem to retry on a 4XX anyways, so to a spambot, the 4XX *is* a 5XX, but to a real mail client, the 4XX is a 4XX, and that seems like it would be a more resilient choice.

...
JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
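The 4xx-versus-5xx decision argued over in the exchange above, as an added example that is not code from the post or from sol.net: a sender-domain check that keeps resolver failures (SERVFAIL, timeout) separate from an authoritative NXDOMAIN and applies either policy to the latter. The `DnsAnswer`, `make_lookup` and `smtp_reply_for_sender` names and the constructed lookup tables are assumptions, and the RFC 7505 null-MX branch goes beyond what the thread discusses.

```python
"""Sender-domain verification that maps DNS outcomes to SMTP replies.

Added example illustrating the 4xx-vs-5xx choice discussed in the thread;
it is not code from the post. Resolution is abstracted as a callable so
the policy can run offline; wire it to a real resolver in production.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Resolver outcomes: NXDOMAIN is an authoritative "no such name";
# SERVFAIL/TIMEOUT mean we got no usable answer (the name may well exist).
NXDOMAIN, NOERROR, SERVFAIL, TIMEOUT = "NXDOMAIN", "NOERROR", "SERVFAIL", "TIMEOUT"

@dataclass(frozen=True)
class DnsAnswer:
    rcode: str
    records: Tuple[str, ...] = ()   # MX target names or A addresses when NOERROR

Lookup = Callable[[str, str], DnsAnswer]   # (name, rrtype) -> DnsAnswer

def make_lookup(table: Dict[Tuple[str, str], DnsAnswer]) -> Lookup:
    """Build a lookup from a constructed (name, rrtype) -> answer table (assumed)."""
    return lambda name, rrtype: table.get((name, rrtype), DnsAnswer(NXDOMAIN))

def smtp_reply_for_sender(domain: str, lookup: Lookup, nxdomain_is_permanent: bool) -> str:
    """Reply to MAIL FROM based on the sender domain's MX/A lookup.

    nxdomain_is_permanent=True is the quoted "5xx on NXDOMAIN" policy;
    False is the 4xx policy the reply argues is more resilient.
    """
    not_found = ("550 5.1.8" if nxdomain_is_permanent else "450 4.1.8") + \
        " Sender address rejected: domain not found"
    mx = lookup(domain, "MX")
    if mx.rcode in (SERVFAIL, TIMEOUT):
        # No answer at all: never turn a resolver outage into a permanent reject.
        return "451 4.4.3 Temporary lookup failure for sender domain"
    if mx.rcode == NXDOMAIN:
        return not_found
    if mx.records == (".",):
        # RFC 7505 null MX (single target "."): owner states the domain never sends mail.
        return "550 5.1.8 Sender domain does not accept mail (null MX)"
    if mx.records:
        return "250 2.1.0 Sender OK"
    # NOERROR with no MX: RFC 5321 falls back to an address record for the domain.
    a = lookup(domain, "A")
    if a.rcode in (SERVFAIL, TIMEOUT):
        return "451 4.4.3 Temporary lookup failure for sender domain"
    if a.rcode == NOERROR and a.records:
        return "250 2.1.0 Sender OK"
    return not_found   # domain exists but offers no mail service
```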