nanog mailing list archives
Re: Criminals, The Network, and You [Was: Something Else]
From: Stephen Satchell <list () satchell net>
Date: Wed, 12 Sep 2007 08:54:56 -0700
My mail servers return 5xx on NXDOMAIN. If my little shop can spend not too much money for three-9s reliability in the DNS servers, other shops can as well. When I first deployed the system, the overwhelming majority of the rejects were from otherwise known spam locations (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs). The number of false positives was so small that whitelisting was easy and simple to maintain.
If a shop is not multihomed, they can contract with one or more DNS hosts to provide high-availability DNS, particularly for their in-addr.arpa zones.
It's not hard. Nor expensive.

Paul Ferguson wrote:
Re-sending due to Merit's minor outage.
- ferg

---------- Forwarded Message ----------

-- Robert Blayzor <rblayzor () inoc net> wrote:
The fact that they're rejecting on a 5xx error based on no DNS PTR is a bit harsh. While I'm all for requiring all hosts to have valid PTR records, there are times when transient or problem servers can cause a DNS lookup failure or miss, etc. If anything they should be returning a 4xx to have the remote host "try again later".

Oh, wait till you realize that some of the HTTP returns are bogus altogether -- and actually still serve malware.
It's pretty rampant right now. :-/
- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
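Added example, not part of the original messages or any poster's configuration: a sketch of the two policies discussed above, returning 5xx only on an authoritative negative PTR answer and 4xx on transient resolver failures, with a whitelist for known false positives. The function names, reply texts, stub resolvers and documentation-range addresses are assumptions constructed for illustration.

```python
import socket

# h_errno values carried in socket.herror.args[0] (from <netdb.h>).
HOST_NOT_FOUND, TRY_AGAIN, NO_RECOVERY, NO_DATA = 1, 2, 3, 4

def ptr_policy(client_ip, resolve=socket.gethostbyaddr, whitelist=frozenset()):
    """Map the PTR lookup result for a connecting client to an SMTP reply.

    resolve and whitelist are parameters of this example (assumptions), so
    the policy can be exercised offline with stub resolvers.
    """
    if client_ip in whitelist:
        return 250, "whitelisted"          # known false positive, skip the check
    try:
        hostname, _aliases, _addrs = resolve(client_ip)
    except socket.herror as exc:
        if exc.args[0] in (HOST_NOT_FOUND, NO_DATA):
            # Authoritative negative answer (NXDOMAIN, or no PTR record).
            # Treating NO_DATA like NXDOMAIN is an assumption of this example.
            return 550, "5.7.1 no reverse DNS for %s" % client_ip
        # TRY_AGAIN / NO_RECOVERY: resolver trouble, not the sender's fault.
        return 451, "4.4.3 reverse DNS lookup failed, try again later"
    except OSError:
        # Timeouts and other resolver errors are also temporary.
        return 451, "4.4.3 reverse DNS lookup failed, try again later"
    return 250, hostname

def failing(h_errno):
    """Constructed stub resolver that always fails with the given h_errno."""
    def resolve(_ip):
        raise socket.herror(h_errno, "stub")
    return resolve

def demo():
    """Run the policy over constructed cases (documentation-range addresses)."""
    ok = lambda ip: ("mail.example.net", [], [ip])
    return {
        "has_ptr": ptr_policy("192.0.2.10", resolve=ok),
        "nxdomain": ptr_policy("192.0.2.20", resolve=failing(HOST_NOT_FOUND)),
        "servfail": ptr_policy("192.0.2.30", resolve=failing(TRY_AGAIN)),
        "whitelisted": ptr_policy("192.0.2.20", resolve=failing(HOST_NOT_FOUND),
                                  whitelist={"192.0.2.20"}),
    }

if __name__ == "__main__":
    for case, reply in demo().items():
        print(case, reply)
```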