From: Russ SBITS.Biz [SBS-MVP] on 27 Dec 2009 18:45

Is this a big issue with you and your clients?

Russ

--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services - http://www.microsoft-online-services.com/

"Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message news:OGr2d20hKHA.6136(a)TK2MSFTNGP04.phx.gbl...
> Here's a link that talks about DNS injection and NXDOMAIN.
>
> http://www.circleid.com/posts/nxdomain_substitution_good_or_evil/
>
> Again, OpenDNS does this but it can be turned off and OpenDNS is an opt-in service. It is important to be aware of the consequences of DNS injection but in the case of OpenDNS it may be justified.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
>
> "Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message news:eHhFiByhKHA.2780(a)TK2MSFTNGP05.phx.gbl...
>> If a user mistypes an email address they'll get a cryptic NDR which usually generates a support call. If the mail server gets an NXDOMAIN reply when looking up the target mail server the user will get an NDR that is much easier for them to figure out. Never seeing an NXDOMAIN response can cause some other problems but that's the most common. It can make troubleshooting name resolution problems very hard unless you realise what's going on and temporarily set up a different forwarder.
>>
>> I'm not against using OpenDNS, just pointing out some potential side effects. OpenDNS is an opt-in product. What's really bad is when your ISP does DNS injection without telling you.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>> http://www.vistahelp.ca/phpBB2/
>>
>> "Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message news:C837762B-A1FA-4205-97BC-49DD73059B30(a)microsoft.com...
>>> If the domain doesn't exist? NXDOMAIN?
>>> I really don't care about NDRs.
>>>
>>> I'm more in love with the Blocking of "BAD" Sites
>>> For FREE!
>>> Clients love this... :)
>>> Russ
>>>
>>> --
>>>
>>> Russell Grover - SBITS.Biz [SBS-MVP]
>>> Microsoft Gold Certified Partner
>>> Microsoft Certified Small Business Specialist
>>> World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
>>> 30% OFF Microsoft Online Services - http://www.microsoft-online-services.com/
>>>
>>> "Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message news:O27j4JrhKHA.1456(a)TK2MSFTNGP06.phx.gbl...
>>>> Yes, but it can cause some weird Exchange NDRs because it never returns NXDOMAIN.
>>>>
>>>> --
>>>> Kerry Brown
>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>> http://www.vistahelp.ca/phpBB2/
>>>>
>>>> "Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message news:4754ABCD-5178-4E32-9D1E-B200707AEF16(a)microsoft.com...
>>>>> Another reason why I think OPENDNS.com ROCKS :)
>>>>> Free and "WORKS" :)
>>>>> Russ
>>>>>
>>>>> --
>>>>>
>>>>> Russell Grover - SBITS.Biz [SBS-MVP]
>>>>> Microsoft Gold Certified Partner
>>>>> Microsoft Certified Small Business Specialist
>>>>> World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
>>>>> 30% OFF Microsoft Online Services - http://www.microsoft-online-services.com/
>>>>>
>>>>> "Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:u32BfnchKHA.5568(a)TK2MSFTNGP02.phx.gbl...
>>>>>> "Chucko" <chucko(a)myrealbox.com> wrote in message news:%239v7seahKHA.5380(a)TK2MSFTNGP06.phx.gbl...
>>>>>>> Yes, as it turns out, the folks at Spamhaus are aware of the problem.
>>>>>>>
>>>>>>> From their FAQ:
>>>>>>>
>>>>>>> Your DNSBL blocks nothing at all!
>>>>>>>
>>>>>>> Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as Google Public DNS or Level3's public DNS servers to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use your own DNS servers when doing DNSBL queries to Spamhaus.
>>>>>>>
>>>>>> Thank you for posting this info. I hope it helps others when they search for this issue.
>>>>>>
>>>>>> :-)
>>>>>>
>>>>>> Ace
From: Kerry Brown on 27 Dec 2009 20:00

"Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message news:uaKpf60hKHA.4872(a)TK2MSFTNGP05.phx.gbl...
> Is this a big issue with you and your clients?
>

Big issue for me. I'm on the Canadian Internet Registration Authority board of directors. We manage the DNS for the .ca ccTLD. We answer 400,000 DNS queries per minute and it's some of those answers that are getting modified. It's a question of trust in the system. DNSSEC will solve this anyway so it's annoying but it will go away given time.

For my clients it can be an inconvenience. Usually it's just odd NDRs but I have seen a case where an Exchange server was brought to its knees because of not seeing NXDOMAIN responses. Several workstations were infected and generating a lot of spam email through the Exchange server. Because the server wasn't seeing any NXDOMAIN replies it kept trying non-existing email servers. It was easily fixed but for an hour or so no email was flowing.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
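The symptom Kerry describes (a resolver that never returns NXDOMAIN) can be checked directly rather than inferred from odd NDRs. The script below is an added example written for this page, not code from any poster or from OpenDNS: it builds a DNS query for a random label that cannot exist, parses the wire-format reply, and reports whether the resolver answered honestly (RCODE 3, empty answer section) or substituted an A record. The two replies it classifies are constructed by hand so it runs offline; `send_query()` is the live equivalent, and `192.0.2.10` is a TEST-NET-1 placeholder standing in for whatever search page a substituting resolver would hand back.

```python
"""Detect NXDOMAIN substitution ("DNS injection") from a resolver's wire replies.

Added example, not from the thread.  A compliant resolver answers a query for a
name that does not exist with RCODE 3 (NXDOMAIN) and no answer records; a
substituting resolver answers RCODE 0 with an A record for its own landing page.
"""
import random
import socket
import string
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive DNS query (RFC 1035 section 4.1) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> dict:
    """Return the RCODE and the A-record addresses found in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question entries
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "answers": addrs}

def classify(resp: bytes) -> str:
    """Classify the reply to a query for a name that is known not to exist."""
    r = parse_response(resp)
    if r["rcode"] == 3 and not r["answers"]:
        return "clean: NXDOMAIN returned"
    if r["rcode"] == 0 and r["answers"]:
        return "substitution: bogus A record(s) %s" % ", ".join(r["answers"])
    return "unexpected: rcode=%d answers=%s" % (r["rcode"], r["answers"])

def random_probe_name(base: str = "example.com") -> str:
    """A label nobody could have registered, so any real answer is illegitimate."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(20))
    return "%s.%s" % (label, base)

def send_query(name: str, resolver: str, timeout: float = 3.0) -> bytes:
    """Live probe over UDP/53 against `resolver` (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return s.recv(512)

# --- constructed replies to one probe query; no network needed ----------------
_PROBE = "zzqxwvutsrqponmlkjih.example.com"
_QUESTION = build_query(_PROBE)[12:]     # question section, reused in both replies

# Honest resolver: QR=1 RD=1 RA=1 RCODE=3 (0x8183), zero answers.
HONEST_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

# Substituting resolver: RCODE=0 (0x8180) plus one A record whose owner name is a
# compression pointer (0xC00C) back to the question name.
SUBSTITUTED_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                     + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                     + socket.inet_aton("192.0.2.10"))   # placeholder landing-page IP

if __name__ == "__main__":
    print(classify(HONEST_REPLY))
    print(classify(SUBSTITUTED_REPLY))
```

To run it against a real forwarder, call `classify(send_query(random_probe_name(), "<resolver-ip>"))`; a "substitution" result means the forwarder is rewriting NXDOMAIN and mail servers behind it will never see a clean "no such domain".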
From: Russ SBITS.Biz [SBS-MVP] on 27 Dec 2009 20:56

Hmm ok I've just never seen this causing any issues. (using OpenDNS.) ?
OK Well glad you got a handle on it.. :)
later
Russ

--
Russell Grover - SBITS.Biz [SBS-MVP]
Microsoft Gold Certified Partner
Microsoft Certified Small Business Specialist
World Wide 24hr SBS Remote Support - http://www.SBITS.Biz
30% OFF Microsoft Online Services - http://www.microsoft-online-services.com/

"Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message news:epvXYk1hKHA.2160(a)TK2MSFTNGP02.phx.gbl...
>
> "Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message news:uaKpf60hKHA.4872(a)TK2MSFTNGP05.phx.gbl...
>
>> Is this a big issue with you and your clients?
>>
>
> Big issue for me. I'm on the Canadian Internet Registration Authority board of directors. We manage the DNS for the .ca ccTLD. We answer 400,000 DNS queries per minute and it's some of those answers that are getting modified. It's a question of trust in the system. DNSSEC will solve this anyway so it's annoying but it will go away given time.
>
> For my clients it can be an inconvenience. Usually it's just odd NDRs but I have seen a case where an Exchange server was brought to its knees because of not seeing NXDOMAIN responses. Several workstations were infected and generating a lot of spam email through the Exchange server. Because the server wasn't seeing any NXDOMAIN replies it kept trying non-existing email servers. It was easily fixed but for an hour or so no email was flowing.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
>
From: Ace Fekay [MCT] on 28 Dec 2009 00:50

"Kerry Brown" <kerry(a)kdbNOSPAMsys-tems.c*a*m> wrote in message news:epvXYk1hKHA.2160(a)TK2MSFTNGP02.phx.gbl...
>
> "Russ SBITS.Biz [SBS-MVP]" <russ(a)REMOVETHIS.sbits.biz> wrote in message news:uaKpf60hKHA.4872(a)TK2MSFTNGP05.phx.gbl...
>
>> Is this a big issue with you and your clients?
>>
>
> Big issue for me. I'm on the Canadian Internet Registration Authority board of directors. We manage the DNS for the .ca ccTLD. We answer 400,000 DNS queries per minute and it's some of those answers that are getting modified. It's a question of trust in the system. DNSSEC will solve this anyway so it's annoying but it will go away given time.
>
> For my clients it can be an inconvenience. Usually it's just odd NDRs but I have seen a case where an Exchange server was brought to its knees because of not seeing NXDOMAIN responses. Several workstations were infected and generating a lot of spam email through the Exchange server. Because the server wasn't seeing any NXDOMAIN replies it kept trying non-existing email servers. It was easily fixed but for an hour or so no email was flowing.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
> http://www.vistahelp.ca/phpBB2/
>

As I have mentioned, I have several friends using OpenDNS, and they think it works fine; however, not ever having used it, I can't comment much more on it. I would rather use my own DNS servers internally, and the registrar's DNS as forwarders.

Therefore, depending on how the Exchange server is set up, meaning that if the SMTP service is configured to use an external DNS, and is pointed to OpenDNS, then the lack of NXDOMAIN responses may occur, from what you are saying. But as I said, I don't use OpenDNS and don't really know. I usually just leave Exchange to use the internal AD servers, with forwarders, and it works fine.

Ace
From: ObiWan [MVP] on 28 Dec 2009 05:16

> Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as Google Public DNS or Level3's public DNS servers to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. Please use your own DNS servers when doing DNSBL queries to Spamhaus.

Right, see, those DNSBLs allow free use if you keep *under* a given query rate, otherwise you'll have to "buy" an account with them so that your DNS IPs will be able to query the blacklists w/o restrictions (or, optionally, you may set up your own rbldnsd and keep a local copy of the BL zones); now... using whatever public resolver means that such resolvers may issue a whole lot of queries toward the DNSBLs, so the total traffic from those open resolvers' IPs as seen from the DNSBL servers' point of view will be above the rate limit, and this in turn will trigger the rate limiting mechanism, resulting in an NXDOMAIN answer to any query coming from those resolvers' IP addresses.

The bottom line is that, as long as you have your own DNS server, you should NOT rely on 3rd party (external) resolvers, using them as forwarders, but instead set up your DNS to carry on the full resolution process; and this is *especially* true when it comes to DNS resolvers serving mailservers.

The rule of thumb with forwarders is that you should use them only under one of the following conditions:

* You have a slow internet connection (i.e. dialup, ISDN)
* The external DNS which you use as forwarders are under your direct control
* You have some special needs which force you to only use forwarders

As a bottom note: if you still want to use forwarders for your DNS, even if you don't need them, you'd better set up some conditional forwarding rules on your DNS so that queries directed to the DNSBL you are using will be directly sent to the DNS servers which are authoritative for such zones.
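The failure mode ObiWan and the Spamhaus FAQ describe is nasty precisely because a rate-limited resolver and a clean IP produce the same answer: NXDOMAIN. The example below is added for this page and is not code from any poster, Spamhaus or rbldnsd. It builds the reversed-octet DNSBL query name, interprets the 127.0.0.x return codes, and then uses the DNSBL test entries (every IPv4 DNSBL lists 127.0.0.2 and must not list 127.0.0.1, per RFC 5782) to tell "nothing is listed" from "the list is not answering this resolver". The resolvers are simulated with constructed data so it runs offline; `dnsbl.example` and the listed address `192.0.2.10` are placeholders, and a real deployment would replace the `resolve` callback with an actual lookup.

```python
"""Sanity-check the resolver path used for DNSBL lookups.

Added example, not from the thread.  A DNSBL answers <reversed-ip>.<zone> with
one or more A records in 127.0.0.0/8 when the IP is listed and NXDOMAIN when it
is not.  A resolver that the list is rate-limiting therefore looks exactly like
"nothing is listed", which is the problem the Spamhaus FAQ describes.
"""
import ipaddress
from typing import Callable, List, Optional

# A resolver callback: query name -> list of A records, or None for NXDOMAIN.
ListLookup = Callable[[str], Optional[List[str]]]

_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the list zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone

def dnsbl_lookup(ip: str, zone: str, resolve: ListLookup) -> dict:
    """Return listing status and the 127.0.0.x return codes for one IP."""
    answers = resolve(dnsbl_name(ip, zone))
    if answers is None:                       # NXDOMAIN: "not listed"... or rate-limited
        return {"listed": False, "codes": []}
    codes = [a for a in answers if ipaddress.IPv4Address(a) in _LOOPBACK]
    return {"listed": bool(codes), "codes": sorted(codes)}

def verify_dnsbl_path(zone: str, resolve: ListLookup) -> str:
    """Use the RFC 5782 test entries to distinguish 'not listed' from 'list unreachable'."""
    positive = dnsbl_lookup("127.0.0.2", zone, resolve)   # MUST be listed
    negative = dnsbl_lookup("127.0.0.1", zone, resolve)   # MUST NOT be listed
    if not positive["listed"]:
        return "BROKEN: test entry 127.0.0.2 not listed; this resolver is being rate-limited or cannot reach the list"
    if negative["listed"]:
        return "BROKEN: 127.0.0.1 is listed; the answers are not coming from the real list"
    return "OK: DNSBL test entries answer as expected"

# --- simulated resolvers built from constructed data; no network involved -----
ZONE = "dnsbl.example"                     # placeholder zone, not a real DNSBL

_LIST_DATA = {
    "2.0.0.127." + ZONE: ["127.0.0.2"],                    # mandatory test entry
    "10.2.0.192." + ZONE: ["127.0.0.2", "127.0.0.4"],      # constructed listed host
}

def own_resolver(name: str) -> Optional[List[str]]:
    """Your own recursive server, well under the list's free query rate: sees real data."""
    return _LIST_DATA.get(name)

def rate_limited_resolver(name: str) -> Optional[List[str]]:
    """A shared public resolver whose aggregate traffic tripped the list's limit:
    every query, test entry included, comes back NXDOMAIN."""
    return None

if __name__ == "__main__":
    for label, resolver in (("own", own_resolver), ("rate-limited", rate_limited_resolver)):
        print("%-13s %s" % (label, verify_dnsbl_path(ZONE, resolver)))
        print("%-13s 192.0.2.10 -> %s" % ("", dnsbl_lookup("192.0.2.10", ZONE, resolver)))
```

Running the test-entry check from the mail server's own resolver, on a schedule, turns a silent "the DNSBL blocks nothing" into an alert; the fix is then the one ObiWan gives, full recursion or a conditional forwarder for the DNSBL zone so those queries never pass through a shared public resolver.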