From: ObiWan [MVP] on 28 Dec 2009 05:18

> Additionally, the Open DNS system will even monitor the networks
> and provide me with a warning if a PC on one of those networks
> appears to be infected with malware (they can tell by the DNS
> requests and where those DNS requests are directed).

Heh... and they'll "monitor" much more than just that <eg>
From: ObiWan [MVP] on 28 Dec 2009 05:32

> I'm not against using OpenDNS, just pointing out some potential side
> effects. OpenDNS is an opt in product. What's really bad is when your
> ISP does DNS injection without telling you.

Not just that; OpenDNS is fast since they extensively use their cache and, to speed this up, they override the TTL values. Now, imagine one of your customers' mailservers ending up in a DNSBL just due to some worm spitting out spam; after a couple of hours the folks at your customer site manage to fix things and to remove the entry from the DNSBL but, since you are using OpenDNS, the entry will still be cached and you'll be rejecting the emails. Cool huh?
From: Ace Fekay [MCT] on 28 Dec 2009 10:03

"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:%23EL3Tb6hKHA.5020(a)TK2MSFTNGP02.phx.gbl...
>
>> Check what DNS resolvers you are using: If you are using a free "open DNS
>> resolver" service such as Google Public DNS or Level3's public DNS
>> servers to resolve your DNSBL requests, in most cases you will receive
>> a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers.
>> Please use your own DNS servers when doing DNSBL queries to Spamhaus.
>
> Right, see, those DNSBLs allow free use if you keep *under* a given query rate,
> otherwise you'll have to "buy" an account with them so that your DNS IPs will be
> able to query the blacklists w/o restrictions (or, optionally, you may set up your
> own rbldnsd and keep a local copy of the BL zones); now... using whatever
> public resolver means that such resolvers may issue a whole lot of queries
> toward the DNSBLs, so the total traffic from those open resolvers' IPs as seen
> from the DNSBL servers' point of view will be above the rate limit and this in
> turn will trigger the rate limiting mechanism, resulting in an NXDOMAIN answer
> to any query coming from those resolvers' IP addresses.
>
> The bottom line is that, as long as you have your own DNS server, you should
> NOT rely on 3rd party (external) resolvers, using them as forwarders, but instead
> set up your DNS to carry on the full resolution process; and this is *especially*
> true when it comes to DNS resolvers serving mailservers.
>
> The rule of thumb with forwarders is that you should use them only under one
> of the following conditions:
>
> * You have a slow internet connection (i.e. dialup, ISDN)
>
> * The external DNS which you use as forwarders are under your direct control
>
> * You have some special needs which force you to only use forwarders
>
> As a bottom note: if you still want to use forwarders for your DNS, even if
> you don't need them, you'd better set up some conditional forwarding rules
> on your DNS so that queries directed to the DNSBL you are using will be
> directly sent to the DNS servers which are authoritative for such zones.

I didn't know OpenDNS works like that. Friends use it, however apparently they do not exceed the limits. I've never used it, nor do I have any plans to.

And nice hearing from you, Obi! I hope things are going well.

Ace
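The failure mode quoted above (a rate-limited public resolver turning every DNSBL answer into NXDOMAIN, which a mail server reads as "not listed") can be caught on the mail server side. The following is an added example, not code from this thread or from Spamhaus: it builds the reversed-octet DNSBL query name, interprets the answer, and refuses to trust a "not listed" result unless the zone's documented always-listed test entry (127.0.0.2 for zen.spamhaus.org) actually comes back listed through the resolver in use. The resolver is injected as a callback so the block runs offline against two constructed simulated resolvers; in production you would plug in a real lookup against your own DNS server. Treatment of 127.255.255.0/24 answers as error codes follows current Spamhaus documentation and is an assumption about the zone you query.

```python
"""DNSBL lookup helper that distinguishes a genuine "not listed" answer from a
resolver whose DNSBL queries are being rate-limited or refused.

Added example (not from the thread). Assumptions: the zone follows the
zen.spamhaus.org conventions (127.0.0.2 is an always-listed test entry,
127.0.0.x are "listed" codes, 127.255.255.x are error codes), and the
resolver callback returns a list of A-record strings or None for NXDOMAIN.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]  # None models NXDOMAIN

ZONE = "zen.spamhaus.org"
TEST_ENTRY = "127.0.0.2"  # documented always-listed test address for this zone


def dnsbl_name(ip: str, zone: str) -> str:
    """192.0.2.10 -> 10.2.0.192.zen.spamhaus.org (octets reversed, zone appended)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers: Optional[List[str]]) -> str:
    """Map a DNSBL answer set to listed / not_listed / error / unexpected."""
    if answers is None:
        return "not_listed"  # NXDOMAIN: the IP is not in the zone (or the resolver is cut off)
    for rdata in answers:
        if rdata.startswith("127.255.255."):
            return "error"  # assumption: DNSBL error code (e.g. open resolver, over quota)
        if rdata.startswith("127.0.0."):
            return "listed"
    return "unexpected"


def resolver_is_trustworthy(resolve: Resolver, zone: str) -> bool:
    """The test entry must come back listed; NXDOMAIN or an error code means
    this resolver's answers for the zone cannot be believed."""
    return classify(resolve(dnsbl_name(TEST_ENTRY, zone))) == "listed"


def check_ip(ip: str, zone: str, resolve: Resolver) -> str:
    """Return listed / not_listed / error / unexpected, or 'unknown' when the
    resolver fails the test-entry check (never silently treat that as clean)."""
    if not resolver_is_trustworthy(resolve, zone):
        return "unknown"
    return classify(resolve(dnsbl_name(ip, zone)))


# --- constructed simulated resolvers (offline stand-ins, not real DNS) -------
SIM_ZONE_DATA: Dict[str, List[str]] = {
    dnsbl_name(TEST_ENTRY, ZONE): ["127.0.0.2"],   # the zone's test entry
    dnsbl_name("192.0.2.10", ZONE): ["127.0.0.4"],  # constructed: a listed documentation IP
}


def make_sim_resolver(zone_data: Dict[str, List[str]], rate_limited: bool) -> Resolver:
    """rate_limited=True models a shared public resolver whose source IP is over the
    DNSBL's free-query quota: the DNSBL answers NXDOMAIN to everything it asks."""
    def resolve(qname: str) -> Optional[List[str]]:
        if rate_limited:
            return None
        return zone_data.get(qname)
    return resolve


own_resolver = make_sim_resolver(SIM_ZONE_DATA, rate_limited=False)     # your own recursive DNS
public_resolver = make_sim_resolver(SIM_ZONE_DATA, rate_limited=True)   # over-quota open resolver

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "via own resolver:   ", check_ip(ip, ZONE, own_resolver))
        print(ip, "via public resolver:", check_ip(ip, ZONE, public_resolver))
```

The important design choice is that `check_ip` returns `unknown` rather than `not_listed` when the test entry fails: a mail server that logs or alerts on `unknown` will notice a broken resolver path immediately, whereas one that only sees NXDOMAIN will quietly accept spam until someone notices the blocklist stopped working.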
From: ObiWan [MVP] on 28 Dec 2009 10:45

> I didn't know OpenDNS works like that. Friends use it, however
> apparently they do not exceed the limits. I've never used it, nor
> do I have any plans to.

Heh... Ace, you know enough about DNS to understand that whoever "fully sees" your queries has a *great* power; and btw, getting back to ODNS, there's also to say that I saw an answer to a folk regarding the use of ODNS for mailservers and the mail stated that "in whatever instant opendns may consider queries as an abuse and blackhole the querying IP or in any case they may decide to disrupt the service", and this isn't exactly a good thing if you're trying to run a reliable email service.

> And nice hearing from you, Obi! I hope things are going well.

Heh... thanks to Susan for calling me here, I'm no SBS-er but when I saw her email and your name I couldn't just stay silent :) Hope things are going well on your side too ... and btw a really merry Christmas (ok... a late one) and very HAPPY new year, and may the coming year bring some peace and happiness to this poor world!
From: ObiWan [MVP] on 28 Dec 2009 10:49

> I didn't know OpenDNS works like that.

Whooops, overlooked that: it's not OpenDNS... the rate limiter is on the DNSBL servers and those see queries coming from ODNS ... and since there's a bunch of people using ODNS the query rate quickly goes over the rate limiter. Then, btw, ODNS has its own rate limiter as well, so one may eventually hit that one and fail each and every DNS query ... w/o any notice :P ... and btw by the time the admin realizes that there's a DNS failure a bunch of emails will be lost.