From: Ace Fekay [MCT] on 28 Dec 2009 11:56

"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:ePF8OV9hKHA.5568(a)TK2MSFTNGP02.phx.gbl...

>> I didn't know OpenDNS works like that.
>
> whooops overlooked that
>
> it's not opendns... the rate limiter is on DNSBL servers
> and those see queries coming from ODNS ... and since
> there's a bunch of people using ODNS the query rate
> quickly goes over the rate limiter
>
> then, btw, ODNS has its own ratelimiter as well, so one
> may eventually hit that one and fail each and every dns
> query ... w/o any notice :P ... and btw by the time the admin
> will realize that there's a DNS failure a bunch of emails will
> be lost

I never used ODNS, so this is new to me. Understanding DNS and its processes, this kind of tells me: why would anyone use it? Same with the DNSBL service.

Thanks to Susan, I'm glad you jumped in on this thread. It helped me understand what is going on. :-)

A belated Merry Christmas to you and yours, and a Happy New Year!

Ace
From: Kerry Brown on 28 Dec 2009 12:15

"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:#xB2gk6hKHA.5608(a)TK2MSFTNGP05.phx.gbl...

>> I'm not against using OpenDNS, just pointing out some potential side
>> effects. OpenDNS is an opt-in product. What's really bad is when your
>> ISP does DNS injection without telling you.
>
> Not just that; opendns is fast since they extensively use their cache
> and to speed this up, they override the TTL values. Now, imagine one
> of your customers' mailservers ending up in a DNSBL just due to some
> worm spitting out spam; after a couple of hours the folks at your customer
> site manage to fix things and to remove the entry from the DNSBL but,
> since you are using OpenDNS, the entry will still be cached and you'll
> be rejecting the emails
>
> Cool huh ?

Interesting. Another reason why DNS injection is not a good thing. DNS is the underlying glue (pun intended) that holds the Internet together. Messing with it is never a good thing. FWIW the first thing I do when taking on a new client is to make sure their DNS is not using any forwarders.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
From: ObiWan [MVP] on 28 Dec 2009 12:44

> I never used ODNS, so this is new to me. Understanding DNS and its
> processes, this kind of tells me why would anyone use it? Same with
> the DNSBL service.

It's easy, Ace, lemme put it plain; let's use spamhaus as the DNSBL.

You run a mailserver and your own DNS (no forwarders); your mailserver uses "zen.spamhaus.org" as one of the DNSBLs. Upon incoming connections, your mailserver (the IMF in this case) runs a query against the auth DNS for "zen.spamhaus.org" to check if the connecting IP is blacklisted.

The auth DNS servers for the spamhaus zone see your IP and keep track of the queries you issue, so, if your query/time ratio goes over a given limit, they suddenly start answering an NXDOMAIN to further queries.

The above never happens to you since your email volume is under the limit (which is quite high), so you will never see such a behaviour; otherwise, in case you'll be facing such an issue, this would mean that you'll need to purchase an account with spamhaus... anyways...

Let's look at the above scenario, but let's say you use the opendns servers as your forwarders; your DNS, along with some thousands of other systems, is using the ODNS resolvers, so the spamhaus auth DNS will see the queries coming from the ODNS IPs and not from your own one. This means that the rate limiter will quickly kick in for the ODNS IPs and this in turn will render the DNSBL queries useless.

> Thanks to Susan, I'm glad you jumped in on this thread. It helped
> understand what is going on. :-)

Hehe... she posted a note elsewhere and at first I didn't realize it was related to an NG thread, but when I realized that and saw your name I immediately jumped in :D

> A belated Merry Christmas to you and yours, and a Happy New Year!

ditto :D !!!!
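The failure mode ObiWan describes is nasty precisely because, to the mail server, "rate limited" (NXDOMAIN) looks identical to "not listed". The following is an added example, not code from the thread or from Spamhaus: it builds the reversed-octet DNSBL query name, decodes the answer, and uses the permanent 127.0.0.2 test entry as a canary so a silently dead DNSBL is noticed instead of quietly passing all mail. The resolver is injected (a constructed lookup table stands in for real DNS), so it runs offline. The 127.255.255.x error codes are the ones Spamhaus documents today; the thread, from 2009, describes the earlier behaviour of simply answering NXDOMAIN, which is the RATE_LIMITED scenario below.

```python
"""DNSBL client-side handling: query-name construction, answer decoding and a
canary that catches the silent NXDOMAIN failure described in the thread.
Added example; the resolver is injected so everything runs offline."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Verdicts handed to the mail server's policy layer.
LISTED, NOT_LISTED, INCONCLUSIVE = "listed", "not_listed", "inconclusive"

# Spamhaus's documented error return codes; they are answers about the
# *query*, not about the client IP, and must never be read as "listed".
ERROR_CODES = {
    "127.255.255.252": "invalid query name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive queries from this resolver IP",
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver returns the A records for a name, None for NXDOMAIN, and raises
# TimeoutError on SERVFAIL/timeout. Real code would wrap a DNS library here.
Resolver = Callable[[str], Optional[List[str]]]
Verdict = Tuple[str, str]


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """'192.0.2.10' + 'zen.spamhaus.org' -> '10.2.0.192.zen.spamhaus.org'."""
    ip = ipaddress.IPv4Address(client_ip)  # rejects garbage and IPv6
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def decode_answers(answers: List[str]) -> Verdict:
    """Turn the A records of a DNSBL reply into a verdict and a reason."""
    for a in answers:
        if a in ERROR_CODES:
            return INCONCLUSIVE, ERROR_CODES[a]
        # Genuine DNSBL answers live in 127.0.0.0/8. Anything else means the
        # resolver path rewrote the reply (e.g. an ISP injecting a search page
        # for NXDOMAIN), so the result says nothing about the client.
        if ipaddress.IPv4Address(a) not in LOOPBACK:
            return INCONCLUSIVE, "non-loopback answer " + a
    return LISTED, "codes " + ",".join(answers)


def check_dnsbl(client_ip: str, resolve: Resolver,
                zone: str = "zen.spamhaus.org") -> Verdict:
    """Look up one connecting IP. INCONCLUSIVE must fail open (accept or
    tempfail), never be treated as a listing."""
    try:
        answers = resolve(dnsbl_query_name(client_ip, zone))
    except TimeoutError:
        return INCONCLUSIVE, "timeout"
    if not answers:
        return NOT_LISTED, "NXDOMAIN"
    return decode_answers(answers)


def dnsbl_is_healthy(resolve: Resolver, zone: str = "zen.spamhaus.org") -> bool:
    """DNSBLs carry 127.0.0.2 as a permanent test entry. When even that lookup
    comes back NXDOMAIN or an error code, the zone is not answering us (rate
    limited, blocked, or unreachable) and every NOT_LISTED is meaningless."""
    verdict, _ = check_dnsbl("127.0.0.2", resolve, zone)
    return verdict == LISTED


def make_stub(table: Dict[str, List[str]]) -> Resolver:
    """Constructed stand-in for a resolver: names absent from the table are NXDOMAIN."""
    return lambda name: table.get(name)


TEST_ENTRY = "2.0.0.127.zen.spamhaus.org"
CLIENT = "10.2.0.192.zen.spamhaus.org"  # the reversed form of 192.0.2.10

# Constructed scenarios, not captured traffic.
HEALTHY = make_stub({TEST_ENTRY: ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
                     CLIENT: ["127.0.0.2"]})
RATE_LIMITED = make_stub({})                      # the thread's case: all NXDOMAIN
VIA_PUBLIC_RESOLVER = make_stub({TEST_ENTRY: ["127.255.255.254"],
                                 CLIENT: ["127.255.255.254"]})
INJECTING_ISP = make_stub({TEST_ENTRY: ["127.0.0.2"],
                           CLIENT: ["198.51.100.7"]})  # NXDOMAIN rewritten

if __name__ == "__main__":
    for label, r in [("healthy", HEALTHY), ("rate limited", RATE_LIMITED),
                     ("public resolver", VIA_PUBLIC_RESOLVER),
                     ("injecting ISP", INJECTING_ISP)]:
        print(f"{label:16} healthy={dnsbl_is_healthy(r)!s:5} "
              f"192.0.2.10 -> {check_dnsbl('192.0.2.10', r)}")
```

Run the canary periodically (and before trusting a burst of NOT_LISTED results); the moment it stops returning LISTED, the mail server should alert rather than keep accepting everything. The "non-loopback answer" branch is the counterpart to Kerry's DNS-injection point: a resolver that rewrites NXDOMAIN turns every "not listed" into a bogus public IP, and treating that as a listing would reject all mail.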
From: ObiWan [MVP] on 28 Dec 2009 12:47

> Interesting. Another reason why DNS injection is not a good thing.
> DNS is the underlying glue (pun intended) that holds the Internet
> together. Messing with it is never a good thing. FWIW the first thing
> I do when taking on a new client is to make sure their DNS is not
> using any forwarders.

As I wrote, the use of forwarders makes sense in SOME cases, but in general, if you have a DNS server it's better setting it up as a full resolver w/o using ANY forwarders at all; more, if we're talking about a LAN, the firewall should be configured to BLOCK *all* DNS queries coming from the internal network and going toward external DNS servers. Such queries should ONLY be allowed to the DNS server(s) sitting on the LAN; this means blocking any outbound traffic toward port 53/udp and 53/tcp and allowing it only from the DNS server(s).
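The egress rule ObiWan describes is worth keeping as something you can both generate and verify from one allow-list. The block below is an added example, not code from the thread: it emits an nftables forward-chain fragment that lets only the LAN resolver(s) reach port 53 on the WAN, and it audits firewall log lines against the same policy to find hosts that are bypassing the internal resolver (for instance a workstation pointed straight at OpenDNS). The log lines are constructed in iptables LOG-style key=value form, the interface names and the 10.0.0.0/8 LAN are assumptions, and the thread's own gateway is an SBS box, not a Linux firewall, so treat the rule syntax as an illustration of the policy rather than a drop-in config.

```python
"""Egress DNS policy as a checkable artifact: generate the firewall rules and
audit firewall logs against the same allow-list. Added example, not from
the thread; log lines are constructed in iptables LOG-style key=value form."""
import ipaddress
import re
from typing import Iterable, List, Tuple

KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> dict:
    """'IN=eth1 OUT=eth0 SRC=10.0.0.23 ... DPT=53' -> {'IN': 'eth1', ...}."""
    return dict(KV.findall(line))


def dns_egress_violations(lines: Iterable[str], lan_resolvers: Iterable[str],
                          lan_net: str = "10.0.0.0/8") -> List[Tuple[str, str, str]]:
    """Return (src, dst, proto) for every port-53 flow that left the LAN from
    a host other than the LAN's own resolver(s)."""
    lan = ipaddress.ip_network(lan_net)
    allowed = {ipaddress.ip_address(r) for r in lan_resolvers}
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("DPT") != "53" or rec.get("PROTO") not in ("UDP", "TCP"):
            continue
        src = ipaddress.ip_address(rec["SRC"])
        dst = ipaddress.ip_address(rec["DST"])
        if dst in lan:
            continue            # a client asking the LAN resolver: expected
        if src in allowed:
            continue            # the resolver recursing to the Internet: expected
        hits.append((str(src), str(dst), rec["PROTO"]))
    return hits


def nft_dns_egress_rules(lan_resolvers: Iterable[str], wan_if: str = "eth0") -> List[str]:
    """nftables forward-chain rules implementing the policy: the resolver(s)
    may reach port 53 on the WAN, everyone else is logged and dropped.
    Interface name and table layout are assumptions."""
    rules = ["table inet filter {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for r in lan_resolvers:
        for proto in ("udp", "tcp"):
            rules.append(f'    oifname "{wan_if}" ip saddr {r} {proto} dport 53 accept')
    for proto in ("udp", "tcp"):
        rules.append(f'    oifname "{wan_if}" {proto} dport 53 log prefix "dns-egress: " drop')
    rules += ["  }", "}"]
    return rules


# Constructed sample; 10.0.0.2 is the LAN's resolver, 208.67.222.222 is
# OpenDNS, 198.51.100.53 stands in for some external authoritative server.
SAMPLE_LOG = [
    "IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=198.51.100.53 PROTO=UDP SPT=40101 DPT=53",
    "IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=208.67.222.222 PROTO=UDP SPT=51234 DPT=53",
    "IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.80 PROTO=TCP SPT=51235 DPT=443",
    "IN=eth1 OUT=eth1 SRC=10.0.0.45 DST=10.0.0.2 PROTO=UDP SPT=33333 DPT=53",
    "IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=8.8.8.8 PROTO=TCP SPT=44444 DPT=53",
]
LAN_RESOLVERS = ["10.0.0.2"]

if __name__ == "__main__":
    for src, dst, proto in dns_egress_violations(SAMPLE_LOG, LAN_RESOLVERS):
        print(f"{src} bypassed the LAN resolver: {proto} to {dst}:53")
    print("\n".join(nft_dns_egress_rules(LAN_RESOLVERS)))
```

Both 53/udp and 53/tcp are covered, as the post asks, since a client that cannot reach UDP will happily retry over TCP. The audit is the cheap way to find the hosts (and the forwarder settings) that would otherwise be silently broken the day the drop rule goes in.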
From: Leythos on 28 Dec 2009 13:35
In article <u$oumX#hKHA.5020(a)TK2MSFTNGP02.phx.gbl>, obiwan(a)mvps.org says...
>
>> Interesting. Another reason why DNS injection is not a good thing.
>> DNS is the underlying glue (pun intended) that holds the Internet
>> together. Messing with it is never a good thing. FWIW the first thing
>> I do when taking on a new client is to make sure their DNS is not
>> using any forwarders.
>
> As I wrote, the use of forwarders makes sense in SOME cases, but
> in general, if you have a DNS server it's better setting it up as a full
> resolver w/o using ANY forwarders at all; more, if we're talking about
> a LAN, the firewall should be configured to BLOCK *all* DNS queries
> coming from the internal network and going toward external DNS
> servers, such queries should ONLY be allowed to the DNS server(s)
> sitting on the LAN; this means blocking any outbound traffic toward
> port 53/udp and 53/tcp and allowing it only from the DNS server(s)

We block all DNS queries from all nodes except the DNS server - that would be the SBS box itself.

Interesting question - SBS and a separate Terminal Server using OpenDNS for web site filtering. Since the forwarders have to use ODNS's DNS servers, how would you have SBS not be seen as originating from ODNS when doing RBL checks while still using ODNS for web blocking?

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)