Re: [Asrg] RFC 6471 and "listing the Internet" as a punishment

Dave Warren <lists@hireahit.com> Sat, 28 January 2012 00:51 UTC

Return-Path: <prvs=1374dfe299=lists@hireahit.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D11E21F8592 for <asrg@ietfa.amsl.com>; Fri, 27 Jan 2012 16:51:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.742
X-Spam-Level:
X-Spam-Status: No, score=-1.742 tagged_above=-999 required=5 tests=[AWL=-0.556, BAYES_40=-0.185, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U968FWnJtrUY for <asrg@ietfa.amsl.com>; Fri, 27 Jan 2012 16:51:46 -0800 (PST)
Received: from vinny.hireahit.com (vinny.hireahit.com [72.51.42.137]) by ietfa.amsl.com (Postfix) with ESMTP id 6753C21F8578 for <asrg@irtf.org>; Fri, 27 Jan 2012 16:51:46 -0800 (PST)
Received: from [172.24.0.104] by hireahit.com (vinny.hireahit.com) (SecurityGateway 2.0.7) with SMTP id SG001560246.MSG for <asrg@irtf.org>; Fri, 27 Jan 2012 16:51:35 -0800
Message-ID: <4F234693.8030809@hireahit.com>
Date: Fri, 27 Jan 2012 16:51:31 -0800
From: Dave Warren <lists@hireahit.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120124 Thunderbird/10.0
MIME-Version: 1.0
To: asrg@irtf.org
References: <18B53BA2A483AD45962AAD1397BE13253846E0FE87@UK-EXCHMBX1.green.sophos> <6.2.5.6.2.20120125102806.0ae6afe8@resistor.net> <4F2056AC.9060401@hireahit.com> <6.2.5.6.2.20120125114411.0c099da8@resistor.net> <4F207029.3030501@mail-abuse.org> <6.2.5.6.2.20120125145006.0b057ce8@resistor.net> <4F208F97.10701@pscs.co.uk> <7B134912-5A3A-4BC7-B04A-D80D57068236@blighty.com>
In-Reply-To: <7B134912-5A3A-4BC7-B04A-D80D57068236@blighty.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-SGOP-RefID: fgs=0 (_st=1 _vt=0 _iwf=0)
Subject: Re: [Asrg] RFC 6471 and "listing the Internet" as a punishment
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jan 2012 00:51:47 -0000

(I'm a bit late getting back to this, my apologies)

On 1/25/2012 4:08 PM, Steve Atkins wrote:

> (Queries to DNSBLs and similar trees - e.g. in-addr.arpa - do damage that somewhat, by creating a large number of different queries few of which are reused, hence tending to evict higher value records from the cache. But that's orthogonal to what we're discussing here, really.)

And, one might argue, an artifact of poor cache expiry policies. At 
least in my version of an ideal world, I'd want to keep records in the 
cache based on frequency of use over nearly anything else (within the 
TTL lifetime, of course).

However, in the context of DNSBLs, you may well have the same problem as 
in-addr.arpa in that there are a lot of records that will have limited 
cache re-use. Still, if a DNSBL is overloaded, increasing TTLs and 
encouraging (rather than discouraging or prohibiting) use of public 
caches would probably decrease load on the DNSBL servers.

For example, with a DNSBL negative-caching at, say, 150 seconds, my 
servers check Gmail's outbound IPs for DNSBL listings, on average, every 
180 seconds or so. Were I and 10 of my best friends running similarly 
sized mail servers to start querying 8.8.8.8 instead of using our own 
internal resolvers, a DNSBL might see one hit every 150 seconds instead 
of 1 every 18 seconds (10 every 180 seconds).

Now that being said, as a matter of practice I wouldn't suggest we start 
suggesting mail server operators start using Google's public DNS as 
their primary DNS. However, the reality of it is that the majority of 
people hit by "listing the Internet for over-quota usage" policies were 
using shared (or public) DNS resolvers; most weren't actually hitting 
any sort of limit due to their own traffic.

Obviously if a DNSBL keeps their TTLs (positive and negative) too low 
then aggregating queries does little good, and there does need to be 
some level of responsiveness. However, if a DNSBL recommends an hourly or 
daily rsync for rsync users, that might suggest a starting point for TTLs.

At the end of the day though, it's not about stopping abuse or people 
hammering the DNSBLs, but rather, it's about making it more convenient 
for larger players to pay money for a valuable service. That's not 
really unfair, and the freemium model is always a complicated one with 
potential holes for abuse, but it's disingenuous to declare that 
listing-the-internet is the only way to cut down query volume.

-- 
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
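The query-aggregation argument in the message above (ten similarly sized mail servers, a 150 s negative-cache TTL, one check per 180 s each) and the follow-on point that a too-short TTL makes pooling useless, as an added simulation that is not part of the original post. The 150 s and 180 s figures come from the message; the evenly spaced server start times are a constructed assumption.

```python
"""Upstream DNSBL query load: per-server resolvers versus one shared cache.

Added example, not code from the original post. The 150 s negative-cache TTL
and one check per 180 s per mail server are the figures quoted in the message;
the evenly spaced server start times are a constructed assumption.
"""
from collections import defaultdict


def upstream_queries(n_servers, ttl, interval, horizon, shared):
    """Count lookups that reach the DNSBL during `horizon` seconds.

    Every server re-checks the same name every `interval` seconds, starting at
    a fixed offset. A resolver answers from cache while its copy of the record
    is younger than `ttl`; otherwise it forwards the query upstream and caches
    the answer (positive or negative) for `ttl` seconds.
    """
    offsets = [(i * interval) // n_servers for i in range(n_servers)]
    events = []  # (time, server) for every check inside the horizon
    for server, offset in enumerate(offsets):
        t = offset
        while t < horizon:
            events.append((t, server))
            t += interval
    events.sort()

    expires = defaultdict(lambda: -1)  # resolver id -> cache expiry time
    hits = 0
    for t, server in events:
        resolver = "shared" if shared else server
        if expires[resolver] > t:
            continue  # answered from cache; the DNSBL never sees it
        hits += 1
        expires[resolver] = t + ttl
    return hits


def seconds_per_upstream_query(n_servers, ttl, interval, horizon, shared):
    """Average gap between queries the DNSBL actually receives."""
    hits = upstream_queries(n_servers, ttl, interval, horizon, shared)
    return horizon / hits if hits else float("inf")


if __name__ == "__main__":
    day = 24 * 3600
    for ttl in (10, 150, 3600):
        own = seconds_per_upstream_query(10, ttl, 180, day, shared=False)
        pooled = seconds_per_upstream_query(10, ttl, 180, day, shared=True)
        print(f"TTL {ttl:5d}s: own resolvers 1 query/{own:6.1f}s, "
              f"shared cache 1 query/{pooled:6.1f}s")
```

With a 10 s TTL the shared cache never answers a second server's check, so pooling buys nothing; at 150 s the ten servers collapse to roughly one upstream query per TTL period, matching the message's estimate.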