Re: Minimum TTL?
On 2018-02-10 (12:15 MST), Barry Margolin wrote:

> Just because you have the right to do something doesn't mean it's a
> reasonable thing to do.

No one has made an argument that would imply this is not reasonable.

> And if you're offering a service, you have responsibilities to your customers
> in addition to rights. They likely have expectations of the quality of your
> service. Sure, you have the right to disappoint them, but do you really want
> to do that intentionally if you have alternatives?

I don't think anyone is expecting that respecting a 1-4s TTL is part of a service arrangement.

-- 
Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Minimum TTL?
On 02/10/2018 12:15 PM, Barry Margolin wrote:
> Just because you have the right to do something doesn't mean it's a
> reasonable thing to do.

I never meant to imply that it was the reasonable thing to do. I meant to imply that it is my choice how I run my servers.

> And if you're offering a service, you have responsibilities to your customers
> in addition to rights. They likely have expectations of the quality of your
> service. Sure, you have the right to disappoint them, but do you really want
> to do that intentionally if you have alternatives?

Part of what my customers paid me to do for 15 years was to run the network the way that I thought was best. In other words, they were paying me for my professional opinion. Granted, it behooved me to make sure that my opinion took into account their needs.

That being said, I would tell at least one client a year, "I'll do that if you tell me that's what you want. However, my better judgment says to do otherwise." That's when conversations would ensue and usually one or the other of us would change our opinion. Usually it was because one or both of us did not have all the information. Sometimes it was me, sometimes it was them. But we did trust each other and respect each other's opinion, particularly when it diverged from the beaten path.

-- 
Grant. . . .
unix || die
Re: Minimum TTL?
>>>> But to answer your question, off-hand, I'd say that any TTL under 60s is
>>>> suspicious and any TTL under 10s is almost certainly intentionally
>>>> abusive.
>>>
>>> On 09.02.18 23:11, John Levine wrote:
>>> I hope you're not planning to do much spam filtering.
>>
>> On Sat, Feb 10, 2018 at 2:42 PM, Matus UHLAR - fantomas wrote:
>> do you have any evidence where enforcing a 5s minimum leads to serious
>> problems?

On 10.02.18 19:41, Warren Kumari wrote:
> Ok, so I've never used forwarders (actually, that's not strictly true; I've
> used them twice, but it was to work around weird issues, and I felt dirty),
> but couldn't increasing the TTL cause stupid configuration issues to become
> immortal RRs?

we are talking about min-ttl around 10 seconds.

> I've seen a number of instances where people who *do* forward manage to make
> a loop - this works just fine under normal conditions (at least with BIND's
> default of "forward first"): resolver A gets a question for an answer not in
> its cache, it asks B, B asks A, after a few rounds this hits the forward
> timeout, and one of them recurses to find the answer. Now the pair (or
> pathologically, group) has the answer, and this will decay, just like any
> other TTL. Eventually it expires, you get a brief spike as they both ask each
> other, and the process repeats.
>
> If TTLs were capped to a minimum, A would time it out, and ask B. B will
> respond with e.g. 4 seconds, and A will bump that back up to 5. 4 seconds
> later, B will time out, and will ask A. A still has 1 second left, so it
> answers with 1. B helpfully bumps that back to 5, 1 second later, A expires,
> and forwards to B, ...
>
> Now, I'm guessing that I'm missing something obvious here (more than "Well,
> don't forward and minimum cap TTLs!" and / or "Don't make loops of
> forwarders, it's silly"), but I'm not sure what...

OTOH, I have encountered a case where a CISCO ALG changed A records and set TTL to 0; later the admin was complaining about a huge number of DNS queries causing high load on the router...

there are many ways to fsck things up, and many ways to avoid that.
forcing min-ttl is a way to avoid one, although it can cause what you describe.
But I do not create loops and would like a possibility to avoid the latter case.

Note that I am able to configure BIND to avoid loops, but I can't affect the CISCO ALG ...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Minimum TTL?
Ok, so I've never used forwarders (actually, that's not strictly true; I've used them twice, but it was to work around weird issues, and I felt dirty), but couldn't increasing the TTL cause stupid configuration issues to become immortal RRs?

I've seen a number of instances where people who *do* forward manage to make a loop - this works just fine under normal conditions (at least with BIND's default of "forward first"): resolver A gets a question for an answer not in its cache, it asks B, B asks A, after a few rounds this hits the forward timeout, and one of them recurses to find the answer. Now the pair (or pathologically, group) has the answer, and this will decay, just like any other TTL. Eventually it expires, you get a brief spike as they both ask each other, and the process repeats.

If TTLs were capped to a minimum, A would time it out, and ask B. B will respond with e.g. 4 seconds, and A will bump that back up to 5. 4 seconds later, B will time out, and will ask A. A still has 1 second left, so it answers with 1. B helpfully bumps that back to 5, 1 second later, A expires, and forwards to B, ...

Now, I'm guessing that I'm missing something obvious here (more than "Well, don't forward and minimum cap TTLs!" and / or "Don't make loops of forwarders, it's silly"), but I'm not sure what...

W

On Sat, Feb 10, 2018 at 2:42 PM, Matus UHLAR - fantomas wrote:
>>> But to answer your question, off-hand, I'd say that any TTL under 60s is
>>> suspicious and any TTL under 10s is almost certainly intentionally
>>> abusive.
>
> On 09.02.18 23:11, John Levine wrote:
>> I hope you're not planning to do much spam filtering.
>
> do you have any evidence where enforcing a 5s minimum leads to serious
> problems?
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them

-- 
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
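The forwarder-loop scenario Warren describes, played out as an added toy simulation (this is not code from the thread or from BIND): two resolvers forward to each other, a loop that hits the forward timeout makes the resolver recurse on its own, and an optional minimum-TTL clamp rounds every cached answer up. The authoritative TTL of 10 s, the 5 s clamp and the moment at which B restarts with a cold cache are assumptions chosen to reproduce the ping-pong in the post.

```python
# Toy discrete-time model of two resolvers that forward to each other
# (BIND-style "forward first"), with an optional minimum-TTL clamp.
# Constructed example; the numbers are assumptions, not measurements.

AUTH_TTL = 10       # TTL the authoritative server publishes (assumed)
FORWARD_HOPS = 2    # forward hops before the loop "times out" and the
                    # resolver that hit the timeout recurses on its own


class Resolver:
    def __init__(self, name, min_ttl=0):
        self.name = name
        self.min_ttl = min_ttl     # 0 = honour TTLs exactly as received
        self.peer = None           # the forwarder this resolver points at
        self.expiry = None         # absolute time the cached RR expires
        self.auth_lookups = 0      # how often we actually asked the authority

    def resolve(self, now, hops=0):
        """Return the TTL this resolver hands out for the record at `now`."""
        if self.expiry is not None and self.expiry > now:
            return self.expiry - now          # cache hit: remaining TTL
        if hops < FORWARD_HOPS:
            ttl = self.peer.resolve(now, hops + 1)   # forward first
        else:
            self.auth_lookups += 1            # loop timed out: recurse ourselves
            ttl = AUTH_TTL
        ttl = max(ttl, self.min_ttl)          # the min-TTL clamp under discussion
        self.expiry = now + ttl
        return ttl


def simulate(min_ttl, seconds=60, b_restart=7):
    """Clients query A every second from t=0; B restarts with an empty
    cache at t=b_restart and is queried every second after that.
    Returns how many times the authority was consulted in total."""
    a, b = Resolver("A", min_ttl), Resolver("B", min_ttl)
    a.peer, b.peer = b, a                     # the forwarding loop
    for now in range(seconds):
        if now == b_restart:
            b.expiry = None                   # B comes back with a cold cache
        a.resolve(now)
        if now >= b_restart:
            b.resolve(now)
    return a.auth_lookups + b.auth_lookups


if __name__ == "__main__":
    # No clamp: the pair re-fetches every AUTH_TTL seconds (6 times in 60 s).
    # min_ttl=5: the stale record is bumped back and forth forever.
    print("honour TTLs :", simulate(0))   # 6
    print("min-ttl 5   :", simulate(5))   # 1
```

With the clamp the authority is consulted exactly once no matter how long the simulation runs, which is the "immortal RR" effect the post worries about; the detection signal on a real resolver would be a record whose cached TTL never drops below the configured minimum while the upstream zone has long since changed.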
Re: Minimum TTL?
In article you write:
> The target, instead of very quickly rejecting the spam because of the
> lack of a domain or the lack of DNS, instead has to deal with thousands
> of different IPs.

That's not how spam filters work. They do filtering based on the IP address sending the spam and maybe the rDNS. It makes no difference whatsoever if there is some other random A record pointing at the spamming host. You can't even tell.

>> Botnets are computers with IP addresses. They don't need DNS pointing
>> at them to send spam.
>
> They do to send spam to any mail admin with even half a brain who would
> not accept unauthenticated mail from an IP without an actual domain
> attached.

The half a brain generally requires forward and reverse DNS to match before using them. If you know a way to do fast flux rDNS on botnets, I know a lot of people who'd like to talk to you.

R's,
John
Re: Minimum TTL?
In article , Grant Taylor wrote:

> On 02/09/2018 09:37 AM, Barry Margolin wrote:
>> As long as you understand the implications of what you're doing?
>
> I don't think my level of understanding has any impact on my ability to
> override what the zone publisher sets the desired TTL (or any value) to be.
>
> I have the right to run my network the way that I want to, even in my
> ignorance or while shooting myself in the foot.

Just because you have the right to do something doesn't mean it's a reasonable thing to do.

And if you're offering a service, you have responsibilities to your customers in addition to rights. They likely have expectations of the quality of your service. Sure, you have the right to disappoint them, but do you really want to do that intentionally if you have alternatives?

-- 
Barry Margolin
Arlington, MA
Re: Minimum TTL?
On 2018-02-09 (21:11 MST), John Levine wrote:

> In article you write:
>> For the record, the issue is not RBLs or legitimate domains, it is
>> spammer scum that set super-low DNS because they are shotgunning spam
>> from a vast botnet and they want to have maximal impact, so you get a
>> different IP for every spam they send. It is a way of trying to
>> overwhelm a machine's tarpits, blacklists, sshguard protections, and
>> others.
>
> Um, you have it completely backward.

No, I don't. As I explained upthread, the mechanism works something like this.

Buy garbage domain. Set up DNS with a TTL of 1s and have the IP change to random machines on your botnet. Spew spam at a single mail server. The target, instead of very quickly rejecting the spam because of the lack of a domain or the lack of DNS, instead has to deal with thousands of different IPs. Every one of those is going to hit scammer scum's DNS servers. At some point those thousands (tens of thousands? hundreds of thousands?) of requests are going to have a serious impact on your mail server.

Meanwhile, you are giving spammer scum a lot of information about how much traffic your server can deal with since they can easily see when your responses start to slow down.

> Botnets are computers with IP addresses. They don't need DNS pointing at
> them to send spam.

They do to send spam to any mail admin with even half a brain who would not accept unauthenticated mail from an IP without an actual domain attached.

> I hope you're not planning to do much spam filtering.

A 5s TTL will not have an appreciable effect on RBLs.

-- 
If you mixed vodka with orange juice and Milk Of Magnesia, would you get a Philip's Screwdriver?
Re: Minimum TTL?
> But to answer your question, off-hand, I'd say that any TTL under 60s is
> suspicious and any TTL under 10s is almost certainly intentionally
> abusive.

On 09.02.18 23:11, John Levine wrote:
> I hope you're not planning to do much spam filtering.

do you have any evidence where enforcing a 5s minimum leads to serious problems?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them