Re: Minimum TTL?

2018-02-10 Thread @lbutlr
On 2018-02-10 (12:15 MST), Barry Margolin  wrote:
> 
> Just because you have the right to do something doesn't mean it's a 
> reasonable thing to do.

No one has made an argument that would imply this is not reasonable.

> And if you're offering a service, you have responsibilities to your customers 
> in addition to rights. They likely have expectations of the quality of your 
> service. Sure, you have the right to disappoint them, but do you really want 
> to do that intentionally if you have alternatives?

I don't think anyone is expecting that respecting a 1-4s TTL is part of a 
service arrangement.


-- 
Outside of a dog, a book is a man's best friend. Inside of a dog, it's
too dark to read.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Minimum TTL?

2018-02-10 Thread Grant Taylor via bind-users

On 02/10/2018 12:15 PM, Barry Margolin wrote:
> Just because you have the right to do something doesn't mean it's a
> reasonable thing to do.


I never meant to imply that it was the reasonable thing to do.

I meant to imply that it is my choice how I run my servers.

> And if you're offering a service, you have responsibilities to your
> customers in addition to rights. They likely have expectations of the
> quality of your service. Sure, you have the right to disappoint them,
> but do you really want to do that intentionally if you have alternatives?


Part of what my customers paid me to do for 15 years was to run the 
network the way that I thought was best.  In other words, they were 
paying me for my professional opinion.


Granted, it behooved me to make sure that my opinion took into account 
their needs.  That being said, I would tell at least one client a year, 
"I'll do that if you tell me that's what you want.  However my better 
judgment says to do otherwise."  That's when conversations would ensue 
and usually one or the other of us would change our opinion.  Usually it 
was because one or both of us did not have all the information. 
Sometimes it was me, sometimes it was them.  But we did trust each other 
and respect each other's opinion, particularly when it diverged from the 
beaten path.




--
Grant. . . .
unix || die




Re: Minimum TTL?

2018-02-10 Thread Matus UHLAR - fantomas

>>>> But to answer your question, off-hand, I'd say that any TTL under 60s is
>>>> suspicious and any TTL under 10s is almost certainly intentionally
>>>> abusive.



>> On 09.02.18 23:11, John Levine wrote:
>>> I hope you're not planning to do much spam filtering.



> On Sat, Feb 10, 2018 at 2:42 PM, Matus UHLAR - fantomas wrote:
>> do you have any evidence where enforcing a 5s minimum leads to serious
>> problems?


On 10.02.18 19:41, Warren Kumari wrote:
> Ok, so I've never used forwarders (actually, that's not strictly true;
> I've used them twice, but it was to work around weird issues, and I
> felt dirty), but couldn't increasing the TTL cause stupid
> configuration issues to become immortal RRs?


we are talking about min-ttl around 10 seconds.


> I've seen a number of instances where people who *do* forward manage
> to make a loop - this works just fine under normal conditions (at
> least with BIND's default of "forward first" - resolver A gets a
> question for an answer not in its cache, it asks B, B asks A, after a
> few rounds this hits the forward timeout, and one of them recurses to
> find the answer. Now the pair (or pathologically, group) has the
> answer, and this will decay, just like any other TTL. Eventually it
> expires, you get a brief spike as they both ask each other, and the
> process repeats.
>
> If TTLs were capped to a minimum, A would time it out, and ask B. B
> will respond with e.g. 4 seconds, and A will bump that back up to 5. 4
> seconds later, B will time out, and will ask A. A still has 1 second
> left, so it answers with 1. B helpfully bumps that back to 5, 1 second
> later, A expires, and forwards to B, ...
>
> Now, I'm guessing that I'm missing something obvious here (more than
> "Well, don't forward and minimum cap TTLs!" and / or "Don't make loops
> of forwarders, it's silly"), but I'm not sure what...


OTOH, I have encountered a case where a CISCO ALG changed A records and set TTL
to 0, later the admin was complaining about a huge number of DNS queries causing
high load on the router...

there are many ways to fsck things up, and many ways to avoid that.
forcing min-ttl is a way to avoid one, although it can cause what you
describe. But I do not create loops and would like a possibility to avoid
the latter case.

Note that I am able to configure BIND to avoid loops, but I can't affect
CISCO ALG ...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: Minimum TTL?

2018-02-10 Thread Warren Kumari
Ok, so I've never used forwarders (actually, that's not strictly true;
I've used them twice, but it was to work around weird issues, and I
felt dirty), but couldn't increasing the TTL cause stupid
configuration issues to become immortal RRs?

I've seen a number of instances where people who *do* forward manage
to make a loop - this works just fine under normal conditions (at
least with BIND's default of "forward first" - resolver A gets a
question for an answer not in its cache, it asks B, B asks A, after a
few rounds this hits the forward timeout, and one of them recurses to
find the answer. Now the pair (or pathologically, group) has the
answer, and this will decay, just like any other TTL. Eventually it
expires, you get a brief spike as they both ask each other, and the
process repeats.

If TTLs were capped to a minimum, A would time it out, and ask B. B
will respond with e.g. 4 seconds, and A will bump that back up to 5. 4
seconds later, B will time out, and will ask A. A still has 1 second
left, so it answers with 1. B helpfully bumps that back to 5, 1 second
later, A expires, and forwards to B, ...

Now, I'm guessing that I'm missing something obvious here (more than
"Well, don't forward and minimum cap TTLs!" and / or "Don't make loops
of forwarders, it's silly"), but I'm not sure what...

W

On Sat, Feb 10, 2018 at 2:42 PM, Matus UHLAR - fantomas wrote:
>>> But to answer your question, off-hand, I'd say that any TTL under 60s is
>>> suspicious and any TTL under 10s is almost certainly intentionally
>>> abusive.
>
>
> On 09.02.18 23:11, John Levine wrote:
>>
>> I hope you're not planning to do much spam filtering.
>
>
> do you have any evidence where enforcing a 5s minimum leads to serious
> problems?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
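The A/B ping-pong described in this post (and quoted in Matus's reply above), as an added simulation that is not from the thread or from BIND: two caches forward to each other, clients query each once a second, and the run counts how often the authoritative server gets asked with and without a 5 s minimum-TTL clamp. The `Resolver`/`lookup`/`simulate` names and the shortcut that a double miss goes straight to the authority are my assumptions.

```python
"""Constructed model of two caching resolvers that forward to each other (a
forwarding loop), run with and without a minimum-TTL clamp.  Assumed
simplification: on a double miss the second resolver recurses to authority."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resolver:
    name: str
    min_ttl: int                      # 0 means honour the TTL as received
    expires_at: Optional[int] = None  # absolute second at which the RR dies

    def remaining(self, now: int) -> Optional[int]:
        """Seconds left on the cached record, or None if absent/expired."""
        if self.expires_at is None or self.expires_at <= now:
            return None
        return self.expires_at - now

    def store(self, now: int, ttl: int) -> None:
        """Cache the record; the clamp bumps short TTLs back up to min_ttl."""
        self.expires_at = now + max(ttl, self.min_ttl)


def lookup(me: Resolver, peer: Resolver, now: int, auth_ttl: int,
           stats: dict, forwarded: bool = False) -> int:
    """Serve a client query at `me`; returns the TTL handed to the client."""
    left = me.remaining(now)
    if left is not None:
        return left                   # cache hit: answer with remaining TTL
    if not forwarded:                 # cache miss: forward to the peer
        ttl = lookup(peer, me, now, auth_ttl, stats, forwarded=True)
    else:                             # peer missed too: ask the authority
        stats["auth_queries"] += 1
        ttl = auth_ttl
    me.store(now, ttl)
    return ttl


def simulate(min_ttl: int, auth_ttl: int = 4, seconds: int = 60) -> int:
    """Query A then B once a second; return how often authority was asked.
    Timeline from the post: B has auth_ttl seconds left when A first asks."""
    a = Resolver("A", min_ttl)
    b = Resolver("B", min_ttl, expires_at=auth_ttl)  # B fetched the RR earlier
    stats = {"auth_queries": 0}
    for now in range(seconds):
        lookup(a, b, now, auth_ttl, stats)
        lookup(b, a, now, auth_ttl, stats)
    return stats["auth_queries"]  # 14 without the clamp, 0 with min_ttl=5
```

`simulate(0)` returns 14 (the authority is consulted every 4 s over the 60 s run) while `simulate(5)` returns 0: with the clamp the two caches keep refreshing each other and the record is never re-fetched, which is the "immortal RR" the post worries about.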


Re: Minimum TTL?

2018-02-10 Thread John Levine
In article  you write:
>The target, instead of very quickly rejecting the spam because of the
>lack of a domain or the lack of DNS, instead has to deal with thousands
>of different IPs.

That's not how spam filters work.  They do filtering based on the IP
address sending the spam and maybe the rDNS.  It makes no difference
whatsoever if there is some other random A record pointing at the
spamming host.  You can't even tell.

>> Botnets are computers with IP addresses.  They don't need DNS pointing
>> at them to send spam.
>
>They do to send spam to any mail admin with even half a brain who would
>not accept unauthenticated mail from an IP without an actual domain
>attached.

The half a brain generally requires forward and reverse DNS to match
before using them.  If you know a way to do fast flux rDNS on botnets,
I know a lot of people who'd like to talk to you.

R's,
John


Re: Minimum TTL?

2018-02-10 Thread Barry Margolin
In article ,
 Grant Taylor  wrote:

> On 02/09/2018 09:37 AM, Barry Margolin wrote:
> > As long as you understand the implications of what you're doing?
> 
> I don't think my level of understanding has any impact on my ability to 
> override what the zone publisher sets the desired TTL (or any value) to be.
> 
> I have the right to run my network the way that I want to, even in my 
> ignorance or while shooting myself in the foot.

Just because you have the right to do something doesn't mean it's a 
reasonable thing to do.

And if you're offering a service, you have responsibilities to your 
customers in addition to rights. They likely have expectations of the 
quality of your service. Sure, you have the right to disappoint them, 
but do you really want to do that intentionally if you have alternatives?

-- 
Barry Margolin
Arlington, MA


Re: Minimum TTL?

2018-02-10 Thread @lbutlr
On 2018-02-09 (21:11 MST), John Levine  wrote:
> 
> In article  you write:
>> For the record, the issue is not RBLs or legitimate domains, it is
>> spammer scum that set super-low DNS because they are shotgunning spam
>> from a vast botnet and they want to have maximal impact, so you get a
>> different IP for every spam they send. It is a way of trying to
>> overwhelm a machine's tarpits, blacklists, sshguard protections, and
>> others.
> 
> Um, you have it completely backward.

No, I don't.

As I explained upthread, the mechanism works something like this.

Buy a garbage domain. Set up DNS with a TTL of 1s and have the IP change to 
random machines on your botnet.

Spew spam at a single mail server.

The target, instead of very quickly rejecting the spam because of the lack of a 
domain or the lack of DNS, instead has to deal with thousands of different IPs.

Every one of those is going to hit scammer scum's DNS servers.

At some point those thousands (tens of thousands? hundreds of thousands?) of 
requests are going to have a serious impact on your mail server. Meanwhile, you 
are giving spammer scum a lot of information about how much traffic your server 
can deal with since they can easily see when your responses start to slow down.

> Botnets are computers with IP addresses.  They don't need DNS pointing at 
> them to send spam.

They do to send spam to any mail admin with even half a brain who would not 
accept unauthenticated mail from an IP without an actual domain attached.

> I hope you're not planning to do much spam filtering.

A 5s TTL will not have an appreciable effect on RBLs.

-- 
If you mixed vodka with orange juice and Milk Of Magnesia, would you get
a Philip's Screwdriver?



Re: Minimum TTL?

2018-02-10 Thread Matus UHLAR - fantomas

>> But to answer your question, off-hand, I'd say that any TTL under 60s is
>> suspicious and any TTL under 10s is almost certainly intentionally
>> abusive.


On 09.02.18 23:11, John Levine wrote:
> I hope you're not planning to do much spam filtering.


do you have any evidence where enforcing a 5s minimum leads to serious
problems?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them