Mr Pilkington
| reply to GOLFnSUN
Re: Public pressure works against prominent compan
Again, allow me to point out that the "zombie networks" would be completely ineffective if a DNS server refused all local MX record requests except from its own mail servers. Regular users have no need for MX lookups except for serving spam.
MX requests from "the world" would be answered only for domains for which the server is authoritative. The only machines that could request any MX record would be those IPs listed in a conf file -- like your mail and web servers for example.
Think about it - it's much less restricting and inconvienent than a blanket filter on port 25. |
|
Matchstick
join:2001-09-08
UK
| Errrm I'm no DNS expert but AIUI, if a SMTP server asks a DNS server for an MX record for which it is non-authoritative, the only way for the DNS server to find the MX record is to request it from a DNS server which *is* authoritative for the domain.
So if this is correct, you HAVE to continue to allow DNS requests for MX records from outside a small ACL of IPs.
And then how can the authoritative DNS server easily tell the difference between a legitimate request from a non-authoritative DNS server and a request direct from a zombied PC ? |
|
pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA
clubs:
| reply to Mr Pilkington
I thought that MX records were for telling SMTP servers where to send the mail.
I'll send a mail to someone at dslreports.com using my ISP
My email client is configured to send stuff to mail.mchsi.com
My email client looks up mail.mchsi.com using my ISP's DNS lookup servers 204.127.202.4 or 216.148.227.68
It either finds it in the cache or tells me to go the dns server for that domain or does it itself (confused on how this part works)
My email client connects to 204.127.203.151 and sends the message
mail.mchsi.com (204.127.203.151) sees that I'm sending something to dslreports.com
mail.mchsi.com (204.127.203.151) looks up the DNS server of dslreports.com or finds it in cache using it's DNS server (probably the same as mine)
It looks to see if there is an MX record and if it finds one it uses it and looks up the IP address of them using DNS because the addresses are URLs
It tries the lowest priority number and goes up until it connects to one
If it doesn't find an MX record it just uses the web server (209.123.109.175)
It connects using one of the methods above and sends it on it's way
This is at least how I understand it.
--
"The bad news is that we are told that Michael Powell, one of Washington's better bureaucrats, is calling it quits today after four years at the helm of the Federal Communications Commission." - WSJ 2005/01/21 |
|
pog
Premium
join:2004-06-03
Kihei, HI
 ·Hawaiian Telcom
| reply to Mr Pilkington
a) compiling and maintaining the required whitelist is not some trivial task. I'd think it's cumbersome/tedious/problematic enough that that alone would deter anyone from going for it.
b) what about the case where an ISP's caching DNS server is used by more than one class of user (ie residential, business users, their own mail servers, etc). How will you decide which request you will honor and which you won't? Perhaps you're thinking to force each mail server into running their own local DNS?
c) this doesn't seem much different than existing firewalling/blocklisting except that your protection is indirect... it wouldn't take much for an attacker to learn the IP address of the intended victim and then feed it manually to the zombies and then... what? The path is clear?
So... no... your approach would be far more ineffective, restrictive and inconvenient than an outbound/off-net block of port 25 traffic which does a better job of destroying a zombie's SMTP abilities. Of course, we don't need to rehash the pros/cons of port 25 blocking here... that's another topic altogether.
Perhaps, the following should be required reading 
»www.rhyolite.com/anti-spam/you-might-be.html |
|
robscullion
Premium
join:2001-12-07
Philadelphia, PA
·Speakeasy
| That rhyolite link is great! I agree...it should definitely be required reading.
I'd say lurking in NANAE (»groups-beta.google.com/group/new···se.email) for a month should be considered required as well, but that'd fall into the category of "cruel and unusual punishment". |
|
