[50264] in North American Network Operators' Group


RE: Security of DNSBL spam block systems

daemon@ATHENA.MIT.EDU (Brad Knowles)
Tue Jul 23 18:08:34 2002

In-Reply-To: 
 <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA/zNkI7d3EEmn3+v5Dg
 N/l8KAAAAQAAAAW3huYcCFekOs+STSsaqv/AEAAAAA@isprime.com>
Date: Tue, 23 Jul 2002 22:20:58 +0200
To: <pr@isprime.com>, "'Big_Bandwidth'" <big_bandwidth@hotmail.com>,
	<nanog@nanog.org>
From: Brad Knowles <brad.knowles@skynet.be>
Errors-To: owner-nanog-outgoing@merit.edu


At 2:29 AM -0400 2002/07/23, Phil Rosenthal wrote:

>  IMHO Even the really large DNSBL's are barely used -- I think
>  (much) less than 5% of total human mail recipients are behind
>  a mailserver that uses one...

	Not true.  There are plenty of large sites that use them (e.g., 
AOL), and many sites use them to help ensure that they themselves 
don't get added to the black lists.


	IMO, there is a serious risk of having DNSBL servers attacked and 
used as a DoS.

	The easiest way would be to check to see if the servers being 
used are open public caching recursive servers, in addition to their 
authoritative services.  If so, then they would be open to cache 
poisoning attacks.

	That said, I think the bigger black list services are run by 
people who have at least half a clue as to how a nameserver should be 
operated, and therefore they should be relatively secure.  However, 
they would still be at risk if one of their parent zones is served by 
a nameserver that mixes both authoritative service & 
caching/recursive service, and therefore would be easily subject to 
cache poisoning.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.
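
The message above turns on whether a nameserver mixes authoritative and caching/recursive service. The following is an added example, not part of the original message, showing how an operator can audit their own servers for that configuration by sending a recursion-desired query for a name outside the served zones and reading the RA flag and RCODE of the reply. The function names and sample bytes are assumptions made for this illustration.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, RD, RA = 0x8000, 0x0100, 0x0080

def build_query(qname, qid=0x1234, qtype=1):
    """Build a DNS query for qname (type A by default) with RD set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response, qid=0x1234):
    """Classify the reply to a recursion-desired query for an out-of-zone name."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                       # REFUSED: recursion denied to this client
        return "refused"
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-recursive"          # resolved a name it is not authoritative for
    if flags & RA:
        return "recursion-offered"       # RA advertised, but no answer this time
    return "authoritative-only"          # RA clear: referral or empty answer

def audit(server, out_of_zone_name, timeout=3.0):
    """Send one UDP query to a nameserver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(out_of_zone_name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(data)

if __name__ == "__main__":
    # Constructed reply header (QR|RD|RA, NOERROR, one answer), not captured traffic.
    sample = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    print(classify(sample))
```

A result of "open-recursive" or "recursion-offered" from an address outside your own networks means the server should have recursion disabled or restricted to local clients.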
