[69727] in North American Network Operators' Group
Re: Anyone from AT&T here? (AT&T bogus DNSBL answers)
daemon@ATHENA.MIT.EDU (Patrick W.Gilmore)
Mon Apr 19 12:30:18 2004
In-Reply-To: <OFB5F2E766.0F66928F-ON80256E7B.0056EC03-80256E7B.00576C56@radianz.com>
Cc: Patrick W.Gilmore <patrick@ianai.net>
From: Patrick W.Gilmore <patrick@ianai.net>
Date: Mon, 19 Apr 2004 12:26:14 -0400
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Apr 19, 2004, at 11:54 AM, Michael.Dillon@radianz.com wrote:
>>> "I finally talked to someone who knows what the problem is. Your sbl
>>> sites have been blocked by the standard DNS forwarders supplied by ATT.
>>> This is due to the workload being generated on them from mailservers."
>>
>> Duh! This is really dumb.
>
> It's not dumb at all.
Yes, it is.
It is not only dumb, it is a disservice to their customers. AT&T is
intentionally distributing known bad information. Worse, they hid this
fact from their customer. When customers called the AT&T support line
to find out what happened, they were told nothing was wrong and it must
be on the customer side. My understanding is this was an intentional
lie. Lying to your customers is a Bad Thing [tm], IMHO.
Perhaps it was just a bunch of front line people who did not know /
understand, but considering that they made a change which they knew -
they *KNEW* - would break things, they should have made damned sure
each and every front line person was prepared for the customer calls.
They did not, so they are at best guilty of pathetically poor customer
service, and possibly guilty of outright lying to their customers.
If I paid AT&T for name service (even as part of a larger package of
offerings - e.g. transit), I would be *VERY* upset.
> DNSBLs are using the DNS to do general purpose database
> lookups instead of using a generic database lookup
> protocol like LDAP. It's not surprising that this sort
> of ugly hack has unintended side effects. After all, people
> who build DNS infrastructure intend it to be used to
> for generic DNS translations, not generic database lookups.
A DNS query is a database lookup. It is probably the most widely
distributed, robust database ever designed and implemented. But it is a
database, and the DNSBL queries are well formed DNS queries. The only
difference between a DNSBL query and a normal host lookup is the source
zone file and rate.
I wonder if Google gets too many DNS hits if AT&T will decide to filter
that zone?
> Funny thing is that most mailer software that uses
> DNSBLs also supports LDAP database lookups so there is
> really no good reason why DNSBLs exist in the first
> place.
Have the mailers always supported LDAP? Do all firewalls which work as
MTAs in many 1000s of corporations allow LDAP queries by default?
Perhaps the creators and maintainers of the DNSBLs like to use DNS and
do not like LDAP?
There are many, many possible "good reasons" for the DNSBLs to exist.
> IMHO, the DNSBL experiment has proved the usefulness
> of having a variety of blacklist/whitelist/greylist databases
> for mail servers to query. It's high time that folks
> shift these databases onto a protocol that does not interfere
> with the Internet's critical DNS systems and I believe that
> LDAP is that protocol.
That is possible, and much more reasonable than claiming that they have
no good reason to exist in the first place.
If you believe this so fervently, perhaps you should put in effort to
make it happen, instead of discarding out of hand the effort, time, and
money the current maintainers have donated to make the community
better.
--
TTFN,
patrick
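The point made above, that a DNSBL lookup is nothing but an ordinary DNS A query against a differently populated zone, is easy to show in code. The example below is added here and is not from the post, the list, or any DNSBL operator: the zone name `sbl.example.net`, the in-memory zone data, and the `filtering_forwarder` stand-in for a resolver that refuses to serve one zone are all constructed for illustration. It builds the reversed-octet query name, treats any answer in 127.0.0.0/8 as "listed", flags an answer outside that range as bogus, and runs the standard health check (the test address 127.0.0.2 must be listed and 127.0.0.1 must not be, the convention later codified in RFC 5782) that would have exposed a forwarder silently dropping the zone instead of leaving a mail admin to guess why the list looks empty:

```python
"""DNSBL lookups are ordinary DNS A queries: reverse the IPv4 octets,
append the list's zone, and treat any answer in 127.0.0.0/8 as "listed".
The zone name and zone data below are constructed for this example and
are not taken from any real DNSBL.  Python 3.6+, standard library only."""
import ipaddress

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # all real DNSBL answers live here

ZONE = "sbl.example.net"                              # assumed name, not a real list
CONSTRUCTED_ZONE_DATA = {                             # constructed sample zone
    "2.0.0.127." + ZONE: "127.0.0.2",                 # test entry: MUST be listed
    "1.2.0.192." + ZONE: "127.0.0.2",                 # sample listed address
    "25.2.0.192." + ZONE: "127.0.0.3",                # sample listed address
}                                                     # 127.0.0.1 absent: MUST NOT be listed


def dnsbl_qname(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zone_resolver(zone_data):
    """Resolver over an in-memory zone: returns the A record, or None for NXDOMAIN."""
    def resolve(qname):
        return zone_data.get(qname)
    return resolve


def filtering_forwarder(inner, blocked_zone):
    """Hypothetical forwarder that refuses one zone by answering NXDOMAIN for
    everything under it, so every address looks unlisted (assumed behaviour)."""
    def resolve(qname):
        if qname.endswith("." + blocked_zone):
            return None
        return inner(qname)
    return resolve


def is_listed(ip, zone, resolve):
    """True if the DNSBL lists ip, False if it does not.  An answer outside
    127.0.0.0/8 is something no DNSBL returns, so raise rather than guess."""
    answer = resolve(dnsbl_qname(ip, zone))
    if answer is None:
        return False
    if ipaddress.IPv4Address(answer) not in LISTED_RANGE:
        raise ValueError(f"bogus DNSBL answer {answer} for {ip} in {zone}")
    return True


def dnsbl_is_healthy(zone, resolve):
    """Sanity check before trusting a list: 127.0.0.2 must be listed and
    127.0.0.1 must not be.  A resolver dropping the zone fails the first;
    a wildcarded or hijacked zone fails the second or returns a bogus answer."""
    try:
        return (is_listed("127.0.0.2", zone, resolve)
                and not is_listed("127.0.0.1", zone, resolve))
    except ValueError:
        return False


if __name__ == "__main__":
    good = zone_resolver(CONSTRUCTED_ZONE_DATA)
    bad = filtering_forwarder(good, ZONE)
    print(dnsbl_qname("192.0.2.1", ZONE))        # 1.2.0.192.sbl.example.net
    print(is_listed("192.0.2.1", ZONE, good))    # True
    print(dnsbl_is_healthy(ZONE, good))          # True
    print(dnsbl_is_healthy(ZONE, bad))           # False: the list only looks empty
```

Running the health check against the resolver a mail server actually uses, rather than against the list's authoritative servers, is what distinguishes "the list is fine, my forwarder is lying" from "the address really is not listed"; the only thing special about the query is the zone it lands in.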