Posted to users@spamassassin.apache.org by Andrzej Adam Filip <an...@gmail.com> on 2011/07/07 15:31:47 UTC

Re: TTL and DNSBLs [per-IP negative-cache TTL]

"David F. Skoll" <df...@roaringpenguin.com> wrote:
> On Thu, 7 Jul 2011 11:50:44 +0200
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>
>> Negative caching can be effective or in this case even 
>> ineffective too, can't it?
>
> The point is that by definition, you can't have a per-IP
> negative-cache TTL.

But it is possible to use a wildcard DNS record for "not listed", 
isn't it? :-)

The question is: Would it be cost effective?

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi@onet.eu
I never met a man I didn't want to fight.
  -- Lyle Alzado, professional football lineman

Re: TTL and DNSBLs [per-IP negative-cache TTL]

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>"David F. Skoll" <df...@roaringpenguin.com> wrote:
>> On Thu, 7 Jul 2011 11:50:44 +0200
>> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>
>>> Negative caching can be effective or in this case even
>>> ineffective too, can't it?
>>
>> The point is that by definition, you can't have a per-IP
>> negative-cache TTL.

On 07.07.11 15:31, Andrzej Adam Filip wrote:
>But it is possible to use a wildcard DNS record for "not listed",
>isn't it? :-)

It can, but it would have no positive effect due to the way wildcards 
in DNS work.

>The question is: Would it be cost effective?

There would be a cost of returning a positive answer instead of a negative one.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT wish to receive any advertising mail at this address.
    One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 

Re: TTL and DNSBLs [how to improve DNSBL/DNSWL "cache-ability"]

Posted by Andrzej Adam Filip <an...@gmail.com>.
"David F. Skoll" <df...@roaringpenguin.com> wrote:
> On Thu, 07 Jul 2011 15:31:47 +0200
> Andrzej Adam Filip <an...@gmail.com> wrote:
>
>> > The point is that by definition, you can't have a per-IP
>> > negative-cache TTL.
>
>> But it is possible to use a wildcard DNS record for "not listed", 
>> isn't it? :-)
>
> That would not work well at all... think about the ramifications. :)
> Either the cached wildcard record would prevent you from querying IPs
> you've never seen before (in which case the DNSBL would be useless) or
> it would forward the specific query anyway (in which case it does nothing
> to solve the problem.)

In the email you replied to, I merely suggested using wildcards for */24
and */16 nets with a "not listed" record to allow setting a different TTL.
[ As I understand it, this will do little beyond allowing a custom TTL ]

> Anyway, IMO, DNS should not be used for blacklist lookups over the
> Internet.  DNS was never designed for that; it just happens to
> sort-of-work.  DNSRBLs are frequently-changing and are supposed to
> provide up-to-the-minute information.  DNS is a good protocol for
> querying a local authoritative name server, but it's not good for
> distributing large volumes of quickly-changing, required-to-be-fresh
> data across the Internet.

*But*
a1) DNS servers (forwarders) can be modified, e.g. to treat a cached record
    for 3.2.1.dnsbl.example.net as matching a query for 4.3.2.1.dnsbl.example.net
    [ on a per-domain basis or per *new* DNS record ]
a2) DNS servers (authoritative) may be modified to *append* such a "more general"
    reply when possible
b) I bet [not too much :-) ] that some tricks with delegations 
   (NS records) in a 4.3.2.1.in-addr.arpa-style structure would make it
   possible to achieve better "negative caching" for */24 and */16 nets.

> (What's saving us is computing power and bandwidth.  Modern name servers
> can handle a huge number of queries without too much trouble, so people
> never even noticed that caching wasn't buying them anything.)

To put it in a way we may both accept:
Improving DNSBL/DNSWL "cache-ability" is not an urgent need :-)

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi@onet.eu
Eeny, Meeny, Jelly Beanie, the spirits are about to speak!
  -- Bullwinkle Moose
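The per-net negative-cache scheme sketched in points a1/a2 above, written out as an added simulation (this is not code from the thread, from SpamAssassin, or from any DNS server). The zone name dnsbl.example.net comes from the post; the listed IP 1.2.3.4, the TTL values and the `AuthoritativeDnsbl` / `CachingForwarder` classes are constructed for illustration. No DNS traffic is sent: the authoritative side is an in-memory dict, and the forwarder keeps a dict cache keyed by query name so that a cached "not listed" record for a /24 or /16 name answers later queries for any host in that net until its TTL runs out.

```python
import ipaddress
import time

DNSBL_ZONE = "dnsbl.example.net"   # zone name taken from the thread
LISTED_ANSWER = "127.0.0.2"        # conventional DNSBL "listed" A record
NOT_LISTED = "not-listed"          # constructed marker for a negative answer


def dnsbl_name(ip: str, prefix_len: int = 32) -> str:
    """Build the reversed-octet query name, e.g. 1.2.3.4 -> 4.3.2.1.dnsbl.example.net.
    With prefix_len 24 or 16 it builds the 'more general' name from the post
    (3.2.1.dnsbl.example.net / 2.1.dnsbl.example.net)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    kept = octets[: prefix_len // 8]
    return ".".join(reversed(kept)) + "." + DNSBL_ZONE


class AuthoritativeDnsbl:
    """Hypothetical authoritative side (proposal a2): answers per-host queries and,
    when nothing in the host's /16 or /24 is listed, returns the widest clean
    'not listed' net record with its own (longer) TTL instead of a per-host negative."""

    def __init__(self, listed, ttl_listed=300, ttl_not_listed=3600, ttl_negative=60):
        self.listed = {ipaddress.IPv4Address(ip) for ip in listed}
        self.ttl_listed = ttl_listed
        self.ttl_not_listed = ttl_not_listed
        self.ttl_negative = ttl_negative   # stands in for the zone-wide negative TTL
        self.queries = 0                   # counts upstream round trips for the demo

    def _net_clean(self, ip, prefix_len):
        net = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
        return not any(addr in net for addr in self.listed)

    def query(self, ip):
        """Return a list of (name, answer, ttl) records."""
        self.queries += 1
        if ipaddress.IPv4Address(ip) in self.listed:
            return [(dnsbl_name(ip), LISTED_ANSWER, self.ttl_listed)]
        for plen in (16, 24):              # widest clean net first
            if self._net_clean(ip, plen):
                return [(dnsbl_name(ip, plen), NOT_LISTED, self.ttl_not_listed)]
        # a listed neighbour exists: only an ordinary per-host negative is possible
        return [(dnsbl_name(ip), NOT_LISTED, self.ttl_negative)]


class CachingForwarder:
    """Hypothetical forwarder (proposal a1): a cached 'not listed' record for the
    /24 or /16 name satisfies queries for any host in that net; the clock is
    injectable so TTL expiry can be exercised without sleeping."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.cache = {}                    # name -> (answer, expires_at)

    def _cached(self, name):
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.cache.pop(name, None)         # drop expired entries
        return None

    def lookup(self, ip):
        """Return True if ip is listed, False otherwise."""
        for plen in (32, 24, 16):
            ans = self._cached(dnsbl_name(ip, plen))
            if ans is not None:
                return ans == LISTED_ANSWER
        now = self.clock()
        records = self.upstream.query(ip)
        for name, ans, ttl in records:
            self.cache[name] = (ans, now + ttl)
        return any(ans == LISTED_ANSWER for _, ans, _ in records)


def demo():
    """Constructed scenario: 1.2.3.4 is listed, 10.0.0.0/16 is clean."""
    clock = [0.0]
    auth = AuthoritativeDnsbl(listed=["1.2.3.4"])
    fwd = CachingForwarder(auth, clock=lambda: clock[0])
    results = [fwd.lookup("1.2.3.4"), fwd.lookup("1.2.3.5"), fwd.lookup("1.2.3.6")]
    q_after_dirty_net = auth.queries       # 3: neighbours of a listed IP each cost a query
    fwd.lookup("10.0.0.1")                 # first query caches "0.10.dnsbl.example.net"
    fwd.lookup("10.0.0.2")
    fwd.lookup("10.0.9.9")                 # both served from the /16 cache entry
    q_after_clean_net = auth.queries       # 4
    clock[0] = 4000.0                      # past the 3600 s TTL
    fwd.lookup("10.0.0.2")                 # expired, so one more upstream query
    q_after_expiry = auth.queries          # 5
    return results, q_after_dirty_net, q_after_clean_net, q_after_expiry


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes visible is the one the thread argues about: the scheme only saves round trips for nets in which nothing is listed, and every host in a net that does contain a listing still costs its own query, so the saving depends entirely on how the listed addresses are distributed.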

Re: TTL and DNSBLs [per-IP negative-cache TTL]

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Thu, 07 Jul 2011 15:31:47 +0200
Andrzej Adam Filip <an...@gmail.com> wrote:

> > The point is that by definition, you can't have a per-IP
> > negative-cache TTL.

> But it is possible to use a wildcard DNS record for "not listed", 
> isn't it? :-)

That would not work well at all... think about the ramifications. :)
Either the cached wildcard record would prevent you from querying IPs
you've never seen before (in which case the DNSBL would be useless) or
it would forward the specific query anyway (in which case it does nothing
to solve the problem.)

Anyway, IMO, DNS should not be used for blacklist lookups over the
Internet.  DNS was never designed for that; it just happens to
sort-of-work.  DNSRBLs are frequently-changing and are supposed to
provide up-to-the-minute information.  DNS is a good protocol for
querying a local authoritative name server, but it's not good for
distributing large volumes of quickly-changing, required-to-be-fresh
data across the Internet.

(What's saving us is computing power and bandwidth.  Modern name servers
can handle a huge number of queries without too much trouble, so people
never even noticed that caching wasn't buying them anything.)

Regards,

David.