On Thu, 24 Aug 2007, Paul Vixie wrote:
> Is it a placebo or does it actually have an effect? the inbound tcp/53 i see blocked by SH-DROP isn't the result of truncation or any other response of mine that could reasonably trigger TCP retry. so on the basis that it's no longer reaching me and can't have been for my good, SH-DROP has at least that good effect. i also see a lot of nameserver transaction timeouts in my own logs, and it's all (*ALL*) for garbage domains such as must be used by phishers or spammers.
Unfortunately, on today's Internet if you randomly picked a couple of hundred network blocks of the same size you would see the same thing. Lame delegations and brokenness are well distributed across the Internet. Between Cisco Content Distributors emitting tcp/53 syn/acks and broken nat/firewalls that block udp but not tcp, inbound tcp/53 without truncation or any previous query/response from almost anywhere on the Internet isn't unusual.
> why would i install something that required manual maintenance or depended on me still being present? other than putting system level logic in my home directory, i detect no sysadmin sin here.
Other people do, which often leads to brokenness. Unfortunately again, if you use your favorite search engine you will find several instances that read something like "we also have the DROP list in an ACL on our router, but we don't monitor it." I have found two year old copies of the DROP list in networks. Network blocks are regularly added *AND REMOVED* from the Spamhaus DROP list.
>> If you do have a process in place, not only for routing but also for your new customer order process, it is a useful source of information.

> agreed.
I think we're in violent agreement. It can be useful if used correctly, it can be harmful if used incorrectly.
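The maintenance problem raised above (stale DROP copies, and blocks being removed as well as added) is the kind of thing a small refresh check catches. The following is an added example, not code from either poster or from Spamhaus: it parses two constructed snapshots in the list's plain-text form (assumed here to be `;` comment lines, a `Last-Modified:` header and `CIDR ; reference` entries), reports what was added and removed, flags a copy older than a chosen age, and refuses malformed lines instead of silently loading them. The snapshot contents, dates and SBL references are all made up for the example.

```python
import ipaddress
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample snapshots; the format is an assumption for this example
# and the addresses are documentation ranges, not real DROP entries.
OLD_SNAPSHOT = """\
; DROP list (constructed sample, two years old)
; Last-Modified: Tue, 23 Aug 2005 00:00:00 GMT
192.0.2.0/24 ; SBL-EXAMPLE-1
198.51.100.0/24 ; SBL-EXAMPLE-2
"""

NEW_SNAPSHOT = """\
; DROP list (constructed sample, current)
; Last-Modified: Thu, 23 Aug 2007 00:00:00 GMT
192.0.2.0/24 ; SBL-EXAMPLE-1
203.0.113.0/24 ; SBL-EXAMPLE-3
not-a-network ; bogus
"""


def parse_drop(text):
    """Return (entries, last_modified, rejected).

    entries: {ip_network: reference}; last_modified: aware datetime or None
    if the header is missing; rejected: raw lines that failed to parse.
    """
    entries, rejected, last_modified = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            body = line[1:].strip()
            if body.lower().startswith("last-modified:"):
                last_modified = parsedate_to_datetime(body.split(":", 1)[1].strip())
            continue
        cidr, _, ref = line.partition(";")
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            rejected.append(line)
            continue
        entries[net] = ref.strip()
    return entries, last_modified, rejected


def diff_snapshots(old, new):
    """Networks present only in the new copy, and only in the old copy."""
    added = sorted(n for n in new if n not in old)
    removed = sorted(n for n in old if n not in new)
    return added, removed


def is_stale(last_modified, now, max_age=timedelta(days=7)):
    """A copy with no Last-Modified header is treated as stale."""
    if last_modified is None:
        return True
    return now - last_modified > max_age


def build_report(old_text, new_text, now_rfc2822):
    """Summarise what an operator should act on when refreshing the list."""
    now = parsedate_to_datetime(now_rfc2822)
    old, old_ts, old_bad = parse_drop(old_text)
    new, new_ts, new_bad = parse_drop(new_text)
    added, removed = diff_snapshots(old, new)
    return {
        "added": [str(n) for n in added],      # push these into the ACL / route filter
        "removed": [str(n) for n in removed],  # and take these out
        "old_stale": is_stale(old_ts, now),
        "new_stale": is_stale(new_ts, now),
        "rejected": old_bad + new_bad,         # never load these blindly
    }


if __name__ == "__main__":
    report = build_report(OLD_SNAPSHOT, NEW_SNAPSHOT, "Fri, 24 Aug 2007 12:00:00 GMT")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the two constructed snapshots, the report lists 203.0.113.0/24 as added, 198.51.100.0/24 as removed, marks the 2005 copy stale, and rejects the malformed line; in practice `now` would be the current time and the snapshots the previously installed copy and a fresh download.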