DNS question, null MX records
I have a domain that exists solely to cname A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attemtping to connect to the cnamed A record, which has no inbound mail server (It's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without dns for a while) I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers. __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 ________________________________ This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
Hello, You could use: Local.example.com. IN A 127.0.0.1 Example.com. IN MX 10 local.example.com. This way systems shouldn't deliver it at your system. What you did mention is something we don't allow our customers to do (if I am correct). With kind regards, Mark Scholten -----Original Message----- From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com] Sent: dinsdag 15 december 2009 16:18 To: 'nanog@nanog.org' Subject: DNS question, null MX records I have a domain that exists solely to cname A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attemtping to connect to the cnamed A record, which has no inbound mail server (It's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without dns for a while) I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers. __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 ________________________________ This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
* Eric J. Esslinger:
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
I think this is quite controversal. The best approach still seems to be an SMTP rejecter on a dedicated IP address. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
On Tue, 15 Dec 2009, Florian Weimer wrote:
* Eric J. Esslinger:
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
I think this is quite controversal.
My impression from discussions on various IETF lists is that most people think it is a good idea, it is already reasonably widely implemented, but no-one has the time and persistence to push a spec through to publication. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
I disagree. There was considerable concern with a misuse of a mechanism and its effect on various systems. That, from discussion on the IETF mailing list I was on when it was discussed there. There was no rough consensus that I could see. On Dec 15, 2009, at 2:09 PM, Tony Finch wrote:
On Tue, 15 Dec 2009, Florian Weimer wrote:
* Eric J. Esslinger:
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
I think this is quite controversal.
My impression from discussions on various IETF lists is that most people think it is a good idea, it is already reasonably widely implemented, but no-one has the time and persistence to push a spec through to publication.
Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
On 2009-12-15, at 19:09, Tony Finch wrote:
On Tue, 15 Dec 2009, Florian Weimer wrote:
* Eric J. Esslinger:
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
I think this is quite controversal.
My impression from discussions on various IETF lists is that most people think it is a good idea, it is already reasonably widely implemented, but no-one has the time and persistence to push a spec through to publication.
When I attempted to document a similar idea (using an empty label in the MNAME field of an SOA record in order to avoid unwanted DNS UPDATE traffic) the consensus of the room was that the idea was both controversial and bad :-) http://tools.ietf.org/html/draft-jabley-dnsop-missing-mname-00 Joe
In message <167CAB40-71D7-4BF9-988A-1A188B433C37@hopcount.ca>, Joe Abley writes :
On 2009-12-15, at 19:09, Tony Finch wrote:
* Eric J. Esslinger: =20
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . =20 I think this is quite controversal. =20 My impression from discussions on various IETF lists is that most =
On Tue, 15 Dec 2009, Florian Weimer wrote: people think it is a good idea, it is already reasonably widely implemented, = but no-one has the time and persistence to push a spec through to = publication.
When I attempted to document a similar idea (using an empty label in the = MNAME field of an SOA record in order to avoid unwanted DNS UPDATE = traffic) the consensus of the room was that the idea was both = controversial and bad :-)
http://tools.ietf.org/html/draft-jabley-dnsop-missing-mname-00
Well UPDATE traffic is supposed to go to the nameservers listed in the NS RRset prefering the MNAME if and only if the MNAME is a nameserver. Lots of update clients don't do it quite right but there are some that actually send to all the nameservers. Setting the MNAME to "." does not actually address the problem. Mark
Joe
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
I realize we're a bit off-topic, but to be tangential to the original topic, and thus barely relevant: (Presuming the "sink.arpa." thing succeeds, big presumption I realize...) So, how about using sink.arpa. as a(n) MNAME? Or perhaps, one of the hosts listed in AS112? Maybe a new AS112 entry that resolves to one of the IP addresses mentioned already (127.0.0.1 and friends)? (Too bad there isn't a reserved IP address that definitively goes to /dev/null locally. Or is there?) Does an MNAME really need to be fully qualified? Cute idea: use the "search" of non-fully-qualified names, to direct bad UPDATE traffic to a very local server, e.g. "ns1" (no dot). It would also be nice to have a place-holder in DNS that "resolves" (in the loose sense) to an appropriate pre-defined "thing", like the default nameserver for a client, or "yourself" for a resolver. But I digress. :-) Brian -----Original Message-----
When I attempted to document a similar idea (using an empty label in the = MNAME field of an SOA record in order to avoid unwanted DNS UPDATE = traffic) the consensus of the room was that the idea was both = controversial and bad :-)
http://tools.ietf.org/html/draft-jabley-dnsop-missing-mname-00
Well UPDATE traffic is supposed to go to the nameservers listed in the NS RRset prefering the MNAME if and only if the MNAME is a nameserver. Lots of update clients don't do it quite right but there are some that actually send to all the nameservers. Setting the MNAME to "." does not actually address the problem. Mark
Joe
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On 2009-12-16, at 20:44, Brian Dickson wrote:
So, how about using sink.arpa. as a(n) MNAME?
That was another imagined use of SINK.ARPA.
Or perhaps, one of the hosts listed in AS112?
My personal opinion is that there's an operational need for some people to receive an explicit reply from AS112 servers, or at least that a change in current behaviour will have noticeable consequences.
Does an MNAME really need to be fully qualified?
All names in the DNS are fully-qualified on the wire, regardless of what short-cuts are available in the zone file format understood by particular pieces of software.
Cute idea: use the "search" of non-fully-qualified names, to direct bad UPDATE traffic to a very local server, e.g. "ns1" (no dot).
All names in the DNS are fully-qualified on the wire.
It would also be nice to have a place-holder in DNS that "resolves" (in the loose sense) to an appropriate pre-defined "thing", like the default nameserver for a client, or "yourself" for a resolver.
Beauty is apparently in the eye of the beholder :-) Joe
On Dec 15, 2009, at 10:17 AM, Eric J Esslinger wrote:
I have a domain that exists solely to cname A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attemtping to connect to the cnamed A record, which has no inbound mail server (It's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without dns for a while)
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers.
It's valid. But if you think all spammers will respect it, you're in for a surprise. :( There is also a recommendation to point the MX at somewhere unroutable (192.2.x.x IIRC, but don't quote me on that). This will force the spammer / bot to try to connect to something that does not exist and use up sockets & resources, hopefully slowing it down. I've also heard that pointing the MX at localhost is useful, for reasons that should be obvious. The latter has the slight advantage of not making networks with a default route carry packets to the DFZ. I'm sure some will find errors with all three suggestions. I honestly don't know which is the best / worst. Personally I'd set up a tiny mail server that accepted connections & feed them to /dev/null, or maybe forwarded the whole feed to a spam trap or DCC or the like. -- TTFN, patrick
On 12/15/2009 10:17 AM, Eric J Esslinger wrote:
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers.
Pulling from my often mangled memory: This was proposed in a draft RFC that went nowhere. Parsing the Null MX record was implemented in at least one fairly popular MTA (Postfix?) The null MX record was published by whoever got (some of?) the Excite @Home domain(s) after that company flamed out. This results in the occasional post to various mailing lists by people wondering why they are queuing mail bound for said domain. So to the point of your question, it may reduce some SMTP connection attempts to you, but will not likely eliminate them. -- Dave
On 2009-12-15, at 15:45, Dave Sparro wrote:
On 12/15/2009 10:17 AM, Eric J Esslinger wrote:
I found a reference to a null MX proposal, constructed so: example.com IN MX 0 .
Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers.
Pulling from my often mangled memory:
This was proposed in a draft RFC that went nowhere.
http://tools.ietf.org/html/draft-jabley-sink-arpa-01 One of the imagined purposes of this draft is to be able to write example.com. IN MX 0 SINK.ARPA. and be confident that SINK.ARPA does not exist. Joe
I've had a couple of off-list comments already about using it as/donating it to a spam trap; That is a good idea and I actually thought of that. However, the address was formerly used for email addresses for our customers and for our business (some 10 years ago it was registered, but has not had any valid dns records set for roughly 6 years), and we still deal from time to time with mail being sent to old addresses on that domain for various reasons (several dns registrations, for example, we've had to help these people go through the fax change system because we don't want to go to the trouble of setting up to receive email on this domain again) So in any case, due to customer privacy concerns we feel we can't do that. Also I have set the spf -all on it, for those that look for these records to auot-reject email from the domain. __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 -----Original Message----- From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com] Sent: Tuesday, December 15, 2009 9:18 AM To: 'nanog@nanog.org' Subject: DNS question, null MX records I have a domain that exists solely to cname A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attemtping to connect to the cnamed A record, which has no inbound mail server (It's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without dns for a while) I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers. __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 ________________________________ This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited. This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
On Tue, Dec 15, 2009 at 7:46 AM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:
So in any case, due to customer privacy concerns we feel we can't do that.
If you don't want to handle email for the long-obsolete customer accounts, but just don't want to send that mail to anybody else, it's pretty easy to run a teergrube or other tarpit system to trap any mail addressed to the A-record. These systems basically accept mail v.e.rrrr.yyyyy....s....l.....o...w...l..yyyyy so that spammers can waste their time talking to your tarpit instead of to somebody who cares, and so you can trap their IP addresses and potentially block them or use them to support your other spam-blockers if you want. You don't need a high-performance machine because all the users are spammers and you're *trying* to give them bad service. (Some variants, like LaBrea, are used for connection attempts to non-existent machines - they'll send a syn-ack so the attacker thinks he has a successful 3-way handshake, which slows down scanning attacks.) If you do want to accept mail for the long-obsolete customer accounts, so you can give them a proper human-readable rejection message, you may need to customize. It looks like Exim supports that, though I haven't tried it. -- ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Eric J Esslinger wrote:
I have a domain that exists solely to cname A records to another domain's websites. [...] I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . [...] Question: Is this a valid dns construct or did the proposal die?
It's "valid", but you will probably find people still try to spam to machines on the A records, and all of the other weird and wonderful things that spambots try to do to find a path that will deliver mail... If there is no time that mail should appear *from* this domain name then it's polite to set spf records as such - one of the few things spf is always useful for :-) like this : @ IN TXT "v=spf1 -all" ... all this means in practice though is that spammers who actually bother to check for this, will find someone else to masquerade. But you won't have to deal with the associated attempted bounce delivery connections... Best wishes Andy
On 12/15/09 8:06 AM, Andy Davidson wrote:
Eric J Esslinger wrote:
I have a domain that exists solely to cname A records to another domain's websites. [...] I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . [...] Question: Is this a valid dns construct or did the proposal die?
It's "valid", but you will probably find people still try to spam to machines on the A records, and all of the other weird and wonderful things that spambots try to do to find a path that will deliver mail...
SRV records documented the hostname "." as representing "no service". However, errors made by non-RFC-compliant clients still generate a fair amount of root traffic attempting to resolve A records for ".". The MX record never defined a hostname "." to mean "no service" so it would be unwise to expect email clients will interpret this as a special case meaning "no service" as well. One might instead consider using: example.com. IN MX 0 192.0.2.0 IN MX 10 192.0.2.1 ... IN MX 90 192.0.2.9 where 192.0.2.0/24 represents a TEST-NET block. This should ensure traffic will not hit the roots or your servers. Assuming a sender tries all of MX addresses listed, they may still attempt to resolve A records for example.com. This MX approach will affect those failing to validate email prior to acceptance, and, of course, spammers. -Doug
In message <4B284376.3000800@mail-abuse.org>, Douglas Otis writes:
On 12/15/09 8:06 AM, Andy Davidson wrote:
Eric J Esslinger wrote:
I have a domain that exists solely to cname A records to another domain's websites. [...] I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . [...] Question: Is this a valid dns construct or did the proposal die?
It's "valid", but you will probably find people still try to spam to machines on the A records, and all of the other weird and wonderful things that spambots try to do to find a path that will deliver mail...
SRV records documented the hostname "." as representing "no service". However, errors made by non-RFC-compliant clients still generate a fair amount of root traffic attempting to resolve A records for ".". The MX record never defined a hostname "." to mean "no service" so it would be unwise to expect email clients will interpret this as a special case meaning "no service" as well. One might instead consider using:
example.com. IN MX 0 192.0.2.0 IN MX 10 192.0.2.1 ... IN MX 90 192.0.2.9
Which will expand to: example.com. IN MX 0 192.0.2.0.example.com. IN MX 10 192.0.2.1.example.com. .... IN MX 90 192.0.2.9.example.com. MX records DO NOT take IP addresses.
where 192.0.2.0/24 represents a TEST-NET block.
This should ensure traffic will not hit the roots or your servers. Assuming a sender tries all of MX addresses listed, they may still attempt to resolve A records for example.com. This MX approach will affect those failing to validate email prior to acceptance, and, of course, spammers.
-Doug
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, 16 Dec 2009, Mark Andrews wrote:
Douglas Otis wrote:
One might instead consider using:
example.com. IN MX 0 192.0.2.0 IN MX 10 192.0.2.1 ... IN MX 90 192.0.2.9
Which will expand to:
example.com. IN MX 0 192.0.2.0.example.com. IN MX 10 192.0.2.1.example.com. .... IN MX 90 192.0.2.9.example.com.
MX records DO NOT take IP addresses.
Or if he puts in the trailing dot it'll still cause the root server traffic he was trying to avoid. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
On 12/16/09 3:59 AM, Tony Finch wrote:
On Wed, 16 Dec 2009, Mark Andrews wrote:
Douglas Otis wrote:
One might instead consider using:
example.com. IN MX 0 192.0.2.0 IN MX 10 192.0.2.1 ... IN MX 90 192.0.2.9
Which will expand to:
example.com. IN MX 0 192.0.2.0.example.com. IN MX 10 192.0.2.1.example.com. .... IN MX 90 192.0.2.9.example.com.
MX records DO NOT take IP addresses.
Sorry for embarrassing mistake. To avoid server access and hitting roots: host-1.example.com. IN A 192.0.2.0 ... host-10.example.com. IN A 192.0.2.9 example.com. IN MX 0 host-1.example.com. ... example.com. IN MX 90 host-10.example.com. -Doug
On 2009-12-17, at 00:02, Douglas Otis wrote:
To avoid server access and hitting roots:
host-1.example.com. IN A 192.0.2.0 ... host-10.example.com. IN A 192.0.2.9
example.com. IN MX 0 host-1.example.com. ... example.com. IN MX 90 host-10.example.com.
This will still cause DNS requests to be sent towards 192.0.2.0 and 192.0.2.9, and they may not be dropped at the first router depending on local conditions. There are implications of state in the local resolver. Choosing MX RDATA with a name that is known not to exist ideally will only exercise the local cache for the non-existent name, since it will perhaps not be the first such query and the non-existence will already be cached. SINK.ARPA doesn't exist today. The document I referred to only exists to enforce that non-existence in the future; operationally you could install MX records towards SINK.ARPA today and get the desired effect, regardless of the state of the document. Joe
On 12/16/09 4:08 PM, Joe Abley wrote:
On 2009-12-17, at 00:02, Douglas Otis wrote:
To avoid server access and hitting roots:
host-1.example.com. IN A 192.0.2.0 ... host-10.example.com. IN A 192.0.2.9
example.com. IN MX 0 host-1.example.com. ... example.com. IN MX 90 host-10.example.com.
This will still cause DNS requests to be sent towards 192.0.2.0 and 192.0.2.9, and they may not be dropped at the first router depending on local conditions. There are implications of state in the local resolver.
Choosing MX RDATA with a name that is known not to exist ideally will only exercise the local cache for the non-existent name, since it will perhaps not be the first such query and the non-existence will already be cached.
SINK.ARPA doesn't exist today. The document I referred to only exists to enforce that non-existence in the future; operationally you could install MX records towards SINK.ARPA today and get the desired effect, regardless of the state of the document.
The ARPA technique, as does pointing to the root, relies upon negative caching of non-existent A records. This allows spammers to quickly determine the inability to resolve addresses for MX hostnames and thereby bypass connection attempts. Offering a sequence in the TEST-NET block was to thwart the alternative of directly using the A record, which is likely to point to a server. If MX TEST-NET became common, legitimate email handlers unable to validate messages prior to acceptance might find their server resource constrained when bouncing a large amount of spam as well. -Doug
Douglas Otis <dotis@mail-abuse.org> writes:
If MX TEST-NET became common, legitimate email handlers unable to validate messages prior to acceptance might find their server resource constrained when bouncing a large amount of spam as well.
none of this will block spam. spammers do not follow RFC 974 today (since i see a lot of them come to my A RR rather than an MX RR, or in the wrong order). any well known pattern that says "don't try to deliver e-mail here" will only be honoured by friend people who don't want us to get e-mail we don't want to get. -- Paul Vixie KI6YSY
On 12/16/09 4:48 PM, Paul Vixie wrote:
Douglas Otis<dotis@mail-abuse.org> writes:
If MX TEST-NET became common, legitimate email handlers unable to validate messages prior to acceptance might find their server resource constrained when bouncing a large amount of spam as well.
none of this will block spam. spammers do not follow RFC 974 today (since i see a lot of them come to my A RR rather than an MX RR, or in the wrong order). any well known pattern that says "don't try to deliver e-mail here" will only be honoured by friend people who don't want us to get e-mail we don't want to get.
Agreed. But it will impact providers generating a large amount of bounce traffic, and some portion of spam sources that often start at lower priority MX records in an attempt to find backup servers without valid recipient information. In either case, this will not cause extraneous traffic to hit roots or ARPA. -Doug
Douglas Otis <dotis@mail-abuse.org> writes:
Agreed. But it will impact providers generating a large amount of bounce traffic, and some portion of spam sources that often start at lower priority MX records in an attempt to find backup servers without valid recipient information. In either case, this will not cause extraneous traffic to hit roots or ARPA.
if you're just trying to stop blowback from forged-source spam, and not trying to stop the spam itself, then some mechanism like an unreachable MX does seem called for. note that those approaches will cause queuing on the blowerbackers, rather than outright reject/die. other approaches that could cause outright reject/die would likely direct the blowback to the blowback postmasters, who are as innocent as the spam victims. i'm not sure there's a right way to do this in current SMTP. i used to think we could offer to verify that a piece of e-mail had come from us using some kind of semi-opaque H(message-id) scheme, but in studying it i found that as usual with spam the economic incentives are all backwards. -- Paul Vixie KI6YSY
I concur, in fact I see them come in at precisely the wrong order, lowest preference first in the hopes that we're not running spam filtering on those particular hosts. I have found that putting a bogus mx record at lowest preference slows stuff down though. One of my services is for a company with about 150 mboxes, and I receive no less than 1.5mill spam emails a month for it. -----Original Message----- From: Paul Vixie [mailto:vixie@isc.org] Sent: Thursday, 17 December 2009 11:48 AM To: nanog@merit.edu Subject: Re: DNS question, null MX records Douglas Otis <dotis@mail-abuse.org> writes:
If MX TEST-NET became common, legitimate email handlers unable to validate messages prior to acceptance might find their server resource constrained when bouncing a large amount of spam as well.
none of this will block spam. spammers do not follow RFC 974 today (since i see a lot of them come to my A RR rather than an MX RR, or in the wrong order). any well known pattern that says "don't try to deliver e-mail here" will only be honoured by friend people who don't want us to get e-mail we don't want to get. -- Paul Vixie KI6YSY
On Wed, 16 Dec 2009, Douglas Otis wrote:
To avoid server access and hitting roots:
host-1.example.com. IN A 192.0.2.0 host-10.example.com. IN A 192.0.2.9
example.com. IN MX 0 host-1.example.com. example.com. IN MX 90 host-10.example.com.
This is not very good from the point of view of a legitimate but mistaken sender, because their messages will be queued and retried. The advantage of pointing MX records at nonexistent hosts is most MTAs (and all common ones) will stop trying to deliver the message immediately. It is perhaps more polite to use a nonexistent name that you control, but that doesn't allow the source MTA to skip further DNS lookups, unlike the nullmx or sink.arpa ideas. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
On 12/17/09 4:54 AM, Tony Finch wrote:
On Wed, 16 Dec 2009, Douglas Otis wrote:
To avoid server access and hitting roots:
host-1.example.com. IN A 192.0.2.0 host-10.example.com. IN A 192.0.2.9
example.com. IN MX 0 host-1.example.com. example.com. IN MX 90 host-10.example.com.
This is not very good from the point of view of a legitimate but mistaken sender, because their messages will be queued and retried. The advantage of pointing MX records at nonexistent hosts is most MTAs (and all common ones) will stop trying to deliver the message immediately. It is perhaps more polite to use a nonexistent name that you control, but that doesn't allow the source MTA to skip further DNS lookups, unlike the nullmx or sink.arpa ideas.
"." or "*.ARPA." are domains that won't resolve A records. Omit the A record in the above example accomplishes the same thing. DNS traffic can be reduced with long TTLs by using the TEST-NET technique. Pointing MX records toward root or ARPA domains exposes shared infrastructure to nuisance traffic from perhaps millions of sources expecting NSEC responses at negative caching rates. Traffic that should be handled by the name server declaring the service hostname. Better operators handling large email volumes reduce bounces and use retry back-off. Those who don't will find themselves disproportionally affected by a TEST-NET scheme. This seems to be a good thing, since there are far too many operators who carelessly accept email and expect others to deal with spoofed DSNs. Often the problem is due to serves being behind a border server lacking a valid recipient list that filters spam. The subsequent server with the valid recipient lists then aggressively attempts to deliver a growing number of DSNs having spoofed addresses holding spam that gets past filters. Why be friendly toward this type of behavior, especially at the expense of shared infrastructure? -Doug
On Thu, Dec 17, 2009 at 6:54 AM, Tony Finch <dot@dotat.at> wrote:
On Wed, 16 Dec 2009, Douglas Otis wrote: > more polite to use a nonexistent name that you control, but that doesn't allow the source MTA to skip further DNS lookups If you want to be kind, point the MX to an A record that resolves to 127.0.0.1. Common MX'es should immediately reject, and report a "configuration error"/MX loop with the domain.
Your intent will also be clear, to just about everyone, it will be obvious the MX is intentionally broken. Other tricks may be more obscure, will be less obvious that you don't want mail, and may look like a mistake -- you might even get visitors to your domain contacting you to report the broken MX record. An alternative to resolving MX to an invalid IP might be to cut to the chase and just make further DNS lookups impossible altogether... @ 604800 IN MX MX.BOGUSMX BOGUSNS 604800 IN A 0.0.0.0 BOGUSMX 604800 IN NS BOGUSNS Or for that matter delegate the subdomain to 255.255.255.255. The recursive resolvers already have to immediately reject DNS delegation to broadcast addresses and the like. Though i'd be afraid of finding that some obscure resolver didn't...... [EG] "Gee thanks... some spammer exploited my open relay, and your broadcast NS delegation, caused my LAN to get swamped by my mail servers' DNS lookups while it was trying to send the 10 million spams to you...." -- -J
In message <6eb799ab0912172126g1eac7e49ve8f803552f6dbd82@mail.gmail.com>, James Hess writes:
On Thu, Dec 17, 2009 at 6:54 AM, Tony Finch <dot@dotat.at> wrote:
On Wed, 16 Dec 2009, Douglas Otis wrote: > more polite to use a nonexisten t name that you control, but that doesn't allow the source MTA to skip furt her DNS lookups If you want to be kind, point the MX to an A record that resolves to 127.0.0.1. Common MX'es should immediately reject, and report a "configuration error"/MX loop with the domain.
Your intent will also be clear, to just about everyone, it will be obvious the MX is intentionally broken. Other tricks may be more obscure, will be less obvious that you don't want mail, and may look like a mistake -- you might even get visitors to your domain contacting you to report the broken MX record.
An alternative to resolving MX to an invalid IP might be to cut to the chase and just make further DNS lookups impossible altogether...
@ 604800 IN MX MX.BOGUSMX BOGUSNS 604800 IN A 0.0.0.0 BOGUSMX 604800 IN NS BOGUSNS
Or for that matter delegate the subdomain to 255.255.255.255. The recursive resolvers already have to immediately reject DNS delegation to broadcast addresses and the like.
Though i'd be afraid of finding that some obscure resolver didn't......
[EG] "Gee thanks... some spammer exploited my open relay, and your broadcast NS delegation, caused my LAN to get swamped by my mail servers' DNS lookups while it was trying to send the 10 million spams to you...."
-- -J
Just document "MX 0 ." and be done with it. MTA and MUA vendors will update their products. Most caching nameserver negatively cache the non-existance of address records so the traffic is mostly between the non-updated MTA and the recursive server. 2 queries (A and AAAA) every 3 hours won't kill the roots. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Thu, 17 Dec 2009, James Hess wrote:
Other tricks may be more obscure, will be less obvious that you don't want mail, and may look like a mistake -- you might even get visitors to your domain contacting you to report the broken MX record.
I think that's true with the suggestions in the rest of your post.
An alternative to resolving MX to an invalid IP might be to cut to the chase and just make further DNS lookups impossible altogether... Or for that matter delegate the subdomain to 255.255.255.255. The recursive resolvers already have to immediately reject DNS delegation to broadcast addresses and the like.
That'll result in a SERVFAIL DNS reply which the MTA will treat as a temporary failure. Remember the aim is to get MTAs to give up on undeliverable mail immediately. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
A. Use a valid domain mapped to an unroutable or loopback instead of the . I've decided to use 127.0.0.1 B. Set spf -all, for those who bother to check that to stop inbound mail from your domain. Already had that in place C. Donate the spam to someone who would use it. I can't donate the existing incoming email due to privacy concerns, however, project honeypot uses subdomains (foo@bar.example.com) for it's spam traps and wants unused subdomains so it's traps will be 'clean to start'. I'll see if I can get that done. D. Expect some spammers to detect any MX strangeness you use and bypass it in favor of your A record. Understandable, and none of the referenced records in the DNS files accept mail from outside, connections are silently dropped at the firewall. This is just an attempt to cut the mess coming in because of the A record down in size. E. Set up an actual mail server routing all mail to /dev/null. I'd rather just drop the traffic rather than have another service to maintain/secure/update __________________________ Eric Esslinger Information Services Manager - Fayetteville Public Utilities http://www.fpu-tn.com/ (931)433-1522 ext 165 -----Original Message----- From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com] Sent: Tuesday, December 15, 2009 9:18 AM To: 'nanog@nanog.org' Subject: DNS question, null MX records I have a domain that exists solely to cname A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attemtping to connect to the cnamed A record, which has no inbound mail server (It's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without dns for a while) I found a reference to a null MX proposal, constructed so: example.com IN MX 0 . Question: Is this a valid dns construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers. This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
On Tue, 15 Dec 2009 11:51:29 -0600, Eric J Esslinger wrote:
B. Set spf -all, for those who bother to check that to stop inbound mail from your domain.
You might as well also add a DKIM ADSP policy with "dkim=discardable". Similar to your SPF policy, it announces that no unsigned mail (or no mail at all in your case) should come from this domain. But DKIM does not suffer from the problems SPF causes with email forwarding (see recent NANOG thread on that topic). -Phil
participants (17)
-
Andy Davidson
-
Bill Stewart
-
Brian Dickson
-
Daniel Senie
-
Dave Sparro
-
Douglas Otis
-
Eric J Esslinger
-
Florian Weimer
-
James Hess
-
Jay Mitchell
-
Joe Abley
-
Mark Andrews
-
Mark Scholten
-
Patrick W. Gilmore
-
Paul Vixie
-
Phil Vandry
-
Tony Finch