>On 15 Jul 2024, at 23:27, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> I have noticed that especially DNS blocklists cause errors like:
>> Jul 14 01:41:28 fantomas named[1854]: success resolving 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'
>> and blocklists like spamhaus are sensitive to too many queries.
>> Is it possible to disable query minimisation for particular domains?
On 16.07.24 09:23, Mark Andrews wrote:
> Is it really too much effort for the servers to return NOERROR instead of
> an incorrect NXDOMAIN for the intermediate names? That would get rid of
> the log message.
>> These seem to run rbldnsd which is optimised for memory usage and speed of
>> response, and returning different replies would I guess affect speed.
> It’s changing 1 bit (0 vs 4 for the rcode) in the DNS
> header. They don’t even have to lookup if there are names below the
> query. The server can just assume that there are records there and return
> NOERROR for [0..255].zen.spamhaus.org, [0..255].[0..255].zen.spamhaus.org
> and [0..255].[0..255].[0..255].zen.spamhaus.org. Really we would like to
> be able to move to strict QNAME minimisation so we don’t need to make all
> the other queries after the first NXDOMAIN response but broken
> implementations like this are making that difficult. It’s not like this
> is a new requirement. A NOERROR response goes back to RFC 1034.
I see there's an issue and a merge request containing exactly this change:
https://github.com/spamhaus/rbldnsd/issues/17
The discussion also mentions things like
There is also quite a lot of consensus in the SMTP World that qname
minimization shouldn't be used on the resolvers used by mail servers
and
For the IP(v4 and v6) datasets, all of them, we could implement a hackish
solution so that when a query for a "partial" ip address is received,
rbldnsd doesn't reply NXDOMAIN but NOERROR instead.
> Additionally Spamhaus controls how often resolvers re-query. 10 seconds
> is a very short negative response TTL. If they don’t like the query rate
> they can control it by returning longer negative cache responses. Named
> does check in the cache for negative cache entries to determine whether or
> not to make the intermediate QNAME minimisation queries.
Lower negative TTLs allow for faster listing detection.
I also believe that it is in Spamhaus's interest to have more paying clients
(although this may not be the primary reason for short negative TTLs).
I guess for now, since the qname minimization increases the number of queries
sent and the resolving time, I should disable qname-minimization on all named
instances used by mail servers.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
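The interaction the thread is about, as an added example (not code from the thread, from BIND or from rbldnsd): a toy authoritative DNSBL zone that can answer either NXDOMAIN (the rbldnsd behaviour discussed) or NOERROR/NODATA for the intermediate names, and a resolver that walks the labels below the zone cut in strict, relaxed or disabled QNAME minimisation mode, with a TTL-bounded cache standing in for named's negative cache. The zone name is taken from the thread; the listed test address 127.0.0.2, the TTLs and the query log are constructed here, and only queries below the zone cut are modelled (the delegation lookups for spamhaus.org and zen.spamhaus.org are assumed already cached).

```python
"""Toy model of QNAME minimisation (RFC 9156) against a DNSBL zone.

Added example for this thread; not code from BIND or rbldnsd.  Zone data,
the listed test address, TTLs and the query log are constructed here.
"""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = 0, 3          # RCODE values, RFC 1035 section 4.1.1


@dataclass
class DnsblZone:
    """Authoritative side: a reversed-octet IPv4 blocklist such as zen.spamhaus.org."""
    origin: str                         # zone apex, e.g. "zen.spamhaus.org"
    listed: set[str]                    # reversed octets with an A record, e.g. "2.0.0.127"
    nxdomain_for_partial: bool = True   # True = the rbldnsd behaviour discussed in the thread
    neg_ttl: int = 10                   # negative TTL; the thread mentions 10 seconds
    log: list[tuple[str, str]] = field(default_factory=list)   # every query received

    def answer(self, qname: str, qtype: str) -> tuple[int, list[str], int]:
        """Return (rcode, rdata, ttl) for one query under the zone apex."""
        self.log.append((qname, qtype))
        rel = qname[: -len(self.origin) - 1]        # strip ".<origin>"
        octets = rel.split(".")
        if len(octets) == 4:                        # a complete reversed IPv4 address
            if rel in self.listed:
                return NOERROR, (["127.0.0.2"] if qtype == "A" else []), 60
            return NXDOMAIN, [], self.neg_ttl       # not listed: NXDOMAIN is the DNSBL convention
        # 1..3 octets: an intermediate name that only QNAME minimisation ever asks for
        if self.nxdomain_for_partial:
            return NXDOMAIN, [], self.neg_ttl       # the reply the thread calls broken
        return NOERROR, [], self.neg_ttl            # NODATA: the name exists, no A record


@dataclass
class Resolver:
    """Recursive side, already below the zone cut; only queries to this zone are counted."""
    zone: DnsblZone
    mode: str = "relaxed"            # "strict", "relaxed" or "disabled", like BIND's option
    cache: dict = field(default_factory=dict)   # (qname, qtype) -> (rcode, rdata, expires)
    fallbacks: int = 0               # times relaxed mode gave up and sent the full name

    def _lookup(self, qname: str, qtype: str, now: int) -> tuple[int, list[str]]:
        hit = self.cache.get((qname, qtype))
        if hit and hit[2] > now:                    # cached answer, positive or negative
            return hit[0], hit[1]
        rcode, rdata, ttl = self.zone.answer(qname, qtype)
        self.cache[(qname, qtype)] = (rcode, rdata, now + ttl)
        return rcode, rdata

    def resolve(self, qname: str, qtype: str = "A", now: int = 0) -> tuple[int, list[str], int]:
        """Return (rcode, rdata, number of queries actually sent to the zone)."""
        sent_before = len(self.zone.log)
        if self.mode != "disabled":
            z = self.zone.origin
            octets = qname[: -len(z) - 1].split(".")
            # intermediate names, shortest first: 127.z, 0.127.z, 0.0.127.z
            for n in range(1, len(octets)):
                name = ".".join(octets[-n:]) + "." + z
                rcode, _ = self._lookup(name, "A", now)   # RFC 9156 suggests an A query here
                if rcode == NXDOMAIN:
                    if self.mode == "strict":
                        # strict mode trusts the NXDOMAIN: a listed address looks clean
                        return NXDOMAIN, [], len(self.zone.log) - sent_before
                    # relaxed mode: this is where named logs "after disabling qname minimization"
                    self.fallbacks += 1
                    break
        rcode, rdata = self._lookup(qname, qtype, now)
        return rcode, rdata, len(self.zone.log) - sent_before


def compare(nxdomain_for_partial: bool) -> dict[str, tuple[int, list[str], int]]:
    """Resolve the listed test address in each mode against a fresh zone and resolver."""
    out = {}
    for mode in ("strict", "relaxed", "disabled"):
        zone = DnsblZone("zen.spamhaus.org", {"2.0.0.127"}, nxdomain_for_partial)
        out[mode] = Resolver(zone, mode).resolve("2.0.0.127.zen.spamhaus.org")
    return out


if __name__ == "__main__":
    for broken in (True, False):
        print("intermediate names answer", "NXDOMAIN" if broken else "NOERROR/NODATA")
        for mode, (rcode, rdata, n) in compare(broken).items():
            print(f"  {mode:8s} rcode={rcode} rdata={rdata} queries={n}")
```

Against the NXDOMAIN-for-partial zone, strict mode returns NXDOMAIN for a listed address after one query, which is why the resolver cannot move to strict mode; relaxed mode gets the right answer at the cost of a second query and a fallback (the log line). With NODATA for the intermediate names, both strict and relaxed send four queries on a cold cache, and a second lookup in the same /8 within the negative TTL sends only the full name, which is the effect of the negative TTL on query rate that the thread discusses. In named.conf the knob is `qname-minimization strict|relaxed|disabled|off;` in the `options` or a `view` block; it is not settable per domain.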
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users