Quoting "David F. Skoll" <d...@roaringpenguin.com>:

On Mon, 9 Jun 2014 11:51:21 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:

> So there is merit in building a distributed look-up system using SA.

Distributed lookup of *what*, though? Can you clarify that part of
your idea? Are you referring to distributed whois queries for a
domain name, to determine its age?

Well, here's how it could be done.  Imagine someone runs a DNS zone
for "newdomain.example.net".  You want to see if "example.org" is a new
domain, so you look up a TXT record for example.org.newdomain.example.net.

The DNS software that serves the zone newdomain.example.net runs
the following pseudo-code when "example.org" is looked up:

IF example.org is in my database
THEN
   return the TXT record associated with example.org
   update the last-looked-up time for example.org
ELSE
   generate a TXT record of the form YYYYMMDDHHMMSS corresponding to current time (UTC)
   insert it in the database
   return it
ENDIF

A background job will periodically clean out domains that haven't been
queried in a long time.

The clever part is that once lots of sites begin using this in their
SA setups, we'll very quickly build up quite an accurate database of
newly-seen domains that's completely independent of any registrar for
a data source.

Yes, spammers can poison it by specifically looking up a domain,
waiting a couple of days, and then spamming.  But I think most won't bother
(witness how effective greylisting still is.)

Furthermore, you can ignore all but the first few hundred lookups before you
enter the TXT record in the database; this will make it more expensive
for spammers to poison the data.  Or you could not enter a record in the
database until it has been looked up from 100 different IP addresses... I
can think of a few other countermeasures.

So.... who's volunteering to do this? :)

Regards,

David.

The point was, I have already done this, and have it in production. I did this cause this subject keeps coming up from time to time, and I was personally interested to see the results of it.

And I do agree with Rob McEwen on many points. And I would be hesitant to outright block. But so far, and I doubt much in real usage, and haven't found any yet, any issues with blocking <1 day outright.

But then the only way to be completely sure of that, will be time.
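The first-seen zone that David sketches above, as an added example that is not code from the thread or from anyone's production setup: a small Python model of both sides of the scheme. The `FirstSeenZone` class plays the authoritative server for the (hypothetical) zone newdomain.example.net and implements the pseudo-code plus one of the countermeasures mentioned, refusing to commit a domain until it has been queried from `min_distinct_ips` different client addresses; `txt_age` and `seen_less_than` are what the SpamAssassin side would do with the returned TXT string. Names, thresholds and the sample timestamps are all constructed for the example; the real zone would sit behind a DNS server, not a Python dictionary.

```python
import datetime
from collections import defaultdict

# Format of the TXT record described in the thread: YYYYMMDDHHMMSS in UTC.
TXT_FMT = "%Y%m%d%H%M%S"


class FirstSeenZone:
    """Model of the authoritative side of <domain>.newdomain.example.net (hypothetical zone).

    A domain is committed to the database only once it has been looked up from
    at least `min_distinct_ips` distinct client addresses; until then the lookup
    returns None (i.e. NXDOMAIN). This is the "100 different IP addresses"
    countermeasure from the thread, with the threshold made configurable.
    The first-seen time recorded is that of the *first* query, not the commit,
    so the poisoning cost rises without skewing the age estimate.
    """

    def __init__(self, min_distinct_ips=3, expire_after=datetime.timedelta(days=90)):
        self.min_distinct_ips = min_distinct_ips
        self.expire_after = expire_after
        self.db = {}                       # domain -> {"first_seen": dt, "last_lookup": dt}
        self.pending = {}                  # domain -> first query time (not yet committed)
        self.pending_ips = defaultdict(set)  # domain -> client IPs that asked so far

    def lookup(self, domain, client_ip, now):
        """Answer one TXT query; returns the YYYYMMDDHHMMSS string or None."""
        domain = domain.lower().rstrip(".")
        rec = self.db.get(domain)
        if rec is not None:
            rec["last_lookup"] = now          # keep it alive for the expiry job
            return rec["first_seen"].strftime(TXT_FMT)
        # Not in the database yet: count this client toward the commit threshold.
        self.pending.setdefault(domain, now)
        self.pending_ips[domain].add(client_ip)
        if len(self.pending_ips[domain]) < self.min_distinct_ips:
            return None
        first_seen = self.pending.pop(domain)
        del self.pending_ips[domain]
        self.db[domain] = {"first_seen": first_seen, "last_lookup": now}
        return first_seen.strftime(TXT_FMT)

    def expire(self, now):
        """The background job: drop domains nobody has asked about recently."""
        stale = [d for d, r in self.db.items() if now - r["last_lookup"] > self.expire_after]
        for d in stale:
            del self.db[d]
        return len(stale)


def txt_age(txt, now):
    """Client side: turn the TXT record back into an age (timedelta)."""
    first_seen = datetime.datetime.strptime(txt, TXT_FMT)
    return now - first_seen


def seen_less_than(txt, now, max_age=datetime.timedelta(days=1)):
    """True if the domain was first seen less than `max_age` ago (the '<1 day' test)."""
    return txt_age(txt, now) < max_age


if __name__ == "__main__":
    # Constructed walk-through: two different resolvers ask about example.org.
    zone = FirstSeenZone(min_distinct_ips=2)
    t0 = datetime.datetime(2014, 6, 9, 12, 0, 0)
    print(zone.lookup("example.org", "192.0.2.1", t0))                          # None
    print(zone.lookup("example.org", "192.0.2.2", t0 + datetime.timedelta(hours=1)))  # 20140609120000
```

Running the block shows the first query answered with NXDOMAIN and the second, from a different address, committing the record with the original first-seen time; a mail filter would then call `seen_less_than` on the returned string to decide whether the sender domain is younger than its cutoff.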