spamassassin-dev December 2011 archive

[Bug 6728] DNSBLs need a way to turn off queries based on BLOCKED rules triggering

From: <bugzilla-daemon_at_nospam>
Date: Thu Dec 22 2011 - 10:32:43 GMT

--- Comment #13 from Matthias Leisi <> 2011-12-22 10:32:43 UTC ---
I did some additional tests on how best to block abusive query sources. "Best"
is defined as three goals:

1) Reduce the overall traffic on parent ( and data (
2) Avoid or minimize collateral damage on root and gTLD servers
3) Make it easy for operators of abusive query sources to find out what is

We have built the mechanism to redirect defined IPs to a special view of the zone as part of bug 6724 (using BIND views). I wanted to do actual
tests to base at least the decision on the first goal on hard facts. We tested
three combinations:

A. Explicit nameserver in "nowhere land"
| 21600 IN NS
| 21600 IN A

B. Explicit nameserver for data zone in .invalid
| 21600 IN NS _

C. No zone apex
(no NS records for

In all cases, we returned for * in this view. Also
in all cases, we return for the nameservers of the original data
zone (a through, which affected clients should not actually
ever have seen. Also, if an affected client would ask a through
they would always receive as an answer.

A. and B. showed no measurable difference in traffic levels on the parent and
the data zone.

With C., the traffic on the parent zone nameservers grew by about 30%; traffic
on the data zone shrank by only about half the amount that was added on the
parent zone.

This rules out C. as a viable option and makes the choice depend only on goals
2 and 3 above: minimize collateral damage (on root servers) and maximize
identifiability for operators.

It can be expected that some resolvers will ask the roots for invalid., and it
can also be expected that not all resolvers will do proper negative caching for

This leaves A. as the most efficient option with the least collateral damage
(except for the timeouts on the affected DNS resolver / forwarder when trying
to reach

It should be remembered that this only applies to query sources who generate
excessive amounts of traffic over some period of time, and who do not react to
reasonable attempts at communication.

The first line of defense would be to return (or other BLOCKED
triggering value, to be defined) from the regular data zone nameservers, as
discussed in this bug.

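As an added illustration of option A as described in the comment above (this is not the author's or the list operator's actual configuration; the zone name, the client prefix, the "nowhere land" address and the BLOCKED return value are placeholders, since the thread does not give them), a minimal BIND setup with a separate view for abusive query sources:

```conf
// --- named.conf fragment (added example; all names and addresses are placeholders) ---
acl "abusive-sources" {
    192.0.2.0/24;          // placeholder: sources that exceeded the traffic threshold
};

// Views are matched in order, so the blocked view must come before the public one.
// Clients in the ACL see a copy of the data zone whose apex NS points into
// "nowhere land" (option A): no real nameserver is ever reached, so the only
// cost is the timeout on the affected resolver or forwarder.
view "blocked" {
    match-clients { "abusive-sources"; };
    recursion no;
    zone "list.example" {
        type master;
        file "/etc/bind/blocked/list.example.zone";
    };
};

// Everyone else continues to get the regular data zone.
view "public" {
    match-clients { any; };
    recursion no;
    zone "list.example" {
        type master;
        file "/etc/bind/public/list.example.zone";
    };
};

// --- /etc/bind/blocked/list.example.zone (the view served to abusive sources) ---
// $TTL 21600
// @            IN SOA  ns.nowhere.list.example. hostmaster.list.example. (
//                      2011122201 3600 900 604800 21600 )
// @            IN NS   ns.nowhere.list.example.
// ; in-zone glue for the "nowhere land" nameserver: an address that never answers
// ns.nowhere   IN A    192.0.2.254     ; placeholder, unroutable in practice
// ; every lookup in this view gets the BLOCKED-triggering value (to be defined)
// *            IN A    127.0.0.255     ; placeholder BLOCKED return value
```

Clients not listed in the ACL are unaffected; only the sources an operator has explicitly placed in "abusive-sources" are redirected, which matches the thread's point that this is a last resort after communication attempts have failed.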