Criminals, The Network, and You [Was: Something Else]

> My mail servers return 5xx on NXDOMAIN. If my little shop can spend not
> too much money for three-9s reliability in the DNS servers, other shops
> can as well. When I first deployed the system, the overwhelming
> majority of the rejects were from otherwise known spam locations
> (looking at Spamhaus, Spamcop, and a couple of other well-known DNSBLs).
> The number of false positives was so small that whitelisting was easy
> and simple to maintain.
>
> If a shop is not multihomed, they can contract with one or more DNS
> hosts to provide high-availability DNS, particularly for their
> in-addr.arpa zones.
>
> It's not hard. Nor expensive.

Well, if by "3 9's" you mean "99.9%", and that's acceptable to you, then
fine.

Otherwise, your self-measured uptime of your DNS servers is not that
relevant, as the real question is what is the availability of your DNS
servers as measured from whoever might be doing a lookup on your domain
(or, more specifically, from whatever random mail server happens to be
doing a domain lookup of your domain).

I would be skeptical that it is easy for any organization to build a
nameserver system that can actually reach 99.999% availability from
random points on the Internet. Contracting to an outsourcer is no
guarantee, as we've seen large-scale DDoS attacks against some of
these. Outsourcers are actually riskier, since a DDoS against the
nameservers of any of their customers is essentially a DDoS against your
nameservers. Some combination of outsourced plus diverse self-managed
servers probably lands you there, but it is neither easy nor without
expense to make arrangements like this.

Given the level of clue required to get truly rock solid DNS, it may
be better to 4XX NXDOMAIN. Most spambots don't seem to retry on a 4XX
anyway, so to a spambot, the 4XX *is* a 5XX, but to a real mail client,
the 4XX is a 4XX, and that seems like it would be a more resilient
choice.

... JG
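As an added illustration of the 4XX-versus-5XX point in the reply above (example code written for this page, not code from the original thread or from any mail server software), the following Python models a receiving MTA's reply to a MAIL FROM domain whose DNS lookup fails, and a sender that either retries like a real MTA or gives up after one attempt like a typical spambot. The per-attempt DNS observations, the retry counts and the function names are constructed assumptions; the SMTP reply classes (250 success, 4yz transient, 5yz permanent) are the standard RFC 5321 ones.

```python
# Added example (not from the original posts): a toy model of the SMTP reply
# choice for a MAIL FROM domain whose DNS lookup fails. DNS observations,
# retry counts and names below are constructed assumptions.

from typing import List, Sequence, Tuple

SMTP_OK = 250
SMTP_TEMPFAIL = 450   # "try again later": a real MTA queues and retries
SMTP_PERMFAIL = 550   # permanent rejection: a real MTA bounces the message


def reply_for_sender_domain(rcode: str, nxdomain_policy: str) -> int:
    """Map the DNS outcome for the MAIL FROM domain to an SMTP reply code.

    rcode is what the receiver's resolver returned for the domain's MX/A
    lookup: "NOERROR" (records exist), "NXDOMAIN" (name does not exist), or
    a transient failure such as "SERVFAIL" or "TIMEOUT".
    nxdomain_policy is "5xx" (reject permanently) or "4xx" (tempfail).
    """
    if rcode == "NOERROR":
        return SMTP_OK
    if rcode == "NXDOMAIN":
        if nxdomain_policy == "5xx":
            return SMTP_PERMFAIL
        if nxdomain_policy == "4xx":
            return SMTP_TEMPFAIL
        raise ValueError("nxdomain_policy must be '4xx' or '5xx'")
    # SERVFAIL, timeouts and the like are transient by definition: never 5xx.
    return SMTP_TEMPFAIL


def deliver(observations: Sequence[str], nxdomain_policy: str,
            max_attempts: int) -> Tuple[str, List[int]]:
    """Simulate one sending MTA trying to deliver one message.

    observations[i] is what the receiver's resolver saw for the sender's
    domain on delivery attempt i. A well-behaved MTA retries on 4xx up to
    max_attempts and stops on 250 or 5xx; a typical spambot is
    max_attempts=1. Returns (outcome, replies received), where outcome is
    "delivered", "bounced" (got a 5xx) or "gave_up" (ran out of attempts).
    """
    replies: List[int] = []
    for rcode in observations:
        reply = reply_for_sender_domain(rcode, nxdomain_policy)
        replies.append(reply)
        if reply == SMTP_OK:
            return "delivered", replies
        if reply == SMTP_PERMFAIL:
            return "bounced", replies
        if len(replies) >= max_attempts:
            break
    return "gave_up", replies


# Constructed scenario: the receiver's resolver wrongly sees NXDOMAIN for a
# legitimate domain on the first two attempts (e.g. a lame delegation or a
# DDoSed authoritative server during the lookup) and the right answer later.
FLAKY_LOOKUPS = ["NXDOMAIN", "NXDOMAIN", "NOERROR"]
LEGIT_MTA_ATTEMPTS = 5   # a real MTA keeps retrying for hours or days
SPAMBOT_ATTEMPTS = 1     # most spambots fire once and never come back


def compare_policies() -> dict:
    """Outcome of each (sender type, policy) pair for the constructed scenario."""
    results = {}
    for policy in ("5xx", "4xx"):
        results[("legit", policy)] = deliver(FLAKY_LOOKUPS, policy,
                                             LEGIT_MTA_ATTEMPTS)[0]
        results[("spambot", policy)] = deliver(FLAKY_LOOKUPS, policy,
                                               SPAMBOT_ATTEMPTS)[0]
    return results


if __name__ == "__main__":
    for (sender, policy), outcome in sorted(compare_policies().items()):
        print(f"{sender:8s} under {policy} policy: {outcome}")
```

The run shows the asymmetry the reply relies on: a spambot that never retries is shut out under either policy, while the legitimate sender is bounced outright under 5xx and delivered on the third attempt under 4xx. For comparison, Postfix's reject_unknown_sender_domain answers with unknown_address_reject_code, whose default is 450, which is exactly the tempfail behaviour argued for above.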