A number of ISPs use njabl.org as a DNS BL server. However, starting
Jan 2 a new domain exists "njalb.org" which is serving A records for
anything queried against its DNS server. (note the difference: njaBL
vs njaLB). Previous to this date a misconfigured ISP was just not
being protected by the BL. Now, it's potentially dropping all mail
from anyone because of the typo.
> Previous to this date a misconfigured ISP was just not being
> protected by the BL. Now, it's potentially dropping all mail from
> anyone because of the typo.
If only. I am constantly amazed at the bozos who misconfigure their
DNSBL lookups and don't notice. Many people are just sure that abuse.net is a blacklist, and no matter what I do (try looking up 2.0.0.127.abuse.net) they keep hammering on it. I also see lookups to
names with http// in them and just about any other idiotic mistake you
can imagine, again no set of responses seems to get their attention.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
This is a common problem affecting Spamhaus and others as well; domain squatters register every variation of our domains and place wildcard DNS on them. We get quite a few complaints from users that we're blocking them and when investigated we find some postmaster has fat-fingered an entry in his spam filter and instead of "spamhaus.org" has entered a domain squatter's variation, such as one of these:
> > Previous to this date a misconfigured ISP was just not being
> > protected by the BL. Now, it's potentially dropping all mail from
> > anyone because of the typo.
> If only. I am constantly amazed at the bozos who misconfigure their
> DNSBL lookups and don't notice.
Part of the problem is that the protocol is designed to overlay an
existing protocol without providing a valid positive response. In
this case, lame ISP configures a typo and goes for ages without
noticing that it didn't help them at all because every query was
getting a NXDOMAIN back and they didn't check the traffic. Had this
been a real protocol you would have gotten back a 404 like message
instead! Shoe-horning DNS (or any protocol) into a solution works
well only if you don't make mistakes. And we know that never happens.
In the end, you don't get error messages when you misconfigure a
DNSBL. That's an architectural issue with how DNSBLs work in the
first place.
> If only. I am constantly amazed at the bozos who misconfigure their
> DNSBL lookups and don't notice.
> Part of the problem is that the protocol is designed to overlay an
> existing protocol without providing a valid positive response. In
> this case, lame ISP configures a typo and goes for ages without
> noticing that it didn't help them at all because every query was
> getting a NXDOMAIN back
Uh, not quite. Try looking up 2.0.0.127.abuse.net, and then explain to me why people keep hammering on it.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
If you screw up your mail configuration, you'll lose email.
I'm more concerned about the deluge of DNS queries caused
by people who randomly punch strings into their mailfilters
and cause quite a lot of traffic to third party DNS servers.
When I see people doing that to my DNS servers, I add
a wildcard record in the hope that they'll notice. The worst case is
when they're hitting the (non-existent) blacklist just to get
a value to feed into something like spamassassin that will
proceed to deliver the mail anyway.
There are de-facto standards that will prevent all this
happening, but the writers of spam filters are (as far
as I know, without exception) too stupid or too lazy
to take advantage of this.
I think this is a PEBKAC** situation, not an architectural issue.
--Steve
** P)roblem E)xists B)etween K)eyboard A)nd C)hair, in this case the KAC
of the person who isn't checking that he's configured the right hostname
for the DNSBL.
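An added example, not part of the thread: a sanity check a mail filter could run against each configured DNSBL zone to catch both failure modes discussed above (a typo'd zone that answers nothing, and a wildcarded zone that answers everything). The thread does not say which conventions are meant; this sketch assumes the test entries documented in RFC 5782, where an IPv4 DNSBL lists 127.0.0.2 and never lists 127.0.0.1. The zone names and the fake resolver are constructed for illustration.

```python
import socket

def query_name(ipv4, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone.strip(".")

def system_lookup(name):
    """Return the A record for name, or None if it does not resolve.
    The trailing dot stops the resolver from appending search domains."""
    try:
        return socket.gethostbyname(name + ".")
    except OSError:
        return None  # NXDOMAIN, SERVFAIL and timeouts all land here

def check_zone(zone, lookup=system_lookup):
    """Classify a configured DNSBL zone from its two test entries."""
    listed = lookup(query_name("127.0.0.2", zone))    # must be listed
    unlisted = lookup(query_name("127.0.0.1", zone))  # must not be listed
    if unlisted is not None:
        return "wildcard"  # answers for anything: would reject all mail
    if listed is None:
        return "dead"      # no test entry: typo or not a DNSBL, filters nothing
    if not listed.startswith("127."):
        return "unexpected-answer"
    return "ok"

# Constructed resolver data standing in for real DNS (all names hypothetical).
FAKE_DNS = {"2.0.0.127.bl.example": "127.0.0.2"}

def fake_lookup(name):
    if name.endswith(".typo.example"):
        return "192.0.2.10"  # squatter-style wildcard A record
    return FAKE_DNS.get(name)

def demo():
    zones = ["bl.example", "typo.example", "gone.example"]
    return {z: check_zone(z, fake_lookup) for z in zones}

if __name__ == "__main__":
    for zone, status in demo().items():
        print(f"{zone}: {status}")
```

Run at filter start-up and on a schedule, a result other than "ok" is a reason to stop querying that zone and alert the operator rather than score or reject mail on its answers.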