Debugging DNSBL connectivity
I have had a number of enquiries from readers to do with the apparent policy of some (so far as I can tell, exclusively American) ISPs to "null" DNS look-ups on popular DNSBLs. The questions are twofold. Is it true, and how can I work around it?

1) Yes. It is true. Some American ISPs do indeed effectively disable look-ups on popular DNSBL zones. This is apparently done to take load off their name servers, which seems a little odd to me for a couple of reasons. First, DNS look-ups are not in themselves great users of resources (network or CPU). Second, if the name servers really are struggling under the load, this is probably a sign that the server hardware needs an upgrade. In other words, get a faster CPU and more memory. DNS queries are automatically cached, and most reputable DNSBL operators set a reasonable TTL (time to live) on their responses, so it is difficult to believe that all the additional name look-up overhead is really that troublesome. Further, this denial of service is somewhat one-sided, so users blighted by it would do well to consult their contracts to see whether their ISP is indeed entitled to disrupt their Internet connectivity in this way.

2) Workarounds do exist but none are easy. You cannot, for example, substitute an IP address for a DNSBL name and expect that to work. A DNSBL is a DNS zone, not a host with an IP address. While some DNSBLs may coincidentally have an A record for a host with the same name as the zone, this is not a substitute for the zone itself. It is more usually a web site telling people about the zone (e.g. bl.spamcop.net). And of course most DNSBLs do not have an A record for a host with the same name as the zone (point your browser at list.dsbl.org and see what you get).
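Because a DNSBL is a zone, the way to find out whether your resolver is nulling it is to look up a record inside the zone. The sketch below is an added example, not part of the original post: it builds the reversed-octet query name and checks the two test entries that RFC 5782 defines for IPv4 DNSBLs (127.0.0.2 is always listed, 127.0.0.1 never is). The function names and result labels are my own, and `dnsbl.example` in the comment is a placeholder zone.

```python
import ipaddress
import socket
import sys

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Name a mail server looks up for `ip`: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolve(name):
    """A records from the locally configured resolver, [] if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # covers socket.gaierror / socket.herror (NXDOMAIN etc.)
        return []

def check_zone(zone, resolve=system_resolve):
    """Classify what the resolver in use does with look-ups in `zone`.

    `resolve` is injectable so the logic can be exercised offline.
    """
    listed = resolve(dnsbl_query_name("127.0.0.2", zone))    # must be listed
    unlisted = resolve(dnsbl_query_name("127.0.0.1", zone))  # must not be
    if listed and not all(ipaddress.IPv4Address(a) in LOOPBACK for a in listed):
        return "rewritten"  # DNSBL answers live in 127/8; something substituted
    if unlisted:
        return "wildcard"   # every address would appear listed
    if not listed:
        return "no-data"    # test entry missing: nulled, blocked or dead zone
    return "ok"

if __name__ == "__main__":
    # Usage: python check_dnsbl.py dnsbl.example [more zones...]
    for zone in sys.argv[1:]:
        print(zone, check_zone(zone))
```

A result of `no-data` from your ISP's name servers, against `ok` for the same zone through a different resolver, points at the ISP rather than at the DNSBL.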

Workaround one is simply this. Pick up the 'phone and protest strongly to your ISP about the impairment of your service. Some ISPs do apparently operate alternate name servers that customers wishing to resolve DNSBL queries are allowed to use. If you don't ask, you'll never know.

Workaround two is to set up your own name server locally and request zone transfers from the DNSBLs of your choice, effectively mirroring them locally. Not all DNSBLs will permit zone transfers but many will, particularly for larger sites handling high volumes of traffic.

Workaround three is simply to vote with your feet. If your ISP will not give the service you need and zone transfers aren't going to work for you, then move to an ISP that cares.

Told you it wasn't easy.


See also:
Setting up and testing DNSBLs in Domino 6.x


Category: Domino: Administration