DNSBL Configuration - How not to get trapped in query timeouts

This section contains user-submitted tutorials.
Post Reply
estradis
Normal user
Normal user
Posts: 156
Joined: 2014-09-09 10:47

DNSBL Configuration - How not to get trapped in query timeouts

Post by estradis » 2019-06-18 15:36

We have been using our own DNS-Servers very successfully for a long time to learn IP reputation. In the meantime, the list of entries has grown very large and DNS has become more and more conspicuous by its sometimes extremely high resource load.

Our DNSBL is configured as a wildcard zone. Unregistered entries should be returned as IP address 0.0.0.0 in order to deliver fast results and avoid query timeouts. For this purpose the zone ip.dnsbl is globally configured as follows:

Code: Select all

@ A 0.0.0.0
* CNAME ip.dnsbl.
*.* CNAME ip.dnsbl.
*.*.* CNAME ip.dnsbl.
*.*.*.* CNAME ip.dnsbl.
Every requested address should now be returned as 0.0.0.0 (= not registered), but still query timeouts occur. How can this be?

The problem should become clear with the example of the IP address 1.2.3.4. For this example the address is assumed to be a dynamic client. The DNS server should return the address 127.0.0.4 for dynamic clients.

The IP address is turned over in a first step and then registered as DNS-A entry:

Code: Select all

4.3.2.1 A 127.0.0.4
The query with nslookup 4.3.2.1.ip.dnsbl now returns 127.0.0.4. All others should still be 0.0.0.0 - or not?

In fact, the query => answer scheme is as follows

Code: Select all

0.0.0.0 - 0.255.255.255 => 0.0.0.0
1.0.0.0 - 1.2.3.3 => NXDOMAIN
1.2.3.4 => 127.0.0.4
1.2.3.5 - 1.255.255.255 => NXDOMAIN
2.0.0.0 - 255.255.255.255 => 0.0.0.0
The reason for this behavior is that with the subdomain "1" the global wildcard rules have been overridden. They must be newly created for the subdomain, including its subdomains. For the above example, the DNS entries must therefore be supplemented as follows:

Code: Select all

1 CNAME ip.dnsbl.
*.1 CNAME ip.dnsbl.
*.*.1 CNAME ip.dnsbl.
*.*.*.1 CNAME ip.dnsbl.
*.2.1 CNAME ip.dnsbl.
*.3.2.1 CNAME ip.dnsbl.
The entries that could not be resolved before are now also resolved with 0.0.0.0.

I hope this helps others not to to get trapped as we were.

Post Reply