In <20030307094119(_dot_)GA2821(_at_)danisch(_dot_)de> Hadmut Danisch
<hadmut(_at_)danisch(_dot_)de> writes:
> Imagine an attacker wants to block e-mail traffic from
> A.com to B.com. All he needs to do is to send a fake message
> with sender address A.com to B.com to cause B.com's DNS to
> ask for A.com's RMX entry, and to send a fake answer with a
> random address in the RMX entry and a long TTL. From now on,
> B.com will reject messages from A.com.
It should be pointed out that DNSBLs, including domain specific
DNSBLs, use the *absence* of an A record as an indication that the IP
address is ok. Negative DNS responses are generally not cached
anywhere near as long as positive results. I do not know if this was a
design decision on the part of DNSBLs, or just a result of it being
easier to create that way.
However, the results of using domain specific DNSBLs instead of RMX
records are:
1) An attacker must *prevent* a DNS response instead of creating a
bogus DNS response.
2) The results of a successful attack generally won't last as long.
3) In the (hopefully) typical case of valid email, there is a higher
load on blacklists, including DSDNSBLs. This doesn't seem to be a
huge problem for DNSBLs, but it is worth pointing out.
Anyway, I still don't know why people would prefer RMX records over
domain specific DNSBLs. DSDNSBLs, after all, can be trivially
implemented today, while RMX records require BIND changes.
-wayne
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
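The caching difference behind points 1 and 2, as an added example that is not part of the post or of any RMX or DNSBL implementation: a constructed resolver-cache model in which a forged long-TTL RMX answer keeps A.com's real host rejected until the TTL runs out, while a DNSBL "not listed" (NXDOMAIN) result is cached only for a short assumed negative TTL and is re-queried afterwards. The record contents, IPs, TTLs and the `dsbl.example` zone are made up for the simulation.

```python
# Constructed cache model; not real DNS.  MISS = no live cache entry,
# NXDOMAIN = a negative answer (no A record under the queried name).
MISS = object()
NXDOMAIN = None
NEGATIVE_TTL = 300       # assumed short lifetime for cached negative answers

class Cache:
    """Stub resolver cache: name -> (expiry, answer); time is a counter."""
    def __init__(self):
        self.now, self.entries = 0, {}
    def get(self, name):
        exp, ans = self.entries.get(name, (0, MISS))
        return ans if exp > self.now else MISS
    def put(self, name, answer, ttl):
        self.entries[name] = (self.now + ttl, answer)

def dnsbl_name(ip, zone):
    """Standard DNSBL query form: IPv4 octets reversed under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def resolve(cache, name, upstream):
    """Answer for name; upstream(name) -> (answer, ttl) is asked only on a
    cache miss.  Negative answers are kept for NEGATIVE_TTL, not the TTL."""
    ans = cache.get(name)
    if ans is MISS:
        ans, ttl = upstream(name)
        cache.put(name, ans, NEGATIVE_TTL if ans is NXDOMAIN else ttl)
    return ans

def rmx_accepts(cache, sender_domain, client_ip, upstream):
    """RMX-style: accept only if the sender domain's record lists client_ip."""
    ans = resolve(cache, sender_domain, upstream)
    return ans is not NXDOMAIN and client_ip in ans

def dnsbl_accepts(cache, client_ip, zone, upstream):
    """DNSBL-style: the *absence* of an A record means the IP is ok."""
    return resolve(cache, dnsbl_name(client_ip, zone), upstream) is NXDOMAIN

def scenario():
    """Hadmut's forged-RMX attack next to a DNSBL negative lookup."""
    rmx = Cache()
    forged = lambda name: (["203.0.113.99"], 86400)   # bogus answer, long TTL
    honest = lambda name: (["192.0.2.25"], 3600)       # A.com's real mail host
    first = rmx_accepts(rmx, "A.com", "192.0.2.25", forged)   # poisons cache
    later = rmx_accepts(rmx, "A.com", "192.0.2.25", honest)   # still poisoned
    rmx.now = 86400                                            # TTL expired
    recovered = rmx_accepts(rmx, "A.com", "192.0.2.25", honest)
    bl, calls = Cache(), []
    def listing(name):            # DNSBL upstream: IP is not listed
        calls.append(name)
        return (NXDOMAIN, 86400)
    ok = dnsbl_accepts(bl, "192.0.2.25", "dsbl.example", listing)
    dnsbl_accepts(bl, "192.0.2.25", "dsbl.example", listing)  # served from cache
    bl.now = NEGATIVE_TTL                                      # negative entry gone
    dnsbl_accepts(bl, "192.0.2.25", "dsbl.example", listing)  # asked again
    return {"rmx_first": first, "rmx_later": later, "rmx_recovered": recovered,
            "dnsbl_ok": ok, "dnsbl_upstream_queries": len(calls)}
```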