
Re: relays.ordb.org blacklisting all IPs (fwd)


Grant Taylor

Mar 25, 2008, 6:17:06 PM
On 03/25/08 16:53, Res wrote:
> Why can't these deadshits just drop the DNS entries rather than piss
> off the rest of the world?

How else are said "deadshits" supposed to encourage people to remove
their stale DNS RBL configs?

It is perfectly logical that the "deadshits" would want to do something
so that they do not continue to be bombarded with DNS queries from
different deadshits that have not removed ORDB from their RBL config.

Grant. . . .

Greg Russell

Mar 25, 2008, 6:32:08 PM
On Wed, 26 Mar 2008 07:53:52 +1000, Res wrote:

> Just a heads up in case you don't already know...
...

Looks like you got suckered into the hoax email.


Grant Taylor

Mar 25, 2008, 9:11:41 PM
On 3/25/2008 5:33 PM, Res wrote:
> I already stated what they could do in my original post which of course
> you selectively did not quote, it is afterall what 99% of all other
> defunct RBLs have done over the years.

On 3/25/2008 4:53 PM, Res wrote:
>> why can't these deadshits just drop the DNS entries

Ok, let's make sure that we understand each other. You are wanting the
deadshits to drop the DNS query traffic for their now defunct RBL, correct?

(Presuming yes.)

A simple TCPDump (tcpdump -xXnNi eth0 -s 0 host 87.51.32.6) while
querying (nslookup 127.0.0.2.relays.ordb.org 87.51.32.6) will shed some
light on the subject.

# tcpdump -xXnNi eth0 -s 0 host 87.51.32.6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:01:18.959078 IP aaa.bbb.ccc.ddd.45560 > 87.51.32.6.53: 11470+ A?
127.0.0.2.relays.ordb.org. (43)
0x0000: 0030 7be8 cc1c 00e0 4c3a 9dee 0800 4500 .0{.....L:....E.
0x0010: 0047 0000 4000 4011 8290 ce98 7244 5733 .G..@.@.....rDW3
0x0020: 2006 b1f8 0035 0033 b85a 2cce 0100 0001 .....5.3.Z,.....
0x0030: 0000 0000 0000 0331 3237 0130 0130 0132 .......127.0.0.2
0x0040: 0672 656c 6179 7304 6f72 6462 036f 7267 .relays.ordb.org
0x0050: 0000 0100 01 .....
20:01:19.090749 IP 87.51.32.6.53 > aaa.bbb.ccc.ddd.45560: 11470*- 1/2/2
A 127.0.0.2 (160)
0x0000: 00e0 4c3a 9dee 0030 7be8 cc1c 0800 4500 ..L:...0{.....E.
0x0010: 00bc 7275 0000 3211 5da6 5733 2006 ce98 ..ru..2.].W3....
0x0020: 7244 0035 b1f8 00a8 2cdb 2cce 8500 0001 rD.5....,.,.....
0x0030: 0001 0002 0002 0331 3237 0130 0130 0132 .......127.0.0.2
0x0040: 0672 656c 6179 7304 6f72 6462 036f 7267 .relays.ordb.org
0x0050: 0000 0100 01c0 0c00 0100 0100 24ea 0000 ............$...
0x0060: 047f 0000 02c0 1d00 0200 0100 24ea 0000 ............$...
0x0070: 1005 6b6f 616c 6105 6472 6f73 6f02 646b ..koala.droso.dk
0x0080: 00c0 1d00 0200 0100 24ea 0000 1106 6175 ........$.....au
0x0090: 7468 3032 026e 7304 7465 6c65 c053 c047 th02.ns.tele.S.G
0x00a0: 0001 0001 0000 5460 0004 5733 2006 c047 ......T`..W3...G
0x00b0: 001c 0001 0000 5460 0010 2001 06c8 0006 ......T`........
0x00c0: 000c 020d 56ff fe6f f935 ....V..o.5

So based on this I'm going to say that the DNS query is 85 bytes. I'm
also going to say that the DNS reply is 202 bytes. (I'm not taking
into account that we will be sending things in 64 byte segments on
Ethernet so these numbers will possibly even be low.)

D. Stussy

Mar 25, 2008, 9:31:28 PM
"Res" <r...@ausics.net> wrote in message
news:Pine.LNX.4.64.08...@ebfjryy.nhfvpf.arg...

> Just a heads up in case you don't already know...
>
> Yet another mob of clueless f'wits running an RBL
> why can't these deadshits just drop the DNS entries rather than piss off
...

Considering that the DNSBL closed in December 2006 and that someone is still
using them, exactly what else do you expect them to do? The only people
they're "pissing off" are those who after 15 months didn't have the sense to
remove the checks against that DNSBL. Seems to me as if you're among the
clueless ones.


Grant Taylor

Mar 25, 2008, 10:03:30 PM
(I prematurely fat fingered the send hot key.)

On 3/25/2008 8:11 PM, Taylor, Grant wrote:
> So based on this I'm going to say that the DNS query is 85 bytes.
> I'm also going to say that the DNS reply is 202 bytes. (I'm not
> taking into account that we will be sending things in 64 byte
> segments on Ethernet so these numbers will possibly even be low.)

According to ISO, there are 246 country codes.

For the sake of this discussion, let's say that each country code will
send one query per second. That means that there will be 167+ kbps of
inbound DNS (query) traffic until everyone decides to update their RBL
list. That translates to 1.8+ GB of traffic a day or 54.1+ GB of
traffic a month of inbound DNS queries per day for a service that is now
defunct. It is very likely that this traffic will very slowly taper off
over a very long time.

Let's consider the reply traffic. The reply traffic will be 397+ kbps
of outbound DNS (reply) traffic. This translates to 4.2+ GB of traffic
a day or 128.8+ GB of traffic a month of outbound DNS replies per day
for a service that is now defunct.

So if we combine the inbound queries and outbound replies, ORDB will
have 564+ kbps of DNS traffic. This translates to 6.1+ GB of traffic a
day or 183+ GB of traffic a month of DNS traffic for a service that is
now defunct.

So, would you rather drop 54.1 GB of traffic a month for the next however
many months (open ended until everyone removes relays.ordb.org from
their config) or would you rather have 183 GB of traffic for one month?
I will even go so far as to say that you will not even have a full 183
GB of traffic because you have done something to ensure that people will
react to what you did within a matter of days.

You play with the numbers and see what you would want to do long
term if you were facing this amount of traffic. Just imagine what it
would be like if the rate of queries was higher than one per country
code per second...

Grant. . . .

Bill Cole

Mar 26, 2008, 2:19:15 AM
In article <Pine.LNX.4.64.08...@ebfjryy.nhfvpf.arg>,
Res <r...@ausics.net> wrote:

> I already stated what they could do in my original post which of course
> you selectively did not quote, it is afterall what 99% of all other
> defunct RBLs have done over the years.

And both your recommendation and your claim about 99% of other defunct
"RBL's" (RBL is not a generic term used by anyone with half a clue)
demonstrate that you don't know what you're talking about. To not be
simply a liar, you'd have to identify at least 400 defunct DNSBL's...

There's a big problem with shutting down a high-volume DNS zone, in that
the queries keep coming. Imbeciles (like anyone still querying ORDB)
keep pounding away and if the zone wasn't planned out for termination
from the start, there's a good chance that there are no good options for
harmless shutdown.
http://www.ietf.org/internet-drafts/draft-irtf-asrg-bcp-blacklists-01.txt
discusses this, as did the prior version. The issues have been
discussed at length on the ASRG list and in other spam-focused fora and
people who have tried to do the right things (which DO NOT include
pushing the problem upstream to the gTLD roots) have not reported
promising results from doing so.

ORDB was very public about their shutdown. Anyone running a mail server
still using them now deserves a long closed-door meeting with The Boss
and HR and a big guy from Security with a large cardboard box. Letting a
mail server sit that way for 15 months doing pointless DNS queries on
every message is a demonstration of incompetence.

(and no, I do not have much sympathy for anyone who set up a mail
filtering system thinking it didn't need regular adjustment. Some
flavors of ignorance require concrete lessons to overcome. )

--
Now where did I hide that website...


Grant Taylor

Mar 26, 2008, 3:09:00 AM

Does anyone know if ORDB changed the IP address of the name servers for the "relays.ordb.org" query (sub)domain to Test-Net IPs like suggested prior to using "collateral damage" as they are now doing?

Further, does anyone know if ORDB changed what queries resolved to prior to changing the name servers to Test-Net IPs?

If ORDB did follow the BCP guidelines and then switched to collateral damage I personally don't fault them for trying to get people to clean up their config(s).

Grant. . . .

Grant Taylor

Mar 26, 2008, 10:31:04 AM
On 03/26/08 02:09, Grant Taylor wrote:
> If ORDB did follow the BCP guidelines and then switched to collateral
> damage I personally don't fault them for trying to get people to
> clean up their config(s).

One thing that ORDB has not done is to put a web page in place
(re)stating that the DNSBL is shut down and that they are changing their
practices, which I think they should have done. I can understand
shutting down the website for the past 6 - 9 months. However I (my
opinion) think they should have at least put something simple up
indicating their new policy change.

Grant. . . .

D. Stussy

Mar 27, 2008, 5:43:25 PM
"Grant Taylor" <gta...@riverviewtech.net> wrote in message
news:mailman.23.1206541695.1...@maillists.riverviewtech.net...

I found that their policy statement of "going out of business" in December
2006 was sufficient. 15 months was more than enough time.


aobe...@gmail.com

Mar 27, 2008, 10:57:43 PM
On Mar 27, 5:43 pm, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> "Grant Taylor" <gtay...@riverviewtech.net> wrote in message

I work as a contract tech. So a lot of the companies I deal with do
not have their own IT person that can sit on their @ss all day and
read tech forums about the latest thing to happen in the tech world.
Some of us are out there doing real work and can not follow every
company that we have under our belts' stupid entries in some firewall
smtp proxy. This shit took a real business down for a couple hours
before I could figure out exactly what was happening. Just drop the
DNS entry for relays.ordb.org or point it to some benign IP that no
one gives a flying F&*%&* about. Remember not everyone has the time
to keep up with this stuff. Or to know all the settings in every
firewall and every server that we are responsible for. In my opinion,
and it's just that, anyone working in an environment with less than
100 computers and 10 servers is not really working.

D. Stussy

Mar 28, 2008, 1:18:42 AM
<aobe...@gmail.com> wrote in message
news:6cbe5df5-a582-42e1...@m44g2000hsc.googlegroups.com...

On Mar 27, 5:43 pm, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> "Grant Taylor" <gtay...@riverviewtech.net> wrote in message
>
news:mailman.23.1206541695.1...@maillists.riverviewtech.net...
> > On 03/26/08 02:09, Grant Taylor wrote:
> > > If ORDB did follow the BCP guidelines and then switched to collateral
> > > damage I personally don't fault them for trying to get people to
> > > clean up their config(s).
>
> > One thing that ORDB has not done is to put a web page in place
> > (re)stating that the DNSBL is shut down and that they are changing their
> > practices, which I think they should have done. I can understand
> > shutting down the website for the past 6 - 9 months. However I (my
> > opinion) think they should have at least put something simple up
> > indicating their new policy change.
>
> I found that their policy statement of "going out of business" in December
> 2006 was sufficient. 15 months was more than enough time.

=I work as a contract tech. So alot of the companies I deal with do
=not have there own IT person that can sit on their @ss all day and
=read tech forums about the latest thing to happen in the tech world.
=Some of us are out there doing real work and can not follow every
=company that we have under our, belts stupid entries in some firewall
=smtp proxy. This shit took a real business down for a couple hours
=before I could figure out exactly what was happening. Just drop the
=DNS entry for relays.ordb.org or point it to some benign IP that no
=one gives a flying F&*%&* about. Remember not everyone has the time
=to keep up with this stuff. Or to know all the settings in every firewall
=and every server that we are responsible for. In my opinion and its just that
=anyone working in an environment with less than 100 computers and 10
=servers is not really working.


Well, excuse me. I haven't worked in the IT industry for over a decade (but
in the tax industry), and I still knew. Now, I found out a week after it
went down (still in December 2006) - because I bother to occasionally check
with services that I use to make certain they're still running. Did I wait
for someone else to report on it? No.

As a professional that is employed in IT, I don't see what you're saying as
a valid excuse. Every profession has things happening in it, and every
professional is expected to keep up. It seems to me that this change is
within the scope of your responsibilities as it did affect at least one of
your clients. If that's too much for you, perhaps a career change is in
order....

As for them simply dropping the DNS entry, etc., that's exactly what they've
been doing for the past 15 months, but they noticed that some people were
still trying to use the service. All of us COMPETENT people took care of
the problem at the end of 2006 or during 2007.



aobe...@gmail.com

Mar 28, 2008, 8:33:45 AM
On Mar 28, 1:18 am, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> <aober...@gmail.com> wrote in message

>
> news:6cbe5df5-a582-42e1...@m44g2000hsc.googlegroups.com...
> On Mar 27, 5:43 pm, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> > "Grant Taylor" <gtay...@riverviewtech.net> wrote in message
>
> news:mailman.23.1206541695.1...@maillists.riverviewtech.net...
>
> > > On 03/26/08 02:09, Grant Taylor wrote:
> > > > If ORDB did follow the BCP guidelines and then switched to collateral
> > > > damage I personally don't fault them for trying to get people to
> > > > clean up their config(s).
>
> > > One thing that ORDB has not done is to put a web page in place
> > > (re)stating that the DNSBL is shut down and that they are changing their
> > > practices, which I think they should have done. I can understand
> > > shutting down the website for the past 6 - 9 months. However I (my
> > > opinion) think they should have at least put something simple up
> > > indicating their new policy change.
>
> > I found that their policy statement of "going out of business" in December
> > 2006 was sufficient. 15 months was more than enough time.
>
> =I work as a contract tech.  So alot of the companies I deal with do
> =not have there own IT person that can sit on their @ss all day and
> =read tech forums about the latest thing to happen in the tech world.
> =Some of us are out there doing real work and can not follow every
> =company that we have under our, belts stupid entries in some firewall
> =smtp proxy.  This shit took a real business down for a couple hours
> =before I could figure out exactly what was happening.  Just drop the
> =DNS entry for relays.ordb.org or point it to some benign IP that no

> =one gives a flying F&*%&* about.  Remember not everyone has the time
> =to keep up with this stuff.  Or to know all the settings in every firewall
> and
> =every server that we are responsible for.  In my opinion and its just that
> =anyone working in an environment with less than 100 computers and 10
> =servers is not really working.
>
> Well, excuse me.  I haven't worked in the IT industry for over a decade (but
> in the tax industry), and I still knew.  Now, I found out a week after it
> went down (still in December 2006) - because I bother to occasionally check
> with services that I use to make certain they're still running.  Did I wait
> for someone else to report on it?  No.
>
> As a professional that is employed in IT, I don't see what you're saying as
> a valid excuse.  Every profession has things happening in it, and every
> professional is expected to keep up.  It seems to me that this change is
> within the scope of your responsibilities as it did affect at least one of
> your clients.  If that's too much for you, perhaps a career change is in
> order....
>
> As for them simply dropping the DNS entry, etc., that's exactly what they've
> been doing for the past 15 months, but they noticed that some people were
> still trying to use the service.  All of us COMPETENT people took care of
> the problem at the end of 2006 or during 2007.

Sorry if I offended you. I had a bad day. It was a new client that I
didn't even know used blacklist databases on their firewall. As far
as the competent part goes I never receive any complaints from my
clients, which is around 75 different companies, about the service that
they receive and in the IT world that speaks for itself.

Have a good day and again I apologize.


D. Stussy

Mar 28, 2008, 11:44:18 PM
"Res" <r...@ausics.net> wrote in message
news:Pine.LNX.4.64.08...@ebfjryy.nhfvpf.arg...
> On Fri, 28 Mar 2008, aobe...@gmail.com wrote:
>
> > Sorry if I offended you. I had a bad day. It was a new client that I
>
> never apologise to a troll, you have every right to speak your mind ...

That's exactly why I made nor offered any apology for any statement I made.

As for you, asshole, you don't even deserve the respect of consideration of
an apology, and that starts with failing to capitalize my name.


Hugo Villeneuve

Mar 29, 2008, 12:05:56 AM
D. Stussy <sp...@bde-arc.ampr.org> wrote:


>
> As for them simply dropping the DNS entry, etc., that's exactly what they've
> been doing for the past 15 months, but they noticed that some people were
> still trying to use the service.

Were they dropping the requests at their name server or had they removed
all NS and glue A records from their domain registration before?

The resource loss for the latter option wouldn't be their problem at all.
Especially when you don't do anything with the domain.

D. Stussy

Mar 29, 2008, 1:18:12 AM
"Hugo Villeneuve" <hu...@EINTR.net> wrote in message
news:1iejei1.6ehoqj1b8g6bqN%hu...@EINTR.net...

I'd have to say that they didn't remove their DNS entries from their
registration.

Domain ID:D72422737-LROR
Domain Name:ORDB.ORG
Created On:11-Jun-2001 12:35:51 UTC
Last Updated On:12-Jan-2007 10:52:44 UTC
Expiration Date:11-Jun-2016 12:35:51 UTC
...
Name Server:AUTH02.NS.TELE.DK
Name Server:KOALA.DROSO.DK
Name Server:NS1.ORDB.MOENSTED.DK
Name Server:NS2.ORDB.MOENSTED.DK


Grant Taylor

Mar 30, 2008, 5:47:34 AM
On 3/28/2008 12:31 AM, Res wrote:
> The best way would be in all your DNS's put
>
> zone "ordb.org" {
> type master;
> file "empty";
> notify no;
> };
>
> if they don't want dns hits, they won't get any :)

What about the traffic coming to their server looking for the ordb.org
zone? That would still continue for years to come.

If all you do is drop the traffic as early as possible, you are still
dropping traffic that is still coming to you. Whereas if you do
something to cause people to want to not query you, the traffic will
drop off sharply in short order.

Grant. . . .


Clemens Zauner

Mar 30, 2008, 9:23:26 AM
Res <r...@ausics.net> wrote:
> huh? that entry you would put in your DNS's, as in an ISP/Telco DNS's,
> couldn't care less about theirs, if they don't have the bandwidth that's
> their problem, they knew the risks involved before starting up.

Oh. Great. Because one's too f***ing stupid to maintain one's mailserver
he's going to tinker with other people's zones in his DNS setup. Yeah,
that's the way to go. As it shows the same clue-level regarding email
and DNS.

l33t solution. Go and post this to every phpBB.
Clemens.
--
/"\ http://czauner.onlineloop.com/
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \ AND POSTINGS


Grant Taylor

Apr 2, 2008, 12:09:42 AM
On 4/1/2008 8:16 PM, aobe...@gmail.com wrote:
> I guess some people just don't have a clue about the contracting
> world. There are many companies out there that only call when they
> have a problem or just have a contract computer company come in for a
> couple hours every now and then to check stuff out. Just because these
> companies don't have a full time IT person or a budget that allows
> them to, doesn't mean they deserve to have their company's e-mail
> taken down because people decide to be idiots. Really, honestly, is
> it too much to ask to have them make some changes to their DNS. They took
> on the responsibility of hosting this service they should respect that
> responsibility and do the right thing. Imagine how much money was
> spent on troubleshooting this problem around the nation. I know that
> Astaro had to release a patch for it.

Question(s):
- How do you get people that are querying a dead system to stop
querying it?
- How many months / years should someone pay for a service bandwidth
for a service that has been dead for 14+ months? 2 years? Longer?
- How long are you willing to pay to host 50 GB of traffic a month for
a service that is dead?
- What would you do that is different than what ORDB has done?

> For all you negative nancys, oh how nice it would be to sit back and
> throw jabs and act like you know what the hell you are talking about
> on a little forum. I can pretty much guarantee you that I solve more
> problems in 1 week than most of you will solve in a year. That's the
> one thing I hate about this field is all the arrogant a-holes that act
> like they know everything. I hate to tell you this but if you think
> you know everything about computers and networks you don't have a clue.

Rather than throwing jabs yourself, how about throwing down some
information for discussion? Please answer the above questions. Please
persuade me ("show me the light" if you will) why and / or how what ORDB
did was wrong and explain what you would have done different. Will your
solution hold up now, 1 month from now, 1 year from now, 5 years from
now? Would you still be willing to pay for the resources for your
defunct service 5 or 10 years from now?

Grant. . . .

Grant Taylor

Apr 2, 2008, 1:58:39 AM
On 4/1/2008 11:30 PM, Res wrote:
> This is exactly the point, the entire domain is moot, removing the
> name servers from zone, setting them to 127.0.0.1, dropping the zone
> since they don't want it, it has no use these days. It has no A
> records, www has no A records, it has no MX record, but yet they
> still have records to block everyone querying *.relays.ordb.org
> petty absolutely fucking petty.

For the sake of the ongoing discussion please clarify what you want
ORDB to do and where you would like them to do it.

Are you wanting ORDB to:
- Remove NS records for the relays.ordb.org sub-domain from the
ordb.org zone?
- Set the A record referenced in the glue records for the
relays.ordb.org sub-domain to 127.0.0.1?
- Remove all references to the relays.ordb.org sub-domain?
- Remove all ORDB zones?
- Set glue records with Tucows to 127.0.0.1?
- Remove the glue records with Tucows if possible?

> since you're in the business of calling others, I'll call you, show me
> the evidence they are hit with 50G a month

Fair enough. I will first say that I do not have any "evidence" per se
(logs, reports, etc. from ORDB), but I can run (what I believe to be)
extremely conservative numbers to come up with the amount of traffic
that their DNS servers would see.

Please reference my 2nd & 3rd message in the Google archive
http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/8a634fe99fe90ab5#

From my second message you can see how I derived the size of queries
and replies. Below are the formulas that I used to run the numbers.

I found that there were (approximately) 246 country codes. I'm going to
presume that ORDB is receiving at least one query per second per country
code. I feel confident that this is a very safe number to use.

Per my other posts, I found that a query is 85 bytes and a reply is 202
bytes, making a query and reply 287 bytes.

If we take the 85 (bytes per query) * 246 (country codes) is 20910 bytes
per second or 20.9 kB per second of DNS query traffic.

If we take the 85 (bytes per query) * 246 (country codes) * 60 (second
per minute) * 60 (minutes per hour) * 24 (hours per day) is 1806624000
bytes per day or 1806624 kB per day or 1806.6 MB per day or 1.8 GB per
day of DNS query traffic.

If we take the 85 (bytes per query) * 246 (country codes) * 60 (second
per minute) * 60 (minutes per hour) * 24 (hours per day) * 30 (days per
month) is 54198720000 bytes per month or 54198720 kB per month or
54198.7 MB per month or 54.1 GB per month of DNS query traffic.

If we use the same equations with the size of the reply and the size of
the query and reply combined we get the following numbers:

DNS reply traffic
202 * 246 = 49692 B or 49.69 kB per second
202 * 246 * 60 * 60 * 24 = 4293388800 B or 4293388.8 kB or 4293.3 MB or
4.2 GB per day
202 * 246 * 60 * 60 * 24 * 30 = 128801664000 B or 128801664 kB or
128801.6 MB or 128.8 GB per month

Combined DNS query and reply traffic
287 * 246 = 70602 B or 70.6 kB per second
287 * 246 * 60 * 60 * 24 = 6100012800 B or 6100012.8 kB or 6100 MB or
6.1 GB per day
287 * 246 * 60 * 60 * 24 * 30 = 183000384000 B or 183000384 kB or
183000.3 MB or 183 GB per month

I think it is fairly obvious that this is a LOT of traffic that has to
be absorbed by someone's DNS servers. What is worse is that this amount
of traffic is very unlikely to taper off very fast at all if nothing is
done to encourage people to stop querying the servers. Hence why I
believe ORDB decided to switch to collateral damage after being closed
for 14+ months all the while handling 183 GB (or more) of traffic for a
defunct service.

With these numbers in mind, let's see how what I believe you are wanting
ORDB to do stacks up.

- Remove NS records for the relays.ordb.org sub-domain from the
ordb.org zone?

Systems will still be querying the ordb.org zone for the sub-domain,
thus the traffic numbers still apply. Adjust the size of queries and
replies for the sizes of packets if need be. However this number will
still be very large.

- Set the A record referenced in the glue records for the
relays.ordb.org sub-domain to 127.0.0.1?

(same as above)

- Remove all references to the relays.ordb.org sub-domain?

(same as above)

- Remove all ORDB zones?

Systems will still query the ORDB zone name servers looking for
records. Still very similar to above.

- Set glue records with Tucows to 127.0.0.1?

Root name servers will still receive traffic looking for the name
servers for the ORDB zone.

- Remove the glue records with Tucows if possible?

Root name servers will still be queried.

What is worse with doing the above is that most of the systems that are
still querying ORDB after being closed for 14+ months will continue to
do so for quite a while to come. What incentive do all the companies
like aoberlin is referring to have to bring someone in to correct the
problem if at worst they have a DNS timeout per message passing through
their system? How long do you think it will be before someone does
remove ORDB from the config? I'm betting that ORDB will stay in the
config until the system is replaced with something new, so most likely
sometime with in the next 5 years (give or take). What if someone
copies the old config to the next system? How many new systems down the
road will be able to use the old config file or .mc file? Let's say 3
generations with a 5 year life cycle. Now we are up to 11 years if we
say the replacement cycle is every 3 years and we take off the 14 months
that have passed. All this time will add up to a *LOT* of wasted
bandwidth and $$$ because people do not update their config.

This is why I think it perfectly reasonable for ORDB to resort to some
action that will ensure that people will want to update their config.
ORDB has been defunct for 14+ months. Any one that was going to update
their config on their own accord has done so already. I'm willing to
bet that a very large majority of systems that were querying ORDB a week
ago are no longer querying ORDB. Let's just say that the number is cut
by 10%. Here is a simple list of the number of queries per second for
each week for the next 6 months:

Week Query / Sec
1 246
2 221.4
3 199.2
4 179.2
5 161.2
6 145
7 130.5
8 117.4
9 105.6
10 95
11 85.5
12 76.9
13 69.2
14 62.2
15 55.9
16 50.3
17 45.2
18 40.6
19 36.5
20 32.8
21 29.5
22 26.5
23 23.8
24 21.4

If I run the numbers out with a 10% drop per week, all queries should be
stopped by week 60. For the curious, if the number of queries per
week is cut in half, within 13 weeks all queries should be stopped.
Cut to a quarter and you are down to 7 weeks.

Compare the operational costs of doing this versus answering queries for
the coming years.

Grant. . . .
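Grant's arithmetic, both the kbps and GB figures in his Mar 25 10:03 PM message and the week-by-week decay table in this one, can be run as a small model. The following is an added Python example, not code from the thread: the packet sizes (85 and 202 bytes) and the 246 queries per second come from the posts, while the cut-off rate below which a decaying stream counts as "stopped" and the do-nothing comparison are the example's own assumptions.

```python
# Traffic model behind the thread's bandwidth figures. Packet sizes and the
# 246 country-code rate come from the posts; the decay cut-off is assumed.
QUERY_BYTES = 85            # Ethernet frame carrying the A query (from the tcpdump)
REPLY_BYTES = 202           # Ethernet frame carrying the reply
EXCHANGE_BYTES = QUERY_BYTES + REPLY_BYTES
COUNTRY_CODES = 246         # "one query per second per country code"
SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_WEEK = 7 * SECONDS_PER_DAY


def traffic_bytes(bytes_per_packet, queries_per_second, seconds):
    """Bytes moved by a steady stream of fixed-size packets over `seconds`."""
    return bytes_per_packet * queries_per_second * seconds


def kilobits_per_second(bytes_per_packet, queries_per_second):
    """Line rate of that stream in kbps (1 kbps = 1000 bit/s)."""
    return bytes_per_packet * queries_per_second * 8 / 1000


def gigabytes(n_bytes):
    """Decimal gigabytes rounded to one place, the way the posts report them."""
    return round(n_bytes / 1e9, 1)


def decay_schedule(initial_qps, weekly_drop, weeks):
    """Queries/sec at each week, 1-indexed like the post's table: week 1 is the
    full rate and every later week keeps (1 - weekly_drop) of the week before."""
    return [initial_qps * (1 - weekly_drop) ** (week - 1) for week in range(1, weeks + 1)]


def weeks_until_below(initial_qps, weekly_drop, threshold):
    """First week (1-indexed) whose rate is below `threshold` queries/sec.
    `threshold` is an assumption: a geometric decay never reaches zero, so
    'all queries stopped' has to be defined as 'below some rate'."""
    if not 0 < weekly_drop <= 1:
        raise ValueError("weekly_drop must be in (0, 1]")
    week, rate = 1, initial_qps
    while rate >= threshold:
        week += 1
        rate *= 1 - weekly_drop
    return week


def cumulative_bytes(initial_qps, weekly_drop, bytes_per_exchange, weeks):
    """Total bytes over `weeks`. weekly_drop=0 is the do-nothing case in which
    the stale resolvers keep querying at the full rate the whole time."""
    return sum(rate * bytes_per_exchange * SECONDS_PER_WEEK
               for rate in decay_schedule(initial_qps, weekly_drop, weeks))


if __name__ == "__main__":
    month = 30 * SECONDS_PER_DAY
    for label, size in (("query", QUERY_BYTES), ("reply", REPLY_BYTES), ("both", EXCHANGE_BYTES)):
        print(f"{label:5s}: {kilobits_per_second(size, COUNTRY_CODES):6.1f} kbps, "
              f"{gigabytes(traffic_bytes(size, COUNTRY_CODES, SECONDS_PER_DAY)):5.1f} GB/day, "
              f"{gigabytes(traffic_bytes(size, COUNTRY_CODES, month)):6.1f} GB/month")
    for week, qps in enumerate(decay_schedule(COUNTRY_CODES, 0.10, 24), start=1):
        print(f"week {week:2d}: {qps:6.1f} q/s")
    stop = weeks_until_below(COUNTRY_CODES, 0.10, 0.5)
    flat = cumulative_bytes(COUNTRY_CODES, 0.0, EXCHANGE_BYTES, stop)
    decayed = cumulative_bytes(COUNTRY_CODES, 0.10, EXCHANGE_BYTES, stop)
    print(f"10%/week: below 0.5 q/s at week {stop}; "
          f"{gigabytes(decayed)} GB total vs {gigabytes(flat)} GB if nothing changes")
```

The weeks-until-stopped answer depends entirely on the cut-off chosen: with a 10% weekly drop and a cut-off of half a query per second, the rate falls under the cut-off at week 60, and the cumulative traffic over those 60 weeks is about a sixth of what the same period costs if nothing is done and the rate never drops. That ratio, not any single month's figure, is the operational-cost comparison the post asks for.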

D. Stussy

Apr 2, 2008, 2:57:09 AM
<aobe...@gmail.com> wrote in message
news:2582e793-3ebf-41cc...@e39g2000hsf.googlegroups.com...

For all you negative nancys, oh how nice it would be to sit back and
throw jabs and act like you know what the hell you are talking about
on a little forum. I can pretty much guarantee you that I solve more
problems in 1 week than most of you will solve in a year. That's the
one thing I hate about this field is all the arrogant a-holes that act
like they know everything. I hate to tell you this but if you think
you know everything about computers and networks you don't have a clue.


Maybe that's because some of us learn about such things and make changes
BEFORE any problems arise.

I don't claim to know "everything" but I do keep up with services I actually
use.


aobe...@gmail.com

Apr 2, 2008, 4:48:59 PM
On Apr 2, 1:58 am, Grant Taylor <gtay...@riverviewtech.net> wrote:
> On 4/1/2008 11:30 PM, Res wrote:
>
> > This is exactly the point, the entire domain is moot, removing the
> > name servers from zone, setting thme to 127.0.0.1, dropping the zone
> > sicne they dont want it, it has no use these days. It has no A
> > records, www has no A records, it has no MX record, but yet they
> > still have records to block everyone querrying *.relays.ordb.org
> > petty absolutely fucking petty.
>
> For the sake of the on going discussion please clarify what you want
> ORDB to do and where you would like them to do it.
>
> Are you wanting ORDB to:
>   - Remove NS records for the relays.ordb.org sub-domain from the
> ordb.org zone?
>   - Set the A record referenced in the glue records for the relays.ordb.org sub-domain to 127.0.0.1?

>   - Remove all references to the relays.ordb.org sub-domain?
>   - Remove all ORDB zones?
>   - Set glue records with Tucows to 127.0.0.1?
>   - Remove the glue records with Tucows if possible?
>
> > since your in the business of calling others, I'll call you, show me
> > the evidence they ar ehit with 50G a month
>
> Fair enough.  I will first say that I do not have any ""evidence per say
> (logs, reports, etc from ORDB), but I can run (what I believe to be)
> extremely conservative numbers to come up with the amount of traffic
> that their DNS servers would see.
>
> Please reference my 2nd & 3rd message in the Google archive http://groups.google.com/group/comp.mail.sendmail/browse_thread/threa...
>   - Remove NS records for the relays.ordb.org sub-domain from the

> ordb.org zone?
>
>     Systems will still be querying the ordb.org zone for the sub-domain,
> thus the traffic numbers still apply.  Adjust the size of queries and
> replies for the sizes of packets if need be.  However this number will
> still be very large.
>
>   - Set the A record referenced in the glue records for the relays.ordb.org sub-domain to 127.0.0.1?

Impressive.

aobe...@gmail.com

Apr 2, 2008, 5:16:57 PM
On Apr 2, 1:58 am, Grant Taylor <gtay...@riverviewtech.net> wrote:
> On 4/1/2008 11:30 PM, Res wrote:
>
> > This is exactly the point, the entire domain is moot, removing the
> > name servers from zone, setting them to 127.0.0.1, dropping the zone
> > since they don't want it, it has no use these days. It has no A
> > records, www has no A records, it has no MX record, but yet they
> > still have records to block everyone querying *.relays.ordb.org
> > petty absolutely fucking petty.
>
> For the sake of the ongoing discussion please clarify what you want
> ORDB to do and where you would like them to do it.
>
> Are you wanting ORDB to:
>   - Remove NS records for the relays.ordb.org sub-domain from the
> ordb.org zone?
>   - Set the A record referenced in the glue records for the relays.ordb.org sub-domain to 127.0.0.1?
>   - Remove all references to the relays.ordb.org sub-domain?
>   - Remove all ORDB zones?
>   - Set glue records with Tucows to 127.0.0.1?
>   - Remove the glue records with Tucows if possible?
>
> > since you're in the business of calling others, I'll call you, show me
> > the evidence they are hit with 50G a month
>
> Fair enough.  I will first say that I do not have any "evidence" per se
> (logs, reports, etc from ORDB), but I can run (what I believe to be)
> extremely conservative numbers to come up with the amount of traffic
> that their DNS servers would see.
>
> Please reference my 2nd & 3rd message in the Google archive http://groups.google.com/group/comp.mail.sendmail/browse_thread/threa...
>   - Remove NS records for the relays.ordb.org sub-domain from the
> ordb.org zone?
>
>     Systems will still be querying the ordb.org zone for the sub-domain,
> thus the traffic numbers still apply.  Adjust the size of queries and
> replies for the sizes of packets if need be.  However this number will
> still be very large.
>
>   - Set the A record referenced in the glue records for the relays.ordb.org sub-domain to 127.0.0.1?

Grant I like your style. I would say drop the whole domain. Since
they gambled and lost, the whole ordb zone should no longer
exist. Yes there would still be queries but there are millions of
queries a day for zones that do not exist. Not a big deal. It would
be like saying we need to take every satellite out of space that is
no longer in service, because some day we will run out of room.

But with that said you make a valid argument and back it up with some
cool stats. And I would have to say I am less pissed about the
situation.

See this is the kind of reasoning I can understand. Not the "you're an
idiot for not reading about this 2 years ago."

Grant Taylor

Apr 2, 2008, 10:59:18 PM
Aoberlin, thank you for your comments. :)

On 4/2/2008 4:16 PM, aobe...@gmail.com wrote:
> Grant I like your style. I would say drop the whole domain. Since
> they gambled and lost, the whole ordb zone should no longer
> exist. Yes there would still be queries but there are millions of
> queries a day for zones that do not exist. Not a big deal. It would
> be like saying we need to take every satellite out of space that is
> no longer in service, because some day we will run out of room.

I'm curious, how do you think ORDB gambled and lost? The way I see it,
the spam industry has changed and ORDB was simply outdated. I don't
think it was a contest to see which anti-spam method was better. (Sure
there are purportedly friendly rivalries to be the best, but we are all
working for the same goal.) Granted the battles between the spam
fighters and spammers can get a little heated.

The idea of dropping the domain seems a bit problematic to me. To start
with, I'm not sure if it is even possible to cancel a domain (with or
without requesting a refund). I think you have to let it expire.
Seeing as how the ordb.org domain is registered through June 11th, 2016,
it will be a while before it expires. Then there is also the fact that
there is a chance that people will still be querying it at that point in
time. So what happens to the poor sap that registers the recycled
domain after that time? They will be inundated with the remaining queries.

With regards to the satellites in space, we are already running into a
layer of junk. (Maybe we can get it to stop some of the UV rays for us
seeing as how the ozone is being depleted by man and planet.) Likewise
the load on the root DNS servers is growing every day. Perhaps
something should be done to clean up these abandoned domains too.
However that is beyond the scope of this thread.

> But with that said you make a valid argument and back it up with some
> cool stats. And I would have to say I am less pissed about the
> situation.

Thank you. I tried to be logical and engage others in a conversation.
I'm glad that Res called me on my numbers the way he did. He was polite
and asked for some foundation to my claims. I really do like it when we
can have discussions with people laying facts down for both sides and
hopefully both sides being somewhat enlightened.

With that said, I dare to ask this question. Understanding what I have
put forth, should ORDB have waited longer before switching to the
collateral damage mode, or should they have done it sooner?

> See this is the kind of reasoning I can understand. Not the "you're an
> idiot for not reading about this 2 years ago."

*nod* I could not agree more. I think all of us (at least us humans)
try to be professional in our jobs and / or hobbies, but occasionally we
all slip a bit. ;)

Grant. . . .

David F. Skoll

Apr 3, 2008, 9:38:22 PM
Grant Taylor wrote:

> The idea of dropping the domain seems a bit problematic to me. To start
> with, I'm not sure if it is even possible to cancel a domain (with or
> without requesting a refund).

You can relinquish a domain if you really want. Or you can just park
it and point the nameserver information in the WHOIS records at
$SOME_BIG_DOMAIN_PARKER.

> So what happens to the poor sap that registers the recycled
> domain after that time? They will be inundated with the remaining
> queries.

That is indeed a problem (or maybe an opportunity? :-))

Regards,

David.

Grant Taylor

Apr 3, 2008, 11:21:00 PM
>You can relinquish a domain if you really want. Or you can just park it and point the nameserver information in the WHOIS records at $SOME_BIG_DOMAIN_PARKER.

I wonder if you could use test net IPs for the name servers. I don't think they are routable outside of test environments.

>That is indeed a problem (or maybe an opportunity? :-))

Oh, you are just mean. ;)

Grant. . . .

D. Stussy

Apr 3, 2008, 11:41:19 PM
"Grant Taylor" <gta...@riverviewtech.net> wrote in message
news:mailman.36.1207279311.1...@maillists.riverviewtech.net...

> >You can relinquish a domain if you really want. Or you can just park it
> >and point the nameserver information in the WHOIS records at
> >$SOME_BIG_DOMAIN_PARKER.
>
> I wonder if you could use test net IPs for the name servers. I don't
> think they are routable outside of test environments.

Depends on the domain's registrar. Some if not all registrars actually
check to see if the IP address is valid and responds. I'm willing to bet
that part of that check is against the addresses in RFC 1918 and subsequent
similar reserved IP spaces.


Message has been deleted

Grant Taylor

Apr 7, 2008, 12:29:30 PM
On 04/07/08 05:37, Res wrote:
> To this, or a blackhole IP so it creates timeouts trying to connect

Please clarify "blackhole IP".

> That won't matter because they will still as you rightfully pointed out
> get 'hit'

*nod*

> This would be a second best guess, and maybe the best, they clearly are
> not using the domain at all, they have no sub-domains and have no mx, so
> it's really a 'dead' domain.

This would tie the domain up and prevent re-registration while making it
impossible to query the zone.

> This really is very little for DNS.

Agreed. I was just trying to show an example using some numbers that I
thought we could all agree on and look at the resulting amount of
traffic without disagreeing on the basis for the math.

> I do note, upon a check tonight, that (within the past week at least)
> they have changed their msg...
>
> "1.2.3.4.relays.ordb.org descriptive text "ordb.org was shut down on
> December 18, 2006. Please remove from your mailserver."
>
> This is far more informative than the crap they gave a week ago that
> basically only said POQ.

Agreed.

However, I'm seeing different results when I do the same test.

> nslookup 206.152.114.68.relays.ordb.org
Server: 206.152.114.66
Address: 206.152.114.66#53

Non-authoritative answer:
Name: 206.152.114.68.relays.ordb.org
Address: 127.0.0.2


> nslookup -query=ns ordb.org
Server: 206.152.114.66
Address: 206.152.114.66#53

Non-authoritative answer:
ordb.org nameserver = koala.droso.dk.
ordb.org nameserver = auth02.ns.tele.dk.

Authoritative answers can be found from:
koala.droso.dk internet address = 87.51.32.6
auth02.ns.tele.dk internet address = 194.192.207.166


> nslookup 1.2.3.4.relays.ordb.org koala.droso.dk
Server: koala.droso.dk
Address: 87.51.32.6#53

Name: 1.2.3.4.relays.ordb.org
Address: 127.0.0.2


> nslookup 1.2.3.4.relays.ordb.org auth02.ns.tele.dk
Server: auth02.ns.tele.dk
Address: 194.192.207.166#53

** server can't find 1.2.3.4.relays.ordb.org: SERVFAIL

As you can see, koala is still reporting the 127.0.0.2 address.

> A typical ISP's name server would see this easily, each of ours do anyway.

Agreed. (See above about the amount of traffic.)

> As they do for trillions of other rubbishy domains, that's why they are
> localised with BGP to distribute the loads.

*nod*

> Again, this is the risk they take when operating such a service, it is
> also why most use BGP to geographically locate servers, if ordb ran only
> their servers in one location they have no one else to blame but
> themselves, running an RBL is just like running an IRC server, you must
> expect the shit to hit the fan more than once :)

Ok...

Grant. . . .

Bill Cole

Apr 7, 2008, 5:21:27 PM
In article <69b2$47f585ff$d1d97a75$25...@PRIMUS.CA>,

"David F. Skoll" <d...@roaringpenguin.com> wrote:

> Grant Taylor wrote:
>
> > The idea of dropping the domain seems a bit problematic to me. To start
> > with, I'm not sure if it is even possible to cancel a domain (with or
> > without requesting a refund).
>
> You can relinquish a domain if you really want. Or you can just park
> it and point the nameserver information in the WHOIS records at
> $SOME_BIG_DOMAIN_PARKER.

They may get grumpy about that. Popular DNSBLs generate shocking DNS
query volumes. If the zone is empty and isn't set up to make negative
caching work, every query ends up hitting the authority. As I understand
it, when ORDB initially shut down, the configuration of the .org
authority's SOA for org resulted in them getting almost a billion
queries/day, because no resolver could cache the NXDOMAIN response they
sent.

> > So what happens to the poor sap that registers the recycled
> > domain after that time? They will be inundated with the remaining
> > queries.
>
> That is indeed a problem (or maybe an opportunity? :-))

This issue has actually been considered and discussed at great length in
many places for many years, and section 3.4 of the current BCP draft on
DNSBL management at
http://www.ietf.org/internet-drafts/draft-irtf-asrg-bcp-blacklists-02.txt
describes the best way to deal with the retirement of a heavy-use
domain.

--
Now where did I hide that website...
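The two things being tested in this thread, whether an authority still answers 127.0.0.2 for an arbitrary name under relays.ordb.org (Grant's nslookup runs above) and whether an NXDOMAIN from a retired zone can be negatively cached at all (Bill's point about the SOA), can both be checked offline from the raw DNS response. The following is an added example, not code from the thread or from ORDB: a minimal wire-format parser plus a builder for constructed responses that mirror the thread's lookups. The query name 1.2.3.4.relays.ordb.org and the MNAME koala.droso.dk come from the thread; the SOA RNAME hostmaster.ordb.org, the serial, and the TTL values are assumed test data.

```python
import struct

# Added example. A resolver may cache an NXDOMAIN only for
# min(SOA TTL, SOA MINIMUM) seconds (RFC 2308 sec. 3); with no SOA in
# the authority section, nothing is cached and every client re-queries.

QNAME = "1.2.3.4.relays.ordb.org"   # test name used in the thread


def encode_name(name):
    """Dotted name -> DNS wire format (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at offset, following compression pointers.
    Returns (dotted name, offset just past the name in the stream)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Return rcode, A answers [(name, addr, ttl)] and negative-cache TTL."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, answers, neg_ttl = 12, [], None
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, off = off, off + rdlen
            if section == "answer" and rtype == 1 and rdlen == 4:
                addr = ".".join(str(b) for b in msg[rdata_off:off])
                answers.append((name, addr, ttl))
            elif section == "authority" and rtype == 6:   # SOA
                p = rdata_off
                _, p = read_name(msg, p)                   # MNAME
                _, p = read_name(msg, p)                   # RNAME
                minimum = struct.unpack("!5I", msg[p:p + 20])[4]
                neg_ttl = min(ttl, minimum)                # RFC 2308
    return {"rcode": flags & 0x0F, "answers": answers, "neg_ttl": neg_ttl}


def assess(msg):
    """One-line verdict for a DNSBL lookup response."""
    r = parse_response(msg)
    if r["rcode"] == 0 and r["answers"]:
        return "listed: " + r["answers"][0][1]
    if r["rcode"] == 3:
        if r["neg_ttl"] is None:
            return "nxdomain, no SOA: resolvers will re-query every time"
        if r["neg_ttl"] == 0:
            return "nxdomain, negative TTL 0: uncacheable"
        return "nxdomain, cacheable for %ds" % r["neg_ttl"]
    return "rcode %d" % r["rcode"]


def build_response(rcode, a_addr=None, a_ttl=0, soa=None):
    """Constructed response for QNAME (test data, not a real capture)."""
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1,
                      int(a_addr is not None), int(soa is not None), 0)
    msg += encode_name(QNAME) + struct.pack("!HH", 1, 1)
    if a_addr is not None:
        # owner name given as a compression pointer to the question (offset 12)
        msg += struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 1, 1, a_ttl, 4)
        msg += bytes(int(x) for x in a_addr.split("."))
    if soa is not None:
        zone, soa_ttl, minimum = soa
        # MNAME from the thread; RNAME and serial are assumed values
        rdata = encode_name("koala.droso.dk") + encode_name("hostmaster.ordb.org")
        rdata += struct.pack("!5I", 2008040700, 3600, 900, 604800, minimum)
        msg += encode_name(zone) + struct.pack("!HHIH", 6, 1, soa_ttl, len(rdata)) + rdata
    return msg


LISTED = build_response(0, a_addr="127.0.0.2", a_ttl=3600)   # koala's answer
NX_CACHEABLE = build_response(3, soa=("ordb.org", 86400, 86400))
NX_UNCACHEABLE = build_response(3, soa=("ordb.org", 86400, 0))  # MINIMUM 0
NX_NO_SOA = build_response(3)                                    # empty authority

if __name__ == "__main__":
    for label, m in (("listed", LISTED), ("cacheable", NX_CACHEABLE),
                     ("uncacheable", NX_UNCACHEABLE), ("no soa", NX_NO_SOA)):
        print(label, "->", assess(m))
```

Pointed at a live server instead of the constructed messages, the same parser tells you which of the two failure modes you are looking at: an authority that still "lists" everything (the 127.0.0.2 answer koala returns), or an NXDOMAIN that resolvers cannot hold on to, which is what turns a dead zone into the query flood Bill describes.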

Message has been deleted

Grant Taylor

Apr 8, 2008, 12:33:46 AM
On 4/7/2008 8:42 PM, Res wrote:
> 169.254.0.1 is typically used

*nod*

I take it that blackholed means any IP address that should not be routed
across the internet?

> Yes it would, so maybe suggestion "A" is in fact more appropriate

Probably.

> maybe 'tele' dumped it :)

*nod*

> Guess we'll have to agree to disagree on how this should have been handled?

Works for me.

Grant. . . .

Message has been deleted