[dns-operations] When TLDs have apex A records

Doug Barton dougb at dougbarton.us
Mon Jul 20 17:02:23 UTC 2009


Calvin Browne wrote:
> As someone who helps to look after a (relatively) popular 2nd level with
> an A record at its apex, I can strongly warn against it. This is of
> course a different scenario from the tld example above but some of the
> lessons may apply.
> 
> I've encountered huge problems when coming to deal with SPAM botnets -
> they like short return address (i.e. you make yourself a target for
> backscatter) - they do things like look up the smallest valid MX in
> their parent tree and try and relay through that etc etc.
> Also, your children often misconfigure and try and use your
> infrastructure.
> 
> My advice, based on my experience would be to stay away from this path -
> much pain lies here.

I'm not quite sure I understand all the problems you're describing
here, but you may want to consider implementing something we had when
I was DNS admin at Yahoo!. All of our critical A records had MX
records associated with them. The ones that were not supposed to
receive mail were directed to a mail server that did nothing but
bounce messages sent to it with a message that said basically, "This
host is not supposed to receive mail." (Sorry I don't recall the error
number or the configuration, that was handled by our mail guys.)

The two main benefits of this were to reduce IP traffic to the hosts
themselves, and avoid clogging up the real mail relays with spurious
messages. One could also argue that it had a positive net.citizen
contribution for those who had made honest mistakes.


hope this helps,

Doug
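The practice Doug describes, giving every critical A record an MX so that unwanted mail lands on a reject-only mailer rather than on the host or the real relays, is easy to lose track of as a zone grows. The following is an added example, not code from this thread or from Yahoo!: a small zone linter that parses a constructed sample zone, lists hosts that have an A/AAAA record but no MX, and reports where each host's mail would be routed. It also recognises the RFC 7505 null MX (`MX 0 .`), the standardised way to say "this name accepts no mail", which did not exist in 2009. All names and addresses in the sample are placeholders, and `parse_zone` handles only one-record-per-line zones with `$ORIGIN`.

```python
"""Zone lint: every host with an address record should also carry an MX
(either a reject-only mailer or an RFC 7505 null MX).
Added example; not part of the original dns-operations thread."""
from typing import Dict, List, Tuple

# Constructed sample zone (placeholder names and RFC 5737 documentation addresses).
SAMPLE_ZONE = """\
$ORIGIN example.net.
@        IN A    192.0.2.10
@        IN MX   10 mail.example.net.
mail     IN A    192.0.2.25
mail     IN MX   10 mail.example.net.
www      IN A    192.0.2.80
www      IN MX   10 reject.example.net.   ; reject-only mailer, as in the thread
reject   IN A    192.0.2.99
reject   IN MX   0  .                     ; RFC 7505 null MX: accepts no mail
api      IN A    192.0.2.81               ; missing MX: should be flagged
"""

RR = Tuple[str, str, str]  # (owner FQDN, rrtype, rdata)


def parse_zone(text: str) -> List[RR]:
    """Minimal parser: strips comments, expands '@' and relative owners
    against $ORIGIN, returns (owner, type, rdata) tuples."""
    origin = "."
    records: List[RR] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _rrclass, rtype, *rdata_parts = line.split()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, rtype.upper(), " ".join(rdata_parts)))
    return records


def hosts_without_mx(records: List[RR]) -> List[str]:
    """Owners that have an A/AAAA record but no MX at all."""
    address_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    mx_owners = {o for o, t, _ in records if t == "MX"}
    return sorted(address_owners - mx_owners)


def mx_policy(records: List[RR]) -> Dict[str, str]:
    """For each owner with MX records, report the lowest-preference exchange,
    or 'null-mx' when it is the RFC 7505 'MX 0 .' record."""
    best: Dict[str, Tuple[int, str]] = {}
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        pref_str, exchange = rdata.split(None, 1)
        pref = int(pref_str)
        if owner not in best or pref < best[owner][0]:
            best[owner] = (pref, exchange)
    return {
        owner: ("null-mx" if pref == 0 and exchange == "." else exchange)
        for owner, (pref, exchange) in best.items()
    }


if __name__ == "__main__":
    rrs = parse_zone(SAMPLE_ZONE)
    for host in hosts_without_mx(rrs):
        print(f"WARNING: {host} has an address record but no MX")
    for host, target in sorted(mx_policy(rrs).items()):
        print(f"{host:<22} mail -> {target}")
```

Run against a real zone, the warning list is the set of hosts that would receive connections straight from spam botnets; each entry gets either an MX pointing at the reject-only mailer or a null MX.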
