[dns-operations] Getting rid of ISP's recursive DNS servers?(Was: Eircom "DNS Attacks" ?

Tomas L. Byrnes tomb at byrneit.net
Mon Jul 20 19:11:54 UTC 2009

And once that MX completes, and delivery is attempted, the receiving MTA
will often do multiple A record queries to RBLs.

I'd hazard that, given that each e-mail session generates at least 3


A for MX

And some query (if only in-addr for logging) on the receiving MTA

That e-mail far exceeds web in DNS queries.

Certainly for those users using ThreatSTOP's nameservers as full
forwarders, as opposed to solely for the zone threatstop.local, the
overwhelming query volume is to RBLs.

Yes, I know that it is highly likely that the servers querying TS are
security related, and so the sample is skewed.

Paul Mockapetris has a couple of slides in his stump speech that talk
about the spawned queries for each e-mail.

>-----Original Message-----
>From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-
>bounces at lists.dns-oarc.net] On Behalf Of Stephane Bortzmeyer
>Sent: Monday, July 20, 2009 1:46 AM
>To: Frank Bulk
>Cc: dns-operations at mail.dns-oarc.net
>Subject: Re: [dns-operations] Getting rid of ISP's recursive DNS
>servers?(Was: Eircom "DNS Attacks" ?
>On Sun, Jul 19, 2009 at 10:06:15PM -0500,
> Frank Bulk <frnkblk at iname.com> wrote
> a message of 51 lines which said:
>> To your footnote, does anyone have supporting evidence that web
>> browsing is the biggest use of DNS?
>We have ample evidence of the opposite. For instance, almost half of
>the DNS requests to the .FR authoritative name servers have query type
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net

More information about the dns-operations mailing list