[dns-operations] OT: NXDOMAIN / public resolvers and zen.spamhaus.org

Emanuele Balla (aka Skull) skull at bofhland.org
Mon Mar 28 13:23:18 UTC 2011

On 3/28/11 12:50 PM, Stephane Bortzmeyer wrote:

>> Where do they say that, exactly?!?
> In the text pointed by the URL I mentioned:
>> If you are using a free "open DNS resolver" service such as Google
>> Public DNS or Level3's public DNS servers to resolve your DNSBL
>> requests, in most cases you will receive a "not listed" (NXDOMAIN)
>> reply
> Which is blatantly false for Google Public DNS.


zarathustra:~ skull$ dig +noall +answ +comments a
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39650
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 21, ADDITIONAL: 0


zarathustra:~ skull$ dig +noall +answ +comments a @
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

Reason is, simply: if open resolvers were allowed to query for spamhaus
data, nobody would pay for commercial access.
They'll just define a forward zone for -say- sbl.spamhaus.org pointing
to an open resolver like Google Public DNS.

Therefore, big open resolvers (like Google's) are ACL'd out on the
spamhaus side and just get NXDOMAIN, like any other big resolver out
there violating free usage limits.

I agree that point could be explained better, but it correctly and
simply reports what spamhaus users are going to experience.

Nothing more, nothing less.

Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
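An added example, not code from the thread: a small DNSBL lookup helper that applies the point above on the defender's side. Before trusting any NXDOMAIN as "not listed", it queries the RFC 5782 test entry (127.0.0.2) through the same resolver; if even that comes back NXDOMAIN, the resolver is evidently being refused (ACL'd out or otherwise broken) and real lookups are reported as "unknown" instead of "clean". The resolver interface and both sample resolvers are constructed for illustration.

```python
import ipaddress
from typing import Callable, List, Optional

# Hypothetical resolver interface (constructed for this example): takes a query
# name, returns the list of A records on NOERROR, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

ZONE = "zen.spamhaus.org"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolver_sees_zone(resolve: Resolver, zone: str) -> bool:
    """RFC 5782: a DNSBL always lists 127.0.0.2 as a test entry. NXDOMAIN for it
    means this resolver is refused by the zone, so its NXDOMAINs prove nothing."""
    return resolve(dnsbl_query_name("127.0.0.2", zone)) is not None


def check_ip(resolve: Resolver, ip: str, zone: str) -> str:
    """Return 'listed:<codes>', 'not listed', or 'unknown' (resolver refused)."""
    if not resolver_sees_zone(resolve, zone):
        return "unknown"
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not listed"
    return "listed:" + ",".join(answer)


# Constructed sample data: one listed address and a direct resolver that is
# allowed to query the zone (answers NOERROR with return codes).
_LISTED = {"10.2.0.192." + ZONE: ["127.0.0.2"], "2.0.0.127." + ZONE: ["127.0.0.2"]}


def direct_resolver(name: str) -> Optional[List[str]]:
    return _LISTED.get(name)


def open_resolver(name: str) -> Optional[List[str]]:
    # Simulates a big open resolver that the zone ACLs out: always NXDOMAIN.
    return None


if __name__ == "__main__":
    for res in (direct_resolver, open_resolver):
        print(res.__name__, check_ip(res, "192.0.2.10", ZONE))
```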

