Re: [Asrg] RMX & DNS: double advantage
In <20030307094119.GA2821@danisch.de> Hadmut Danisch <hadmut@danisch.de> writes:
> Imagine an attacker wants to block e-mail traffic from
> A.com to B.com. All he needs to do is to send a fake message
> with sender address A.com to B.com to cause B.com's DNS to
> ask for A.com's RMX entry, and to send a fake answer with a
> random address in the RMX entry and a long TTL. From now on,
> B.com will reject messages from A.com.
It should be pointed out that DNSBLs, including domain specific
DNSBLs, use the *absence* of an A record as an indication that the IP
address is OK. Negative DNS responses are generally not cached
anywhere near as long as positive results. I do not know if this was a
design decision on the part of DNSBLs, or just a result of it being
easier to create that way.
However, the results of using domain specific DNSBLs instead of RMX
records are:
1) An attacker must *prevent* a DNS response instead of creating a
bogus DNS response.
2) The results of a successful attack generally won't last as long.
3) In the (hopefully) typical case of valid email, there is a higher
load on blacklists, including DSDNSBLs. This doesn't seem to be a
huge problem for DNSBLs, but it is worth pointing out.
Anyway, I still don't know why people would prefer RMX records over
domain specific DNSBLs. DSDNSBLs, after all, can be trivially
implemented today, while RMX records require bind changes.
-wayne
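The asymmetry argued in the reply above, modelled as an added example (it is not code from the post or from any RMX or DNSBL implementation): a toy caching resolver with RFC 2308 negative caching, where an NXDOMAIN is held for at most the zone's SOA minimum TTL while a positive answer is held for its own TTL. The RMX check accepts only an IP listed in a positive record, so one forged answer with a long TTL keeps the legitimate server rejected until that TTL runs out; the domain-specific DNSBL treats absence of an A record as OK, so an attacker has to keep suppressing the lookup, and nothing outlasts the suppression because a timeout is never cached. The `_rmx.` and `_dsbl.` labels, the zone layout, the documentation-range IPs and the TTL values are all constructed for the illustration.

```python
"""Toy model of RMX lookups versus a domain-specific DNSBL (DSDNSBL).

Added example, not code from the original post. Record names, TTLs and
addresses are constructed; RFC 2308 negative-caching semantics are the
only part taken from a real specification.
"""
from dataclasses import dataclass, field

NXDOMAIN = None       # marker: the name does not exist
TIMEOUT = "timeout"   # marker: no answer arrived (the attacker suppressed it)


@dataclass
class Zone:
    soa_minimum: int                              # caps how long NXDOMAIN may be cached
    records: dict = field(default_factory=dict)   # name -> (ttl, answer)


@dataclass
class Resolver:
    zones: dict                                    # apex -> Zone (constructed authoritative data)
    cache: dict = field(default_factory=dict)      # name -> (expires_at, answer)
    suppressed: set = field(default_factory=set)   # names the attacker currently blackholes

    def _zone_for(self, name):
        return next(z for apex, z in self.zones.items()
                    if name == apex or name.endswith("." + apex))

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[0] > now:
            return hit[1]
        if name in self.suppressed:
            return TIMEOUT                         # a timeout is not an answer and is not cached
        zone = self._zone_for(name)
        if name in zone.records:
            ttl, answer = zone.records[name]       # positive answer: cached for its own TTL
        else:
            ttl, answer = zone.soa_minimum, NXDOMAIN   # RFC 2308: negative answer capped by SOA minimum
        self.cache[name] = (now + ttl, answer)
        return answer

    def poison(self, name, answer, ttl, now):
        """The attacker wins the race once and a forged answer lands in the cache."""
        self.cache[name] = (now + ttl, answer)


def rmx_accepts(resolver, sender_domain, ip, now):
    """RMX (constructed layout): the domain publishes the IPs allowed to send for it.
    Accept only if the connecting IP appears in that positive record."""
    answer = resolver.lookup("_rmx." + sender_domain, now)
    if answer == TIMEOUT:
        return None                                # undecided; a real MTA would tempfail here
    return answer is not NXDOMAIN and ip in answer


def dsdnsbl_accepts(resolver, sender_domain, ip, now):
    """DSDNSBL (constructed layout): an A record under the domain marks the IP as
    not its mail server. Absence of a record, or no answer at all, means OK."""
    answer = resolver.lookup(f"{ip}._dsbl.{sender_domain}", now)
    return answer is NXDOMAIN or answer == TIMEOUT


def simulate():
    zones = {
        "a.com": Zone(soa_minimum=300, records={
            "_rmx.a.com": (86400, {"192.0.2.10"}),             # a.com's legitimate mail server
            "203.0.113.7._dsbl.a.com": (86400, "127.0.0.2"),   # an IP a.com says does not send its mail
        }),
    }
    legit, listed = "192.0.2.10", "203.0.113.7"
    out = {}

    # 1) RMX: a single forged answer with a long TTL blocks a.com's real server until it expires.
    r = Resolver(zones)
    r.poison("_rmx.a.com", {"198.51.100.99"}, ttl=86400, now=0)
    out["rmx_after_forgery"] = rmx_accepts(r, "a.com", legit, now=60)
    out["rmx_after_ttl"] = rmx_accepts(r, "a.com", legit, now=86401)

    # 2) DSDNSBL: the listed IP gets through only while every lookup is being suppressed;
    #    nothing is cached, so the effect ends the moment suppression stops.
    r = Resolver(zones)
    r.suppressed.add(f"{listed}._dsbl.a.com")
    out["dsbl_while_suppressed"] = dsdnsbl_accepts(r, "a.com", listed, now=0)
    r.suppressed.clear()
    out["dsbl_after_suppression"] = dsdnsbl_accepts(r, "a.com", listed, now=1)

    # 3) Cache lifetimes: the negative "not listed" answer ages out at the SOA minimum,
    #    the positive RMX record lives for its full TTL.
    r = Resolver(zones)
    dsdnsbl_accepts(r, "a.com", legit, now=0)
    rmx_accepts(r, "a.com", legit, now=0)
    out["negative_cached_until"] = r.cache[f"{legit}._dsbl.a.com"][0]
    out["positive_cached_until"] = r.cache["_rmx.a.com"][0]
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out the race itself (how a forged answer beats the real one) and only tracks what each check does with whatever lands in the cache; the point it isolates is that the RMX outcome is driven by the attacker's chosen TTL, while the DSDNSBL outcome is bounded by the zone's SOA minimum and by how long the attacker can keep responses from arriving.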
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg