nanog mailing list archives

Re: DNS question, null MX records

From: Mark Andrews <marka () isc org>
Date: Fri, 18 Dec 2009 16:44:39 +1100


In message <6eb799ab0912172126g1eac7e49ve8f803552f6dbd82 () mail gmail com>, James
 Hess writes:

On Thu, Dec 17, 2009 at 6:54 AM, Tony Finch <dot () dotat at> wrote:

On Wed, 16 Dec 2009, Douglas Otis wrote:  > more polite to use a nonexisten

t name that you control, but that doesn't   allow the source MTA to skip furt
her DNS lookups
If you want to be kind,  point the MX to an  A record that resolves to
127.0.0.1.
Common MX'es should immediately reject, and report a "configuration
error"/MX loop with the domain.

Your intent will also be clear, to just about everyone,  it will be
obvious the MX is intentionally broken.  Other tricks may be more
obscure,  will be less obvious  that you don't want mail, and may look
like a mistake  --  you might even get visitors to your domain
contacting you  to report the broken MX record.

An alternative to resolving MX to an invalid IP might be to cut to the
chase and just  make further  DNS lookups impossible altogether...

@                604800 IN MX                   MX.BOGUSMX
BOGUSNS  604800 IN  A                      0.0.0.0
BOGUSMX 604800  IN  NS                   BOGUSNS

Or  for that matter  delegate the subdomain to  255.255.255.255.
The recursive resolvers  already have to immediately reject DNS
delegation to broadcast addresses and the like.

Though  i'd be afraid of finding that some obscure resolver didn't......

[EG] "Gee thanks... some spammer exploited my open relay,  and your
broadcast NS delegation,  caused  my LAN to get swamped  by my mail
servers'  DNS lookups while it was trying to send the  10 million
spams to you...."

--
-J


Just document "MX 0 ." and be done with it.  MTA and MUA vendors
will update their products.  Most caching nameserver negatively
cache the non-existance of address records so the traffic is mostly
between the non-updated MTA and the recursive server.

2 queries (A and AAAA) every 3 hours won't kill the roots.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: DNS question, null MX records, (continued)
- - - Re: DNS question, null MX records Douglas Otis (Dec 16)
    - Re: DNS question, null MX records Joe Abley (Dec 16)
    - Re: DNS question, null MX records Douglas Otis (Dec 16)
    - Re: DNS question, null MX records Paul Vixie (Dec 16)
    - Re: DNS question, null MX records Douglas Otis (Dec 16)
    - Re: DNS question, null MX records Paul Vixie (Dec 16)
    - RE: DNS question, null MX records Jay Mitchell (Dec 18)
    - Re: DNS question, null MX records Tony Finch (Dec 17)
    - Re: DNS question, null MX records Douglas Otis (Dec 17)
    - Re: DNS question, null MX records James Hess (Dec 17)
    - Re: DNS question, null MX records Mark Andrews (Dec 17)
    - Re: DNS question, null MX records Tony Finch (Dec 18)
- RE: DNS question, null MX records *summary of on list and off list replies* Eric J Esslinger (Dec 15)
  - Re: DNS question, null MX records *summary of on list and off list replies* Phil Vandry (Dec 15)