Rogers: NXDOMAIN means NXSERVICE for you

December 31st, 2006

I’ve known of Rogers doing this for years, but of course, I forgot all about it until it happened to me.

About a month ago I was having problems with a Linksys WRT54G locking up sporadically. Knowing that some of the Linksys $10 routers have had issues under load, probably running out of memory for connection tracking, I configured a server running the SpamAssassin daemon (spamd) to forward all of its DNS queries to the DNS server assigned by Rogers via DHCP, in an attempt to reduce the amount of connection state the router had to keep for all the UDP queries.

That seemed to help a little, but not much. A firmware update released in December seems to have fixed it, but that's beside the point.

The problem with using Rogers' DNS servers is that they run a script over their query log that looks for clients sending a lot of queries that return NXDOMAIN, on the theory that such a client is a spam zombie or otherwise infected by malware. The script doesn't care what the queries were for, only that they returned NXDOMAIN. A DNSBL (or URIBL) answers NXDOMAIN for every address or domain it does not list, so if you're using SpamAssassin, or any other anti-spam method that consults a DNSBL, every lookup that doesn't hit comes back NXDOMAIN. Specifically, you'll get several of them for every message you check.

So anyway, without any notice (of course), Rogers disabled the high-speed internet service to the cable modem this was all sitting behind. After spending two hours on hold waiting to talk to someone, I managed to (a) get them to re-activate the service, (b) explain to the poor guy, who insisted I try to get a position in their networking department, why what they were doing was a pretty good idea but could be implemented better, and (c) find out that the daily threshold for NXDOMAIN query results is really low, as in "way less than 300". For someone filtering their own mail to one or two addresses, it'll probably take only a few minutes (and certainly no more than an hour) to hit 300 NXDOMAIN results. Mail to just my personal domain will trigger that in only a few seconds.

Once the service was re-activated, I configured BIND to forward all queries to my own DNS servers, which have a huge cache of "spam query" results (so it's probably faster than doing the queries recursively on this low-volume machine anyway).
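For reference, this is the shape of the BIND `named.conf` change that does the forwarding described above. It is an added example, not the configuration from the original post; the resolver addresses (documentation ranges) and the LAN prefix are placeholders.

```conf
options {
    // Hand every query to our own resolvers and never fall back to
    // recursing directly; "forward only" means the ISP-assigned servers
    // from DHCP are never consulted by this host.
    forward only;
    forwarders {
        192.0.2.53;      // placeholder: our first recursive server
        198.51.100.53;   // placeholder: our second recursive server
    };

    // Recursion must stay on for forwarding to work, and forwarded
    // answers (including the NXDOMAIN replies from the DNSBLs) are
    // cached here so repeated lookups never leave the box.
    recursion yes;

    // Keep the forwarder private to this host and the local LAN.
    listen-on { 127.0.0.1; 192.168.1.10; };
    allow-query { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
};
```

With `forward only`, a lookup fails rather than recursing if all forwarders are unreachable, which is the behaviour you want here: the fallback would be exactly the ISP server you are trying to keep the NXDOMAIN traffic away from. Also make sure the spamd host's `/etc/resolv.conf` points at this BIND instance rather than at the DHCP-supplied server.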

Anyway… Rogers could do better by paying attention to the number of distinct domains that are producing the NXDOMAIN results. In my case, all of the NXDOMAIN results were in response to queries under only a half dozen zones, like multi.surbl.org and multi.uribl.com. That's not a pattern consistent with a spam zombie, at least not an effective one (it could be one whose master host/domain has been kicked off the net). I'd think that the trade-off of not detecting infected but ineffective hosts, versus the false positives in cases like mine, would be acceptable, especially considering that Rogers blocks port 25 in and out, which is great.
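To make the two heuristics concrete, here is a toy version of the check run over a constructed query log, as an added example that is not code from the original post or from Rogers. The list zones multi.surbl.org and multi.uribl.com are the real ones named above; the IP-based list "dnsbl.example", the client addresses, the log format, the sender addresses and the thresholds are all hypothetical. It goes slightly beyond the post by building the actual DNSBL query names (reversed octets for IP lists, `<domain>.<zone>` for URI lists) so the "few zones, many NXDOMAINs" pattern of a mail filter is visible next to the "many unrelated zones" pattern of an infected host.

```python
import ipaddress
from collections import defaultdict

# Zones: the two URIBLs named in the post plus a hypothetical IP-based list.
URIBL_ZONES = ("multi.surbl.org", "multi.uribl.com")
IP_DNSBL_ZONE = "dnsbl.example"          # hypothetical IP-based list
ALL_ZONES = URIBL_ZONES + (IP_DNSBL_ZONE,)


def ip_dnsbl_qname(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the list zone (RFC 5782 style)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def uribl_qname(domain: str, zone: str) -> str:
    """Domain-based lists are queried as <domain>.<zone>."""
    return domain.rstrip(".") + "." + zone


def list_zone(qname: str) -> str:
    """Map a query name back to the list zone it was sent to, else its last two labels."""
    for zone in ALL_ZONES:
        if qname.endswith("." + zone):
            return zone
    return ".".join(qname.rstrip(".").split(".")[-2:])


def build_sample_log(messages: int = 400, probes: int = 350):
    """Constructed log lines of the form '<client> <qname> <rcode>'.

    192.168.1.10 plays the spamd host: every clean message yields one NXDOMAIN per
    list consulted, because a list answers NXDOMAIN for anything it does not list.
    192.168.1.20 plays an infected host resolving many unrelated non-existent names.
    """
    lines = []
    for i in range(messages):
        sender_ip = f"203.0.113.{i % 250 + 1}"     # TEST-NET-3 addresses, constructed
        url_domain = f"shop{i}.example.com"        # a domain found in the message body
        lines.append(f"192.168.1.10 {ip_dnsbl_qname(sender_ip, IP_DNSBL_ZONE)} NXDOMAIN")
        for zone in URIBL_ZONES:
            lines.append(f"192.168.1.10 {uribl_qname(url_domain, zone)} NXDOMAIN")
    for i in range(probes):
        lines.append(f"192.168.1.20 www.bot-c2-{i}.invalid NXDOMAIN")
    return lines


def analyse(lines, raw_threshold: int = 300, zone_threshold: int = 20):
    """Return per-client NXDOMAIN counts and the verdict of both heuristics.

    naive_flag    -- what the post describes Rogers doing: raw NXDOMAIN count per day.
    improved_flag -- the post's suggestion: additionally require many distinct zones.
    """
    nxdomain = defaultdict(int)
    zones = defaultdict(set)
    for line in lines:
        client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        nxdomain[client] += 1
        zones[client].add(list_zone(qname))
    report = {}
    for client, count in nxdomain.items():
        naive = count >= raw_threshold
        report[client] = {
            "nxdomain": count,
            "zones": len(zones[client]),
            "naive_flag": naive,
            "improved_flag": naive and len(zones[client]) >= zone_threshold,
        }
    return report


if __name__ == "__main__":
    for client, result in sorted(analyse(build_sample_log()).items()):
        print(client, result)
```

On this input the mail-filtering host produces 1200 NXDOMAIN answers in three zones and trips the raw-count check but not the distinct-zone check, while the probing host trips both. The zone threshold is a made-up number; the point is only that the extra dimension is cheap to compute from the same log.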

Anywho… if you're a Rogers High-Speed Cable Internet customer and you're running SpamAssassin, or anything else that does a lot of DNS queries, avoid using their DNS servers if you want to avoid having your connection disabled.

Entry Filed under: Email, Technology

8 Comments

  • 1. cdy  |  January 3rd, 2007 at 2:49 pm

    Are you using a business or home service?

  • 2. dos  |  January 3rd, 2007 at 3:21 pm

    This particular connection was a residential service filtering my personal mail. No outward facing network services are hosted on this connection. Regardless, I’ve seen the same thing happen to business class internet service from Rogers too.

  • 3. Rick Wesson  |  January 3rd, 2007 at 4:41 pm

    Point your resolver at opendns.org; they are fast and won't filter your requests.

    Give it a try. I bet it's even faster than Rogers' DNS servers.

    Their name servers are anycasted too
    208.67.222.222
    208.67.220.220

  • 4. dos  |  January 3rd, 2007 at 5:07 pm

    Hi Rick,

    Forwarding to my own recursive DNS servers is working fine. Actually, now that the firmware issue with the router is resolved, I could probably skip the forwarding all together… but I might as well use my extensive cache.

    One problem people should be aware of with using OpenDNS with their mail servers, though, is that you need to disable their typo correction feature to avoid false positives when doing DNSBL, and other DNS based, lookups.

    http://www.opendns.com/faq/#mail_server

  • 5. Andy Muller  |  January 31st, 2007 at 8:55 pm

    We also have been using Rogers Business solutions. We pay for business connectivity, $200/mth, and use an Exchange server with a spam appliance that naturally hits the DNS servers frequently. Yup, they have disconnected us many times. Told us to stop using the DNS server. What a crock. We are not a homeowner using a mail server. No choice to move to another provider. Can not convince Rogers what we are doing is legit traffic. They don't seem to care.

  • 6. dos  |  February 1st, 2007 at 5:31 pm

    Hi Andy,

    I know it’s a pain (especially when they cut you off without notice and you assume it’s just good ol’ reliable cable) but I’m actually glad to see that they’re doing what they can to ensure that their network isn’t a source of problems for the rest of us. I’d just like to see them do a better job of it. There’s no reason that this problem couldn’t be eliminated with the change of maybe a dozen lines of code in under five minutes.

    Changing your DNS topology so that you avoid their name servers is painless and effective. I’ve had no problems with them on connections that didn’t use their name servers.

    If you’d like to forward queries to someone else’s name servers, rather than do the queries directly on your own server, OpenDNS is a safe choice. They’ve recently permanently disabled their typo correction feature for both of the public URIBLs. They did the same thing for DNSBLs back in the summer.

    I know that dealing with Rogers can be a pain in the ass, but their $200 connection can (depending on the cable network you’re on) be reliable enough to not need to shell out $400 a month to Bell for ADSL, and a /27, with no bandwidth caps. That is unless you’re one of the few who can live with a 15GB cap for $140 a month. There’s also the $90 a month unlimited SDSL with a single static IP that’s an option. Of course, it sounds like you’re in no-DSL land, so none are an option for you.

  • 7. Andy Muller  |  February 1st, 2007 at 10:55 pm

    Thanks for the comments.
    We also can not create a PTR record for our mail server.
    Rogers refuses to do so. Why??

    The only thing I can think of is that our static IP is really not a static IP.
    It is a dynamic IP that does not renew, or they renew the same IP to our managed router. Am I making sense?

  • 8. dos  |  February 3rd, 2007 at 5:42 pm

    Most really large providers won’t set custom PTR records for single IPs. Rogers falls in that category. Most regional ISPs will though.

    If you’re paying for a static IP from Rogers (which I believe the $200 plan includes 1… I can’t remember what up to 8 IPs costs) it’s a static IP — it doesn’t matter that it’s configured via DHCP. Unlike dynamic IP’d connections, you won’t lose the IP if you don’t renew it for a while (IIRC their expire time is somewhere around 24 or 36 hours).

    Anyway… if you want to send mail directly, your best bet is to set your mail server to HELO as whatever your IP's PTR record resolves to. As long as the IP isn't also in a DNSBL, like Sorbs' DUHL list (even though it's static), you'll be able to send mail to most systems. If it is listed in common DNSBLs, you're best off smarthosting through Rogers' mail system (which is run by Yahoo!) or someone else's mail system that has a better reputation than Yahoo!'s (via port 465 or 587).


Ohloh profile for Daryl C. W. O'Shea