Archive for December, 2006

Rogers: NXDOMAIN means NXSERVICE for you

I’ve known of Rogers doing this for years, but of course, I forgot all about it until it happened to me.

About a month ago I was having problems with a Linksys WRT54G locking up sporadically. Knowing some of the Linksys $10 routers have had issues under load, probably running out of memory or something, I configured a server running a SpamAssassin daemon (spamd) to forward all of it’s DNS queries to the DNS server assigned by Rogers via DHCP in an attempt to decrease the amount of state data the router had to keep track of for all the UDP queries.

That seemed to help a little, but not much, a firmware update released in December seems to have fixed it, but that’s besides the point.

The problem with using Rogers’ DNS server is that they run a script on their query log that looks for clients who send a lot of queries that result in NXDOMAIN, indicating a machine that could be a spam zombie or otherwise infected by malware. The problem is that the script doesn’t care what the queries were for, just that they returned NXDOMAIN. So if you’re using SpamAssassin, or any other anti-spam method, and are using any sort of DNSBL, you’re going to end up getting a lot of NXDOMAIN results. Specifically, you’re going to get lots of them for every message you check.

So anyway, without any notice (of course), Rogers disabled the highspeed internet service to the cable modem this was all sitting behind. After spending two hours on hold waiting to talk to someone, I managed to (a) get them to re-activate the service, (b) tell the poor guy who insisted I try and get a position in their networking department why what they were doing was a pretty good idea, but could be implemented better, and (c) find out that the threshold for NXDOMAIN query results in a single day is really low, as in “like way less than 300″. For someone filtering their own mail to one or two addresses, it’ll probably only take them a few minutes (and certainly no more than an hour) to hit 300 NXDOMAIN results. I know that mail to just my personal domain will trigger than in only a few seconds.

Once the service was re-activated, I configured Bind to forward all queries to my own DNS servers which have a huge cache or “spam query” results (so it’s probably faster than just doing the queries recursively on this low volume machine).

Anyway… Rogers could do better by paying attention to the number domains that are causing the NXDOMAIN results. In my case, all of the NXDOMAIN results were in response to queries to only a half dozen domains, like multi.surbl.org and multi.uribl.com. Certainly not a pattern consistent with a spam zombie — at least not an effective one (it could be one who’s master host/domain has been kicked off the net). I’d think that the trade off in not detecting infected, but ineffective, hosts over the false positives in cases like mine would be acceptable, especially considering that Rogers blocks port 25 in and out — which is great.

Anywho… if you’re a Rogers Highspeed Cable Internet customer, and you’re running SpamAssassin, or whatever, or do a lot of DNS queries for some other reason, I’d avoid using their DNS servers if you want to avoid having your connection disabled.

8 comments December 31st, 2006


Calendar

December 2006
M T W T F S S
« Nov   Jan »
 123
45678910
11121314151617
18192021222324
25262728293031

Posts by Month

Posts by Category

Ohloh profile for Daryl C. W. O'Shea

LinkedIn

Apache SpamAssassin