From: W B Hacker Date: To: exim users Subject: Re: [exim] Tricky DNS servers [OT]
Hi Marc,
Marc Perkel wrote:
> I have a few weird ideas
I suspect that part has long-since been taken as 'stipulated'....
;-)
> and would need a smart DNS server of some sort
> to pull it off. Basically looking for a programmable backend that might
> do DNS lookups itself.
>
> Here's a possible example. There are servers out there that return
> country codes of IP addresses. But what about a country code for a host
> name? You would have to do an IP lookup on the host and then use the IP
> to get a country code.
>
> So - is there source code for something like this or a DNS server with a
> scripting language?
>
Depends on what percentage of traffic you need/want to research, and how
often it is likely to change.
Basically, you probably don't need a 'real' DNS critter, nor frequent
off-box lookups, at all. Avoidable delay. Avoidable overhead to do it
another way.
Ex: To the extent an MTA (or any other app) relies on the OS for
resolutions, a file or DB can be given top of the food chain priority in
the resolver config (/etc/resolv.conf and spitniks or equivalent).
That being checked first, any known 'bad actors' can be given wotever
return you choose to place there.
Take browsing as an example: Mine has 3 or 4 thousand entries that
divert Facepoop, Twitshit, Google Anals, Ewetoob, all other social
diseases, trackers and advertising sites I have been able to ID or
download DBs of to localhost.
IOW 'You cannot get THERE from HERE'.
Faster, cleaner, less annoying browsing ensues. MUCH faster. Safer as
well, one supposes.
Back to an MTA:
A LBL handles the same on SUBMITTED traffic. So far I haven't needed
much in the way of preventing an outbound send.
But it shouldn't be all that different to sequester MTAs you don't want
to deal with. A dynamic, DB-driven LBL need not be DNS entangled, so
long as you have an external mechanism - manual or automated - to feed it.
As to country code and GEOIP?
More unpredictable holes in those than a colander handmade in the dark
by a drunk... too much pain, too little gain to bother with it.
LBL an entire <tld>? Sure. .tv, .info and the like.
But generally NOT an entire country code. Go for the careless network
operator's assigned blocks, not their location.
I doubt I have over 70% of the worst-case former East Bloc or Brazilian
networks blocked, and not even 10% of China, Korea, Taiwan.
Not permanently anyway. But I have their worst 'bad boys' LBL'd
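The approach sketched in the reply above (a local block list keyed on the careless operator's assigned network blocks and on whole TLDs, plus a hosts-file diversion of unwanted names to localhost, with no DNS or GeoIP lookup in the path) as an added example. This is illustration code written for this page, not code from the poster or from the Exim project; the network blocks, TLDs, host names and connection records are constructed sample data, and the three-way accept/deny/defer verdict is an assumed convention, not an Exim ACL.

```python
import ipaddress

# Constructed sample block list (documentation ranges, not real offenders).
# Blocks are the operator's assigned networks, not a country; the reply
# above recommends exactly that granularity.
BLOCKED_NETS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:bad::/48")
]
# Whole TLDs the poster is willing to block outright.
BLOCKED_TLDS = {"tv", "info"}
# Constructed names to divert to localhost in a hosts file.
DIVERTED_HOSTS = ("tracker.example.net", "ads.example.org")


def normalize_host(name):
    """Lower-case a host name and strip the trailing dot a resolver may return."""
    return name.strip().rstrip(".").lower()


def tld_of(name):
    """Return the last label of a host name, or '' for a bare label like 'localhost'."""
    name = normalize_host(name)
    return name.rsplit(".", 1)[-1] if "." in name else ""


def verdict(client_ip, client_name=None):
    """Screen one connecting client against the local block list.

    Returns ("accept", None), ("deny", reason) or ("defer", reason).
    An unparsable address is deferred rather than silently accepted, so a
    malformed input cannot slip past the list.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return ("defer", "unparsable client address %r" % (client_ip,))
    for net in BLOCKED_NETS:
        # Compare only same-family addresses; v4 never matches a v6 block.
        if addr.version == net.version and addr in net:
            return ("deny", "client %s in blocked network %s" % (addr, net))
    if client_name:
        tld = tld_of(client_name)
        if tld in BLOCKED_TLDS:
            return ("deny", "client name %s in blocked TLD .%s"
                    % (normalize_host(client_name), tld))
    return ("accept", None)


def hosts_file_lines(names, target="127.0.0.1"):
    """Render hosts(5) lines diverting each name to localhost, deduplicated and sorted."""
    return ["%s %s" % (target, n) for n in sorted({normalize_host(n) for n in names})]


def screen(connections):
    """Apply verdict() to (ip, name) pairs; returns (ip, action, reason) rows."""
    return [(ip, *verdict(ip, name)) for ip, name in connections]


if __name__ == "__main__":
    # Constructed sample connections.
    sample = [
        ("192.0.2.77", "mail.example.com"),
        ("203.0.113.5", "mx.spam.TV."),
        ("203.0.113.9", "relay.example.org"),
        ("not-an-ip", None),
    ]
    for row in screen(sample):
        print(*row)
    print("\n".join(hosts_file_lines(DIVERTED_HOSTS)))
```

The list is consulted entirely in memory; feeding it from a file or DB is the "external mechanism" the reply leaves to the operator. Note that the TLD check keys on the name the client presents or that reverse DNS returns, so it is only as trustworthy as that name; the network-block check needs no lookup at all.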