Re: relays.ordb.org blacklisting all IPs (fwd)

Re: relays.ordb.org blacklisting all IPs (fwd)

on 02.04.2008 03:16:00 by aoberlin

On Mar 30, 6:34 pm, Res wrote:
> On Sun, 30 Mar 2008, Clemens Zauner wrote:
> > Oh. Great. Because one's too f***ing stupid to maintain one's mailserver
> > he's going to tinker with other people's zones in his DNS setup. Yeah,
> > that's the way to go. As it shows the same clue-level regarding email
> > and DNS.
>
> yup, because I don't assume all corporate clients with their own
> mailservers are gurus, I implemented that workaround for osirusoft
> years ago, as not every client can have their IT contractor drop
> everything and attend to their problems on a weekend for instance.
> It was appreciated by our clients and that's all *I* care about, I don't
> care about anything else so long as they are happy.
>
> --
> Cheers
> Res
>
> mysql> update auth set Framed-IP-Address='127.0.0.127' where user= 'troll';

I guess some people just don't have a clue about the contracting
world. There are many companies out there that only call when they
have a problem or just have a contract computer company come in for a
couple hours every now and then to check stuff out. Just because these
companies don't have a full time IT person or a budget that allows
them to, doesn't mean they deserve to have their company's e-mail
taken down because people decide to be idiots. Really, honestly, is
it too much to ask to have them make some changes to their DNS. They took
on the responsibility of hosting this service they should respect that
responsibility and do the right thing. Imagine how much money was
spent on troubleshooting this problem around the nation. I know that
Astaro had to release a patch for it.

For all you negative nancys, oh how nice it would be to sit back and
throw jabs and act like you know what the hell you are talking about
on a little forum. I can pretty much guarantee you that I solve more
problems in 1 week than most of you will solve in a year. That's the
one thing I hate about this field is all the arrogant a-holes that act
like they know everything. I hate to tell you this but if you think
you know everything about computers and networks you don't have a clue.

P's out,

Keep up the good fight Res

Re: relays.ordb.org blacklisting all IPs (fwd)

on 02.04.2008 06:09:42 by gtaylor

On 4/1/2008 8:16 PM, aoberlin@gmail.com wrote:
> I guess some people just don't have a clue about the contracting
> world. There are many companies out there that only call when they
> have a problem or just have a contract computer company come in for a
> couple hours every now and then to check stuff out. Just because these
> companies don't have a full time IT person or a budget that allows
> them to, doesn't mean they deserve to have their company's e-mail
> taken down because people decide to be idiots. Really, honestly, is
> it too much to ask to have them make some changes to their DNS. They took
> on the responsibility of hosting this service they should respect that
> responsibility and do the right thing. Imagine how much money was
> spent on troubleshooting this problem around the nation. I know that
> Astaro had to release a patch for it.

Question(s):
- How do you get people that are querying a dead system to stop
querying it?
- How many months / years should someone pay for a service bandwidth
for a service that has been dead for 14+ months? 2 years? Longer?
- How long are you willing to pay to host 50 GB of traffic a month for
a service that is dead?
- What would you do that is different than what ORDB has done?

> For all you negative nancys, oh how nice it would be to sit back and
> throw jabs and act like you know what the hell you are talking about
> on a little forum. I can pretty much guarantee you that I solve more
> problems in 1 week than most of you will solve in a year. That's the
> one thing I hate about this field is all the arrogant a-holes that act
> like they know everything. I hate to tell you this but if you think
> you know everything about computers and networks you don't have a clue.

Rather than throwing jabs yourself, how about throwing down some
information for discussion? Please answer the above questions. Please
persuade me ("show me the light" if you will) why and / or how what ORDB
did was wrong and explain what you would have done different. Will your
solution hold up now, 1 month from now, 1 year from now, 5 years from
now? Would you still be willing to pay for the resources for your
defunct service 5 or 10 years from now?



Grant. . . .

Re: relays.ordb.org blacklisting all IPs (fwd)

on 02.04.2008 07:58:39 by gtaylor

On 4/1/2008 11:30 PM, Res wrote:
> This is exactly the point, the entire domain is moot, removing the
> name servers from zone, setting them to 127.0.0.1, dropping the zone
> since they don't want it, it has no use these days. It has no A
> records, www has no A records, it has no MX record, but yet they
> still have records to block everyone querying *.relays.ordb.org
> petty absolutely fucking petty.

For the sake of the ongoing discussion please clarify what you want
ORDB to do and where you would like them to do it.

Are you wanting ORDB to:
- Remove NS records for the relays.ordb.org sub-domain from the
ordb.org zone?
- Set the A record referenced in the glue records for the
relays.ordb.org sub-domain to 127.0.0.1?
- Remove all references to the relays.ordb.org sub-domain?
- Remove all ORDB zones?
- Set glue records with Tucows to 127.0.0.1?
- Remove the glue records with Tucows if possible?

> since you're in the business of calling others, I'll call you, show me
> the evidence they are hit with 50G a month

Fair enough. I will first say that I do not have any "evidence" per se
(logs, reports, etc from ORDB), but I can run (what I believe to be)
extremely conservative numbers to come up with the amount of traffic
that their DNS servers would see.

Please reference my 2nd & 3rd message in the Google archive
http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/8a634fe99fe90ab5#

From my second message you can see how I derived the size of queries
and replies. Below are the formulas that I used to run the numbers.

I found that there were (approximately) 246 country codes. I'm going to
presume that ORDB is receiving at least one query per second per country
code. I feel confident that this is a very safe number to use.

Per my other posts, I found that a query is 85 bytes and a reply is 202
bytes, making a query and reply 287 bytes.

If we take the 85 (bytes per query) * 246 (country codes) is 20910 bytes
per second or 20.9 kB per second of DNS query traffic.

If we take the 85 (bytes per query) * 246 (country codes) * 60 (seconds
per minute) * 60 (minutes per hour) * 24 (hours per day) is 1806624000
bytes per day or 1806624 kB per day or 1806.6 MB per day or 1.8 GB per
day of DNS query traffic.

If we take the 85 (bytes per query) * 246 (country codes) * 60 (seconds
per minute) * 60 (minutes per hour) * 24 (hours per day) * 30 (days per
month) is 54198720000 bytes per month or 54198720 kB per month or
54198.7 MB per month or 54.1 GB per month of DNS query traffic.

If we use the same equations with the size of the reply and the size of
the query and reply combined we get the following numbers:

DNS reply traffic
202 * 246 = 49692 B or 49.69 kB per second
202 * 246 * 60 * 60 * 24 = 4293388800 B or 4293388.8 kB or 4293.3 MB or
4.2 GB per day
202 * 246 * 60 * 60 * 24 * 30 = 128801664000 B or 128801664 kB or
128801.6 MB or 128.8 GB per month

Combined DNS query and reply traffic
287 * 246 = 70602 B or 70.6 kB per second
287 * 246 * 60 * 60 * 24 = 6100012800 B or 6100012.8 kB or 6100 MB or
6.1 GB per day
287 * 246 * 60 * 60 * 24 * 30 = 183000384000 B or 183000384 kB or
183000.3 MB or 183 GB per month

I think it is fairly obvious that this is a LOT of traffic that has to
be absorbed by someone's DNS servers. What is worse is that this amount
of traffic is very unlikely to taper off very fast at all if nothing is
done to encourage people to stop querying the servers. Hence why I
believe ORDB decided to switch to collateral damage after being closed
for 14+ months all the while handling 183 GB (or more) traffic for a
defunct service.

With these numbers in mind, let's see how what I believe you are wanting
ORDB to do stacks up.

- Remove NS records for the relays.ordb.org sub-domain from the
ordb.org zone?

Systems will still be querying the ordb.org zone for the sub-domain,
thus the traffic numbers still apply. Adjust the size of queries and
replies for the sizes of packets if need be. However this number will
still be very large.

- Set the A record referenced in the glue records for the
relays.ordb.org sub-domain to 127.0.0.1?

(same as above)

- Remove all references to the relays.ordb.org sub-domain?

(same as above)

- Remove all ORDB zones?

Systems will still query the ORDB zone name servers looking for
records. Still very similar to above.

- Set glue records with Tucows to 127.0.0.1?

Root name servers will still receive traffic looking for the name
servers for the ORDB zone.

- Remove the glue records with Tucows if possible?

Root name servers will still be queried.

What is worse with doing the above is that most of the systems that are
still querying ORDB after being closed for 14+ months will continue to
do so for quite a while to come. What incentive do all the companies
like aoberlin is referring to have to bring someone in to correct the
problem if at worst they have a DNS timeout per message passing through
their system? How long do you think it will be before someone does
remove ORDB from the config? I'm betting that ORDB will stay in the
config until the system is replaced with something new, so most likely
sometime within the next 5 years (give or take). What if someone
copies the old config to the next system? How many new systems down the
road will be able to use the old config file or .mc file? Let's say 3
generations with a 5 year life cycle. Now we are up to 11 years if we
say the replacement cycle is every 3 years and we take off the 14 months
that have passed. All this time will add up to a *LOT* of wasted
bandwidth and $$$ because people do not update their config.

This is why I think it perfectly reasonable for ORDB to resort to some
action that will ensure that people will want to update their config.
ORDB has been defunct for 14+ months. Any one that was going to update
their config on their own accord has done so already. I'm willing to
bet that a very large majority of systems that were querying ORDB a week
ago are no longer querying ORDB. Let's just say that the number is cut
by 10%. Here is a simple list of the number of queries per second for
each week for the next 6 months:

Week Query / Sec
1 246
2 221.4
3 199.2
4 179.2
5 161.2
6 145
7 130.5
8 117.4
9 105.6
10 95
11 85.5
12 76.9
13 69.2
14 62.2
15 55.9
16 50.3
17 45.2
18 40.6
19 36.5
20 32.8
21 29.5
22 26.5
23 23.8
24 21.4

If I run the numbers out with a 10% drop per week, all queries should be
stopped by 60 weeks. For the curious, if the number of queries per
week is cut in half, within 13 weeks all queries should be stopped.
Cut in to a quarter and you are down to 7 weeks.

Compare the operational costs of doing this versus answering queries for
the coming years.



Grant. . . .

Re: relays.ordb.org blacklisting all IPs (fwd)

on 02.04.2008 08:57:09 by spam

wrote in message
news:2582e793-3ebf-41cc-ae5a-30844c2f2bdb@e39g2000hsf.googlegroups.com...
> For all you negative nancys, oh how nice it would be to sit back and
> throw jabs and act like you know what the hell you are talking about
> on a little forum. I can pretty much guarantee you that I solve more
> problems in 1 week than most of you will solve in a year. That's the
> one thing I hate about this field is all the arrogant a-holes that act
> like they know everything. I hate to tell you this but if you think
> you know everything about computers and networks you don't have a clue.


Maybe that's because some of us learn about such things and make changes
BEFORE any problems arise.

I don't claim to know "everything" but I do keep up with services I actually
use.

Re: relays.ordb.org blacklisting all IPs (fwd)

on 07.04.2008 12:37:01 by unknown

Post removed (X-No-Archive: yes)

Re: relays.ordb.org blacklisting all IPs (fwd)

on 07.04.2008 18:29:30 by gtaylor

On 04/07/08 05:37, Res wrote:
> To this, or a blackhole IP so it creates timeouts trying to connect

Please clarify "blackhole IP".

> That won't matter because they will still as you rightfully pointed out
> get 'hit'

*nod*

> This would be a second best guess, and maybe the best, they clearly are
> not using the domain at all, they have no sub domains and have no mx, so
> it's really a 'dead' domain.

This would tie the domain up and prevent re-registration while making it
impossible to query the zone.

> This really is very little for DNS.

Agreed. I was just trying to show an example using some numbers that I
thought we could all agree on and look at the resulting amount of
traffic without disagreeing on the basis for the math.

> I do note, upon a check tonight, that (within the past week at least)
> they have changed their msg...
>
> "1.2.3.4.relays.ordb.org descriptive text "ordb.org was shut down on
> December 18, 2006. Please remove from your mailserver."
>
> This is far more informative than the crap they gave a week ago that
> basically only said POQ.

Agreed.

However, I'm seeing different results when I do the same test.

> nslookup 206.152.114.68.relays.ordb.org
Server: 206.152.114.66
Address: 206.152.114.66#53

Non-authoritative answer:
Name: 206.152.114.68.relays.ordb.org
Address: 127.0.0.2


> nslookup -query=ns ordb.org
Server: 206.152.114.66
Address: 206.152.114.66#53

Non-authoritative answer:
ordb.org nameserver = koala.droso.dk.
ordb.org nameserver = auth02.ns.tele.dk.

Authoritative answers can be found from:
koala.droso.dk internet address = 87.51.32.6
auth02.ns.tele.dk internet address = 194.192.207.166


> nslookup 1.2.3.4.relays.ordb.org koala.droso.dk
Server: koala.droso.dk
Address: 87.51.32.6#53

Name: 1.2.3.4.relays.ordb.org
Address: 127.0.0.2


> nslookup 1.2.3.4.relays.ordb.org auth02.ns.tele.dk
Server: auth02.ns.tele.dk
Address: 194.192.207.166#53

** server can't find 1.2.3.4.relays.ordb.org: SERVFAIL

As you can see, koala is still reporting the 127.0.0.2 address.

> A typical ISP's name server would see this easily, each of ours do anyway.

Agreed. (See above about the amount of traffic.)

> As they do for trillions of other rubbishy domains, that's why they are
> localised with BGP to distribute the loads.

*nod*

> Again, this is the risk they take when operating such a service, it is
> also why most use BGP to geographically locate servers, if ordb ran only
> their servers in one location they have no one else to blame but
> themselves, running an RBL is just like running an IRC server, you must
> expect the shit to hit the fan more than once :)

Ok...



Grant. . . .
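
A health check a mail administrator could run against each configured DNSBL, given here as an added example that is not part of the original posts: RFC 5782 requires an IPv4 list to contain an entry for 127.0.0.2 and never one for 127.0.0.1, so a zone that answers for 127.0.0.1 is listing every address, which is what koala returns in the lookups above. The zone name `dnsbl.example.invalid` and the three stand-in resolvers are constructed for illustration so the code runs offline.

```python
import socket

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_lookup(name):
    """A records for name; [] if the name does not exist; None on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        no_such_name = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)}
        return [] if exc.errno in no_such_name else None

def check_dnsbl(zone, lookup=system_lookup):
    """Classify a DNSBL zone using the RFC 5782 test addresses."""
    must_list = lookup(dnsbl_name("127.0.0.2", zone))      # test entry, always listed
    must_not_list = lookup(dnsbl_name("127.0.0.1", zone))  # must never be listed
    if must_list is None or must_not_list is None:
        return "unreachable"       # SERVFAIL or timeout
    if must_not_list:
        return "lists-everything"  # wildcard answer: every sender looks listed
    if not must_list:
        return "no-test-entry"     # zone answers but is empty or abandoned
    return "healthy"

# Constructed resolvers standing in for the behaviours seen in the thread.
def wildcard_zone(name):   # answers 127.0.0.2 for any name, like koala above
    return ["127.0.0.2"]

def servfail_zone(name):   # fails every lookup, like auth02 above
    return None

def working_zone(name):    # lists only the mandatory test entry
    return ["127.0.0.2"] if name.startswith("2.0.0.127.") else []

if __name__ == "__main__":
    for label, fake in [("wildcard", wildcard_zone), ("servfail", servfail_zone),
                        ("working", working_zone)]:
        print(label, check_dnsbl("dnsbl.example.invalid", lookup=fake))
```

Run from cron with the default `system_lookup` against the zones named in the mail server's configuration, any result other than `healthy` is a reason to take that list out of the config.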

Re: relays.ordb.org blacklisting all IPs (fwd)

on 08.04.2008 03:42:30 by unknown

Post removed (X-No-Archive: yes)

Re: relays.ordb.org blacklisting all IPs (fwd)

on 08.04.2008 06:33:46 by gtaylor

On 4/7/2008 8:42 PM, Res wrote:
> 169.254.0.1 is typically used

*nod*

I take it that blackholed means any IP address that should not be routed
across the internet?

> Yes it would, so maybe suggestion "A" is in fact more appropriate

Probably.

> maybe 'tele' dumped it :)

*nod*

> Guess we'll have to agree to disagree on how this should have been handled?

Works for me.



Grant. . . .

Re: relays.ordb.org blacklisting all IPs (fwd)

on 08.04.2008 08:50:46 by unknown

Post removed (X-No-Archive: yes)