On 4/10/2021 6:55 AM, Jared Hall wrote:
> Rob, I gotta say that I am impressed with the whole Spamhaus-dqs
> program and their use of customer keyed DNS zone queries. Seems to be
> the way around the client DNS forwarder issues. How are you guys at
> Invaluement tracking in that area?
I'm not sure I'm understanding what you're saying? Are you referring to
the fact that their paid customers doing direct queries (NOT the free
stuff!) - use zone names that have a unique key embedded into the actual
zone - so that the queries can then be distinguished by this unique key?
- thus eliminating the need to use the client's local DNS servers'
public IP as the method of allowing/denying direct queries? Is that what
you're referring to?
> Seems to be the way around the client DNS forwarder issues
If I'm correct about what you meant - then yes - this eliminates
problems that used to happen when trying to track customers, and
permission, by IP - because when tracking by an embedded code - then it
doesn't matter from WHERE the queries come - and queries that come from
public DNS servers (8.8.8.8 or 1.1.1.1) - can be distinguished one from
the other - whereas when not doing this - it's impossible to
distinguish the queries from each other and know who is doing them. This
became especially important because so often the default caching DNS
server gets auto-flipped to 8.8.8.8, sometimes without the IT person's
knowledge! And many IT people think that pointing to 8.8.8.8 is the
textbook way to set up DNS - and have never even heard of things like BIND.
Is THAT what you're talking about?
If so, at invaluement, we've been doing this for 3 years now - but we
still have a lot of work to do in migrating many long-time customers
over to our new system. And it was developed before I even knew that
Spamhaus was doing it this way, and this involved some extremely
complex custom modifications of rbldnsd (I couldn't afford to hire an
expensive high-quality C++ programmer at the time - so it took me about
100 hours of very intense programming to do that! It didn't help that
I'm not very good at C++!). I'm not even sure when Spamhaus started this.
Our new system for doing this now involves 86 servers in 43 cities
around the world - which enables our clients to get their queries
answered much faster due to accessing an invaluement DNS server with an
extremely close geolocation. Queries then tend to get answered in a very
low number of milliseconds - often <10ms.
-- Rob McEwen
https://www.invaluement.com +1 (478) 475-9032
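The customer-keyed query scheme discussed in this message, as an added example that is not invaluement's, Spamhaus's or rbldnsd's code: the base zone name, the eight-character key format, the customer table and the listed address are constructed assumptions. It shows why the key, not the resolver's source address, identifies the customer, and contrasts it with the older source-IP check that a public resolver such as 8.8.8.8 defeats.

```python
import ipaddress
import re

BASE_ZONE = "dnsbl.example"          # assumed zone name, not a real one
# Constructed customer table: key -> (customer, subscription active?)
CUSTOMERS = {
    "k7f3a9c2": ("alice-mail", True),
    "b4d2e1f0": ("bob-mail", False),   # lapsed: key still known, access denied
}
# Constructed listing data, stored reversed-octet as DNSBL zones do
LISTED = {"2.0.0.127"}


def build_query(ip, key):
    """Client side: reverse the octets and put the customer key in the name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + f".{key}.{BASE_ZONE}."


QNAME_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.([0-9a-z]{8})\." + re.escape(BASE_ZONE) + r"\.$"
)


def answer_keyed(qname, resolver_ip):
    """Server side: the key identifies the customer; resolver_ip is only logged."""
    m = QNAME_RE.match(qname)
    if not m:
        return "REFUSED", None            # no key in the name: not a customer query
    rev_ip, key = m.groups()
    customer, active = CUSTOMERS.get(key, (None, False))
    if not active:
        return "REFUSED", customer        # unknown key or lapsed subscription
    return ("127.0.0.2" if rev_ip in LISTED else "NXDOMAIN"), customer


def answer_by_ip(qname, resolver_ip, allowed):
    """Legacy scheme for contrast: access decided by the resolver's source IP."""
    if resolver_ip not in allowed:
        return "REFUSED", None            # a public resolver is nobody's IP
    rev_ip = ".".join(qname.split(".")[:4])
    return ("127.0.0.2" if rev_ip in LISTED else "NXDOMAIN"), allowed[resolver_ip]
```

Two customers querying through the same public resolver are told apart by `answer_keyed`, while `answer_by_ip` refuses both.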