
Verisign DNS Wildcards

On Monday September 15, 2003 the VeriSign Corporation added a wildcard A record to the .COM and .NET Top Level Domain zones in the Domain Name System, resolving to 64.94.110.11 (sitefinder.verisign.com). This is referred to as the Site Finder service, and is explained more fully at their Best Practices page (see section 3.2.2 for SMTP handling) and their Implementation page (see section 2.3.2 for SMTP handling).

The Internet community has responded very negatively to this action on VeriSign's part, which is legally quite questionable and certainly causes technical issues for many programs. The Internet Architecture Board's response may be read here. Additionally, the Internet Software Consortium has announced plans to provide a patch to BIND which will prevent resolution of the wildcard for those networks which use an up-to-date version of BIND (a figure I'd estimate to be about 5% of the Internet).

This action negatively impacts email programs specifically in the following ways:
NXDOMAIN returns: Mail Transfer Agents rely on DNS resolution to find each other. In the normal course of events, the resolver looks up MX records first; if none exist, A records are used instead. If the domain is not registered, the result of either query is NXDOMAIN.

Following the wildcard record insertion, non-existent .COM and .NET domain A record requests resolve with NOERROR and an IP address, in the same fashion as valid domains. This effectively removes the world-wide email network's first-level detection of invalid email addresses in the .COM and .NET domains. The following examples illustrate the problem:

NORMAL RESOLUTION OF A NON-EXISTENT DOMAIN

[jack@gracie jack]$ dig -t mx aerlgjqkgjn.org
; <<>> DiG 9.2.1 <<>> -t mx aerlgjqkgjn.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6303
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;aerlgjqkgjn.org.               IN      MX
;; AUTHORITY SECTION:
org.                    10800   IN      SOA     tld1.ultradns.net. domadmin.ultradns.net. 2003177823 1800 900 604800 86400
;; Query time: 59 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 16 09:22:26 2003
;; MSG SIZE  rcvd: 95
==========================================================================================================================
[jack@gracie jack]$ dig -t a aerlgjqkgjn.org
; <<>> DiG 9.2.1 <<>> -t a aerlgjqkgjn.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60226
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;aerlgjqkgjn.org.               IN      A
;; AUTHORITY SECTION:
org.                    10070   IN      SOA     tld1.ultradns.net. domadmin.ultradns.net. 2003177823 1800 900 604800 86400
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 16 09:34:36 2003
;; MSG SIZE  rcvd: 95
==========================================================================================================================
DAMAGED RESOLUTION OF A NON-EXISTENT DOMAIN
[jack@gracie jack]$ dig -t mx aerlgjqkgjn.com
; <<>> DiG 9.2.1 <<>> -t mx aerlgjqkgjn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30438
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;aerlgjqkgjn.com.               IN      MX
;; AUTHORITY SECTION:
com.                    10800   IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 2003091600 1800 900 604800 86400
;; Query time: 95 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 16 09:21:43 2003
;; MSG SIZE  rcvd: 106
==========================================================================================================================
[jack@gracie jack]$ dig -t a aerlgjqkgjn.com
; <<>> DiG 9.2.1 <<>> -t a aerlgjqkgjn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27464
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; QUESTION SECTION:
;aerlgjqkgjn.com.               IN      A
;; ANSWER SECTION:
aerlgjqkgjn.com.        900     IN      A       64.94.110.11
;; AUTHORITY SECTION:
com.                    172800  IN      NS      l.gtld-servers.net.

;; Query time: 121 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 16 09:35:36 2003
;; MSG SIZE  rcvd: 481
==========================================================================================================================
NORMAL RESOLUTION OF AN EXISTING DOMAIN
[jack@gracie jack]$ dig -t mx monkeynoodle.org
; <<>> DiG 9.2.2 <<>> -t mx monkeynoodle.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47886
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;monkeynoodle.org.              IN      MX
;; ANSWER SECTION:
monkeynoodle.org.       86400   IN      MX      30 pdx.monkeynoodle.org.
monkeynoodle.org.       86400   IN      MX      10 felix.monkeynoodle.org.
monkeynoodle.org.       86400   IN      MX      20 gracie.monkeynoodle.org.
;; AUTHORITY SECTION:
monkeynoodle.org.       86400   IN      NS      ns.monkeynoodle.org.
monkeynoodle.org.       86400   IN      NS      ns.tsoft.net.
;; ADDITIONAL SECTION:
felix.monkeynoodle.org. 86400   IN      A       198.144.201.9
gracie.monkeynoodle.org. 86400  IN      A       198.144.208.28
pdx.monkeynoodle.org.   86400   IN      A       12.203.12.195
ns.monkeynoodle.org.    86400   IN      A       198.144.201.9
;; Query time: 23 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 16 20:49:55 2003
;; MSG SIZE  rcvd: 206
==========================================================================================================================
[jack@gracie jack]$ dig -t a monkeynoodle.org
; <<>> DiG 9.2.2 <<>> -t a monkeynoodle.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42077
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;monkeynoodle.org.              IN      A
;; ANSWER SECTION:
monkeynoodle.org.       86400   IN      A       198.144.201.9
;; AUTHORITY SECTION:
monkeynoodle.org.       86400   IN      NS      ns.monkeynoodle.org.
monkeynoodle.org.       86400   IN      NS      ns.tsoft.net.
;; ADDITIONAL SECTION:
ns.monkeynoodle.org.    86400   IN      A       198.144.201.9
;; Query time: 11 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Sep 16 20:48:51 2003
;; MSG SIZE  rcvd: 109
==========================================================================================================================
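As an added example (not part of the original page), the following Python code parses dig output like the sessions above, applies the MX-then-A lookup order described earlier, and treats an answer whose only address is the Site Finder wildcard as a non-existent domain. The SITEFINDER_IPS set, the function names and the abridged sample outputs are constructed for this example.

```python
import re

# Address the .COM/.NET wildcard resolved to in September 2003 (value taken from this page).
SITEFINDER_IPS = {"64.94.110.11"}

def parse_dig(text):
    """Return (status, answer_records) from dig's text output;
    answer_records is a list of (name, rrtype, rdata) tuples."""
    match = re.search(r"status: ([A-Z]+)", text)
    status = match.group(1) if match else "UNKNOWN"
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";"):        # any other section header or comment ends the answer
            in_answer = False
        elif in_answer and line.strip():
            name, _ttl, _cls, rrtype, *rdata = line.split()
            records.append((name, rrtype, " ".join(rdata)))
    return status, records

def mail_targets(mx_output, a_output):
    """Mimic an MTA's lookup order (MX first, then A) and treat an answer whose only
    address is the Site Finder wildcard as if the domain did not exist."""
    status, mx = parse_dig(mx_output)
    if status == "NXDOMAIN":
        return []
    if mx:
        prefs = [(int(rd.split()[0]), rd.split()[1]) for _n, t, rd in mx if t == "MX"]
        return [host for _pref, host in sorted(prefs)]    # lowest preference first
    _status, a_records = parse_dig(a_output)
    return [rd for _n, t, rd in a_records if t == "A" and rd not in SITEFINDER_IPS]

# Constructed samples, abridged from the dig sessions shown above on this page.
DAMAGED_MX = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30438
"""
DAMAGED_A = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27464
;; ANSWER SECTION:
aerlgjqkgjn.com.        900     IN      A       64.94.110.11
;; AUTHORITY SECTION:
com.                    172800  IN      NS      l.gtld-servers.net.
"""
NORMAL_MX = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47886
;; ANSWER SECTION:
monkeynoodle.org.       86400   IN      MX      30 pdx.monkeynoodle.org.
monkeynoodle.org.       86400   IN      MX      10 felix.monkeynoodle.org.
monkeynoodle.org.       86400   IN      MX      20 gracie.monkeynoodle.org.
"""
```

mail_targets(DAMAGED_MX, DAMAGED_A) returns an empty list, the same outcome an MTA would have seen before the wildcard was added, while mail_targets(NORMAL_MX, "") returns the three MX hosts in preference order.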

SMTP MTA: sitefinder.verisign.com operates an SMTP daemon as well. When the daemon is active, it responds with a hard-fail (permanent) 550 error, regardless of what other MTAs send to it. However, if the daemon is not active or has been blocked, the session will hang until the TCP connection times out (typically three minutes).

In short, if VeriSign's SMTP daemon is reachable and performing well, the impact on email performance will be relatively minimal. If the daemon has died or is blocked, all delivery attempts to non-existent domains will time out and go into the retry queue. This will have a significant impact on delivery times for servers handling large numbers of unverified email addresses. The impact is exacerbated because typical MTAs open only a few sessions per destination IP address, in order to avoid overloading recipient MTAs.

Typically it is only spammers who deal with large volumes of unverified email addresses, but anyone running a webmail system or a mailing list manager should be concerned as well.

SMTP Conversation with sitefinder.verisign.com
[jack@felix jack]$ telnet 64.94.110.11 25      
Trying 64.94.110.11...
Connected to 64.94.110.11.
Escape character is '^]'.
220 snubby3-wceast Snubby Mail Rejector Daemon v1.3 ready

250 OK

250 OK

550 User domain does not exist.

250 OK

221 snubby3-wceast Snubby Mail Rejector Daemon v1.3 closing transmission channel
Connection closed by foreign host
==========================================================================================================================
[jack@gracie jack]$ time telnet zderty4w364rgbvrwth.com 25
Trying 64.94.110.11...
telnet: Unable to connect to remote host: Connection timed out
Command exited with non-zero status 1
0.00user 0.01system 3:09.00elapsed 0%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (248major+50minor)pagefaults 0swaps

Update: On September 16th the Snubby daemon was replaced with Postfix. Again, the system is configured to reject mail before receiving data:

[jack@chupacabra jack]$ telnet aeg45q4ted.com 25
Trying 64.94.110.11...
Connected to aeg45q4ted.com (64.94.110.11).
Escape character is '^]'.
220 sitefinder.verisign.com VeriSign mail rejector (Postfix)
EHLO test.test.com
250-OK
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-XVERP
250 8BITMIME
MAIL FROM: name@test.com
250 Ok
RCPT TO: test@test.com
550 : Client host rejected: The domain you are trying to send mail to does not exist.
554 Error: no valid recipients

Note that the error is the same if the RCPT TO domain does exist.

Mitigation:

  1. Minimize the number of unverified addresses your forms and mailing lists accept by requiring verification for sign-ups. This is the default configuration of many pre-built packages.
  2. It would be unwise to allow your system to communicate directly with the VeriSign SMTP daemon because its behavior may not be predictable; you should be blocking SMTP destined for it and keeping an eye on the IP address in case it changes.
  3. The most effective and flexible method of mitigation is using a firewall to block access to the address 64.94.110.11 (sitefinder.verisign.com). If your company or ISP has decided to take this course of action, request that the block type be set as REJECT rather than DENY or DROP. In other words, the ISP firewall needs to return a TCP RST packet so that the connection is killed. This will still cause your MTA to move mail for non-existent domains into the retry queue, but at least delivery attempts will fail after a few milliseconds instead of after three minutes.
  4. Many MTAs have the capability to configure the number of concurrent sessions opened to a given IP address: you could increase the number of sessions allowed to 64.94.110.11. This will only marginally improve the situation and will probably introduce other problems (such as your mail being rejected by MTAs that think you're too aggressive).
  5. If your mail system is running on Linux, a local installation of iptables may be used to implement the preferred (REJECT) firewall policy. For instance, the Shorewall rule REJECT fw net:64.94.110.11 tcp 25 - produces the following behavior:

    [jack@gracie jack]$ time telnet zderty4w364rgbvrwth.com 25
    Trying 64.94.110.11...
    telnet: Unable to connect to remote host: Connection refused
    Command exited with non-zero status 1
    0.01user 0.00system 0:00.11elapsed 8%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (248major+50minor)pagefaults 0swaps
    ==========================================================================================================================
    [jack@gracie jack]$ sudo tcpdump -n -i any tcp port 25
    tcpdump: WARNING: Promiscuous mode not supported on the "any" device
    tcpdump: listening on any
    12:58:41.056044 64.94.110.11.25 > 198.144.208.28.3886: R 0:0(0) ack 2649332002 win 0 (DF) [tos 0x10]
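To verify that a block behaves as REJECT rather than DROP, the check below (an added example, not code from the original page) times a TCP connect and classifies the result the way an MTA experiences it; the function names are constructed, and the unused_local_port helper only exists so the "refused" path can be demonstrated offline on loopback.

```python
import socket
import time

def probe_smtp(host, port=25, timeout=5.0):
    """Attempt a TCP connection and report what an MTA would see:
    'connected' (a daemon answered), 'refused' (TCP RST, the REJECT case),
    'timeout' (packets silently dropped, the DROP case) or 'error' (other OS error).
    Returns (result, elapsed_seconds)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected", time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start
    except OSError:
        return "error", time.monotonic() - start
    finally:
        sock.close()

def unused_local_port():
    """Pick a loopback port nothing listens on (constructed helper for the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    # Offline demonstration of the fast-failure path a REJECT rule gives an MTA.
    print(probe_smtp("127.0.0.1", unused_local_port(), timeout=2.0))
```

Run against 64.94.110.11 port 25 from behind the REJECT rule described above, it should report "refused" within milliseconds; a "timeout" result after the full timeout means the block is a DROP and the MTA will still wait out the TCP timeout.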
    

Last modified: Nov 25, 2005 12:48 pm.