  2. 5

    Unfortunately you don’t want to have this without a significant DNS protocol change (which is effectively impossible). The problem is that in stock DNS you would have to make a second DNS query for these SPF records every time you looked up a website name and followed a CNAME record (and there are a lot of people who have CNAME records for websites, often very high volume ones). This second query adds at least a certain amount of latency to what is already a hot path that no one wants to slow down. To avoid this second query the initial CNAME-chasing DNS query would have to carry some information about why you were looking up records in example.com, which is the bit that would need a protocol change.

    (Theoretically your DNS servers for example.com could always return this SPF-like data as additional data included in the initial DNS reply and so hope to preempt the second query. In practice I believe that almost all DNS resolvers in existence would discard it when they received it from you, for good security-related reasons.)

    But a solution for CNAMEs is incomplete, because people do this same trick with IP addresses; they give mysite.com the IP address of your example.com when you don’t host them. An SPF-equivalent for DNS A records is a much harder problem, on top of having the same ‘second DNS query’ problem as CNAME SPF-equivalents.

    (So why does SPF work for email, to the extent that it does? The big reason is that DNS queries during SMTP conversations are far less latency sensitive than DNS queries while a user is loading a website.)

    1. 1

      So there are some other complaints, but another reason this is trouble is that it’s not like SPF. Consider what your SPF-like record would look like for blogspot, who host about a million sites via CNAME. That’s an enormous TXT record…

      1. 1

        Or none at all (which could translate to “allow from all”)

        1. 2

          They could do that, but I think a good whitelist design shouldn’t just punt and say “all” for large lists. I can agree that large companies like Google can handle some extra traffic, but ideally that shouldn’t be baked into the proposal.

      2. 1

        I know that technical solution is correct in the best kind of correctness, but couldn’t it be reported to some kind of abuse department? Or could the owner of the domain be contacted and reasoned with?

        1. 1

          In this situation there is no dispute form or ramification for this. I would point my domain A record @ IN A 127.0.0.1 and move pages or sites to a subdomain and monitor.

          1. 1

            That would limit traffic, but make our domain (sans subdomain) unusable. I guess the best one can do aside from your suggestion, in Apache language, is to make a “VirtualHost” and return a 404 on everything as far as HTTP(S) goes. This mitigates it somewhat, but for any other service you’re still not out of the woods.

            The problem sadly isn’t limited to websites. Requesting the domain’s MX record also returns a CNAME to us. Not smart from the owner: we could enable email for this domain. We don’t, but we could. But aside from that, email is far less easy to redirect. So it’s a very nasty problem.

            1. 2

              There are a variety of things you could serve to visitors making requests for other sites; e.g. a ‘name and shame’ of the other domain owner.

              On 1 Apr 2017, at 8:31 am, voidzero voidzero@lobste.rs wrote:
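Several comments above settle on the same practical answer: serve a catch-all VirtualHost that returns 404 for any Host name you do not own, and monitor what lands there. The script below is an added example, not code from the thread or any of its participants: it reads Apache access-log lines and reports every Host header that is not one of your own names, so you can see which foreign domains are CNAMEd or A-recorded at your address, how much traffic they bring, and what they ask for. It assumes (this is not stated anywhere in the thread) a LogFormat whose first field is the client-supplied Host header, e.g. `LogFormat "%{Host}i %h %t \"%r\" %>s" hostlog`; the hostnames in `OWN_HOSTS` and the log lines in `SAMPLE_LOG` are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Assumed Apache log format (an assumption for this example, not from the thread):
#   LogFormat "%{Host}i %h %t \"%r\" %>s" hostlog
# i.e. the client's Host header comes first, then client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# Hostnames we really serve (constructed). Anything else arriving at this server
# is somebody else's name pointing at our address via a CNAME or an A record.
OWN_HOSTS = {"example.com", "www.example.com", "blog.example.com"}

# Constructed sample log lines, including a mixed-case Host with an explicit port,
# a request by bare IP literal, and one unparseable line.
SAMPLE_LOG = """\
www.example.com 203.0.113.5 [01/Apr/2017:08:31:02 +0000] "GET / HTTP/1.1" 200
mysite.com 198.51.100.7 [01/Apr/2017:08:31:03 +0000] "GET /index.html HTTP/1.1" 404
mysite.com 198.51.100.8 [01/Apr/2017:08:31:04 +0000] "GET /images/logo.png HTTP/1.1" 404
MySite.com:443 198.51.100.9 [01/Apr/2017:08:31:05 +0000] "GET / HTTP/1.1" 404
blog.example.com 203.0.113.6 [01/Apr/2017:08:31:06 +0000] "POST /comment HTTP/1.1" 302
203.0.113.10 192.0.2.44 [01/Apr/2017:08:31:07 +0000] "GET / HTTP/1.1" 404
not a log line
"""


def normalise_host(raw):
    """Lower-case a Host header value and strip an explicit :port.

    A bracketed IPv6 literal keeps its brackets; a bare IPv4 literal is left
    as-is (a request addressed to our IP is also not one of our names).
    """
    host = raw.lower()
    if host.startswith("["):          # [IPv6]:port -> [IPv6]
        host = host.split("]")[0] + "]"
    elif host.count(":") == 1:        # name:port or IPv4:port -> name
        host = host.split(":")[0]
    return host.rstrip(".")           # tolerate a trailing FQDN dot


def foreign_hosts(lines, own_hosts=OWN_HOSTS):
    """Summarise requests whose Host header is not one of ours.

    Returns {host: {"hits": int, "clients": set of client IPs, "paths": Counter}}.
    Lines that do not match LOG_RE are skipped rather than raising.
    """
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": Counter()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = normalise_host(m.group("host"))
        if host in own_hosts:
            continue
        request = m.group("request")
        # Request line is "METHOD PATH PROTOCOL"; fall back to "-" on malformed input.
        path = request.split(" ")[1] if request.count(" ") >= 1 else "-"
        entry = report[host]
        entry["hits"] += 1
        entry["clients"].add(m.group("client"))
        entry["paths"][path] += 1
    return dict(report)


if __name__ == "__main__":
    for host, info in sorted(foreign_hosts(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {info['hits']} hits from {len(info['clients'])} clients; "
              f"top paths {info['paths'].most_common(3)}")
```

Run it against the real log (`foreign_hosts(open("/var/log/apache2/access.log"))`) from cron and alert when a new host appears or a hit count jumps; because the catch-all vhost already answers 404, this only observes, it never changes what the stray visitors receive.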