Firewall DNS reverse- forward lookup

admjcd admjcd at
Fri Jan 2 15:37:17 UTC 2004


   As Howard pointed out, this Raptor rule can cause some false positives and reject legitimate email just because someone misconfigured their DNS. This rule seems a little too judgmental for me. I would rather keep all the mail flowing, and I am not sure this rule protects us from any real threat. I am absolutely no good at nslookup with all of the advanced DNS configurations out there. Can anyone tell if has a misconfigured DNS, or if this rule may be returning a false positive? I used the rdns at and it returns several IP addresses. But again, I am not sure what I am doing with nslookup!
   If I can show that this rule is returning a false positive, I can have a case to get this rule turned off.

Thanks again everyone!

-----Original Message-----
From: Roger Ward [mailto:roger.ward at] 
Sent: Thursday, January 01, 2004 11:07 AM
To: admjcd
Cc: 'comp-protocols-dns-bind at'
Subject: Re: Firewall DNS reverse- forward lookup

You are thinking backwards.  It is reverse-forward, not forward-reverse-forward that matters.

The reverse lookup's hostname must match a forward lookup for that IP.
Our mail servers, for instance, are, etc.  The round-robin hostname for them is (and we have mx1, mx2 and mx3 sitting as round-robin entries underneath that DNS record).

I don't use your firewall, but I have run across software which blocks based on broken dns.

Make sure the PTR record for the IP address also has an A record with the SAME IP address.


> Hello all,
>   We are having an issue with our Raptor firewall dropping packets 
> because a reverse-forward lookup fails. Here is the log and a 
> link to why Raptor logs it:
>   " reverse address 
> doesn't match -- denied"
>   My question is: Is this a valid security check (reverse-forward)?  
> Is there a problem with's DNS setup? Is Raptor's rule 
> to just drop these connections valid?  How would such a rule handle 
> round-robin, where a forward lookup can return a different IP? Or a 
> number of IPs?  Do any of you have any experience with this?  TIA  
> And happy new year!
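The reverse-forward check Roger describes (PTR lookup of the connecting IP, then A lookup of the name the PTR returned, pass only if the original IP is among the answers) and the round-robin question in the original post, as an added example. This is not code from the thread or from the Raptor product. The resolver data is constructed: the hostnames and TEST-NET-1 addresses are hypothetical, and the two lookup callables stand in for real DNS queries so the block runs offline. It shows that a name with several A records (round robin) passes as long as the checked IP is one of them, and that only the PTR name matters, never the MX or round-robin name the sender happens to advertise.

```python
"""Forward-confirmed reverse DNS (reverse-forward) check.

Added example, not from the bind-users thread or from Raptor. All names
and addresses below are constructed for illustration.
"""
import ipaddress

# Constructed PTR answers keyed by IP (hypothetical hosts in 192.0.2.0/24).
SAMPLE_PTR = {
    "192.0.2.10": ["mx1.example.net."],
    "192.0.2.11": ["mx2.example.net."],
    "192.0.2.12": ["mx3.example.net."],
    "192.0.2.13": ["mail.example.net."],                       # PTR names the round-robin record
    "192.0.2.20": ["mail.example.org."],                       # PTR name resolves to a different IP
    "192.0.2.30": [],                                          # no PTR at all
    "192.0.2.40": ["smtp.example.com."],                       # PTR name has no A record
    "192.0.2.50": ["old.example.net.", "host50.example.net."], # two PTRs, one of them correct
}

# Constructed A answers keyed by hostname.
SAMPLE_A = {
    "mx1.example.net.": ["192.0.2.10"],
    "mx2.example.net.": ["192.0.2.11"],
    "mx3.example.net.": ["192.0.2.12"],
    # round robin: one name, several addresses
    "mail.example.net.": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"],
    "mail.example.org.": ["198.51.100.5"],
    "old.example.net.": ["192.0.2.99"],
    "host50.example.net.": ["192.0.2.50"],
}


def canonical(name):
    """Normalise a hostname for comparison: lower-case, with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def sample_ptr_lookup(ip):
    """Stand-in for a PTR query; returns the list of names for ip (may be empty)."""
    return SAMPLE_PTR.get(ip, [])


def sample_a_lookup(name):
    """Stand-in for an A query; returns the list of addresses for name (may be empty)."""
    return SAMPLE_A.get(canonical(name), [])


def fcrdns_check(ip, ptr_lookup=sample_ptr_lookup, a_lookup=sample_a_lookup):
    """Return (passed, reason, confirmed_name) for a connecting IP.

    Step 1: PTR lookup of ip -> zero or more hostnames.
    Step 2: A lookup of each hostname -> set of addresses.
    Pass if ip is in any of those sets. Extra addresses on a round-robin
    name never cause a failure; only the absence of ip does.
    """
    ip = str(ipaddress.ip_address(ip))  # reject garbage input, normalise the text form
    names = [canonical(n) for n in ptr_lookup(ip)]
    if not names:
        return False, "no PTR record for %s" % ip, None

    seen = {}
    for name in names:
        addrs = {str(ipaddress.ip_address(a)) for a in a_lookup(name)}
        seen[name] = addrs
        if ip in addrs:
            return True, "%s -> %s -> %s" % (ip, name, ip), name

    detail = "; ".join(
        "%s -> %s" % (n, sorted(a) if a else "no A record") for n, a in seen.items()
    )
    return False, "no PTR name resolves back to %s (%s)" % (ip, detail), None


def check_many(ips, ptr_lookup=sample_ptr_lookup, a_lookup=sample_a_lookup):
    """Run the check over several IPs; returns {ip: passed} for a quick triage."""
    return {ip: fcrdns_check(ip, ptr_lookup, a_lookup)[0] for ip in ips}


if __name__ == "__main__":
    for ip in sorted(SAMPLE_PTR):
        passed, reason, _ = fcrdns_check(ip)
        print("%-12s %-4s %s" % (ip, "PASS" if passed else "FAIL", reason))
```

To reproduce the same check by hand against a real address, run `dig -x <ip> +short` to get the PTR name, then `dig +short A <that name>`; the sender passes only if the original address appears in the second answer. A PTR that points at a name whose A records do not include the address (the `192.0.2.20` case above) is a genuine DNS misconfiguration on the sender's side rather than a false positive of the rule; a missing PTR is the other common cause of a deny.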
