Firewall DNS reverse- forward lookup
admjcd at volpe.dot.gov
Fri Jan 2 15:37:17 UTC 2004
As Howard pointed out, this Raptor rule can cause some false positives and reject legitimate email just because someone misconfigured their DNS. This rule seems a little too judgmental for me. I would rather keep all the mail flowing, and I am not sure this rule protects us from any real threat. I am absolutely no good at nslookup with all of the advanced DNS configurations out there. Can anyone tell if mail2world.com has a misconfigured DNS or if this rule may be returning a false positive? I used the rdns at samspade.org and it returns several IP addresses. But again, I am not sure what I am doing with nslookup!
If I can show that this rule is returning a false positive I can have a case to get this rule turned off.
Thanks again everyone!
From: Roger Ward [mailto:roger.ward at national-net.com]
Sent: Thursday, January 01, 2004 11:07 AM
Cc: 'comp-protocols-dns-bind at isc.org'
Subject: Re: Firewall DNS reverse- forward lookup
You are thinking backwards. It is reverse-forward, not forward-reverse-forward that matters.
The reverse lookup's hostname must match a forward lookup for that IP.
Our mail servers, for instance, are mx1.mail.hostname.com, etc. The round robin hostname for them is mx-rr.mail.hostname.com (and we have mx1 mx2 and mx3 sitting as round robin entries underneath that DNS record).
I don't use your firewall, but I have run across software which blocks based on broken DNS.
Make sure the PTR record for the IP address also has an A record with the SAME IP address.
> Hello all,
> We are having an issue with our Raptor firewall dropping packets
> because a reverse-forward lookup fails. Here is the log and a
> link to why Raptor logs it:
> "mw203.mail2world.com 18.104.22.168: reverse address 22.214.171.124
> doesn't match -- denied"
> My question is: Is this a valid security check (reverse-forward)?
> Is there a problem with mail2world.com's DNS setup? Is Raptor's rule
> to just drop these connections valid? How would such a rule handle
> round-robin, where a forward lookup can return a different IP? Or a
> number of IPs? Do any of you have any experience with this? TIA
> And happy New Year!!!
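The reverse-forward check Roger describes, written out as an added example (not code from the thread or from Raptor): the PTR for the connecting IP yields a name, and the A records of that name must contain that IP. It uses only the Python standard library resolver; the hostnames and RFC 5737 addresses in the fake zone are constructed for illustration, and the round-robin entry shows why all A records, not just the first, must be compared.

```python
import socket

# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
# 192.0.2.20's PTR names a round-robin record with several addresses, the case
# the original poster asked about; 192.0.2.30's PTR names a host whose A record
# disagrees, which is the "reverse address ... doesn't match" case in the log.
FAKE_PTR = {
    "192.0.2.10": "mx1.mail.example.net",
    "192.0.2.20": "mx-rr.mail.example.net",
    "192.0.2.30": "smtp.example.org",
}
FAKE_A = {
    "mx1.mail.example.net": ["192.0.2.10"],
    "mx-rr.mail.example.net": ["192.0.2.10", "192.0.2.20", "192.0.2.30"],
    "smtp.example.org": ["203.0.113.5"],
}

def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "no PTR record")
    return FAKE_PTR[ip]

def fake_a(name):
    if name not in FAKE_A:
        raise socket.gaierror(-2, "no A record")
    return FAKE_A[name]

def live_ptr(ip):
    """System resolver: the PTR name for ip (raises OSError if none)."""
    return socket.gethostbyaddr(ip)[0]

def live_a(name):
    """System resolver: every A record for name, so round robin is honoured."""
    return socket.gethostbyname_ex(name)[2]

def reverse_forward_check(ip, ptr_lookup=live_ptr, a_lookup=live_a):
    """Reverse-forward (forward-confirmed reverse DNS) check: PTR(ip) gives a
    name, and the A records of that name must contain ip. Any one of several
    A records matching is enough, so a correctly built round-robin name passes."""
    try:
        name = ptr_lookup(ip)
    except OSError:
        return False, f"{ip}: no PTR record"
    try:
        addrs = a_lookup(name)
    except OSError:
        return False, f"{ip}: PTR name {name} has no A record"
    if ip in addrs:
        return True, f"{ip}: {name} -> {addrs} confirmed"
    return False, f"{ip}: reverse name {name} resolves to {addrs}, not {ip}"
```

Calling `reverse_forward_check("192.0.2.20", fake_ptr, fake_a)` passes because the connecting IP is among the round-robin name's A records; with the default arguments the same function queries the system resolver, so it can be run against a real sender's address to see which of the two lookups a firewall like Raptor is rejecting.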