Firewall DNS reverse- forward lookup

phn at phn at
Fri Jan 2 15:54:39 UTC 2004

admjcd <admjcd at> wrote:
> As Howard pointed out, this Raptor rule can cause some false positives and reject legitimate email just because someone misconfigured their DNS. This rule seems a little too judgmental for me. I would rather keep all the mail flowing, and I am not sure this rule protects us from any real threat. I am absolutely no good at nslookup with all of the advanced DNS configurations out there. Can anyone tell if has a misconfigured DNS or if this rule may be returning a false positive? I used the rdns at and it returns several IP addresses. But again, I am not sure what I am doing with nslookup!
> If I can show that this rule is returning a false positive I can have a case to get this rule turned off.

 is broken all right.

A partial list:
- is delegated to:
;; ANSWER SECTION:
        2D IN NS
        2D IN NS
        2D IN NS

However, udns[12] says:
;; ANSWER SECTION:
        15M IN NS
        15M IN NS

has a totally differing opinion:
;; ANSWER SECTION:
        1D IN NS
        1D IN NS

where "" has a bunch of RFC 1918 addresses:
        1D IN A
        1D IN A
        1D IN A
        1D IN A
        1D IN A
        1D IN A

Serial numbers differ: has 2003122206,
where has 2003112237.

SOA "retry" equals "refresh".
> -----Original Message-----
> From: Roger Ward [mailto:roger.ward at]
> Sent: Thursday, January 01, 2004 11:07 AM
> To: admjcd
> Cc: 'comp-protocols-dns-bind at'
> Subject: Re: Firewall DNS reverse- forward lookup

> You are thinking backwards.  It is reverse-forward, not forward-reverse-forward that matters.

> The reverse lookup's hostname must match a forward lookup for that IP.
> Our mail servers, for instance, are, etc.  The round robin hostname for them is (and we have mx1, mx2 and mx3 sitting as round robin entries underneath that DNS record).

> I don't use your firewall, but I have run across software which blocks based on broken DNS.

> Make sure the PTR record for the IP address also has an A record with the SAME IP address.

> -Roger

>> Hello all,
>>   We are having an issue with our Raptor firewall dropping packets
>> because a reverse-forward lookup fails. Here is the log and a
>> link to why Raptor logs it:
>>   " reverse address
>> doesn't match -- denied"
>>   My question is: is this a valid security check (reverse-forward)?
>> Is there a problem with's DNS setup? Is Raptor's rule
>> to just drop these connections valid?  How would such a rule handle
>> round-robin, where a forward lookup can return a different IP? Or a
>> number of IPs?  Do any of you have any experience with this?  TIA
>> And happy new Year!!!
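The check the thread argues about is forward-confirmed reverse DNS: take the connecting IP, look up its PTR, then look up the A records of that hostname and require the original IP to be among them. Roger's point about round robin is that the forward answer may be a set of several addresses, so the comparison has to be set membership rather than "first address equals". The script below is an added example written for this page; it is not code from the thread, from Raptor, or from BIND. The PTR and A tables are constructed sample data using RFC 5737 documentation addresses and RFC 2606 example domains, and the resolver functions are pluggable so the same logic can be pointed at the OS resolver through the standard library `socket` module. The RFC 1918 flag mirrors phn's observation that a nameserver's A records were full of private addresses, which is a useful signal of broken DNS rather than of hostile intent.

```python
"""Forward-confirmed reverse DNS (the Raptor "reverse-forward" check).

Added example for this thread, not code from Raptor, BIND or any poster.
Logic: PTR(ip) -> hostname(s); A(hostname) -> address set; accept only if
ip is in that set. Round robin is handled by set membership.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS data (RFC 5737 prefixes, RFC 2606 domains);
# none of it describes real hosts.
SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mx1.example.net"],    # PTR and A agree
    "192.0.2.77": ["mail.example.com"],   # A is a round-robin set containing the IP
    "192.0.2.50": ["www.example.net"],    # A points at a different address
    "192.0.2.33": ["ns.example.org"],     # A holds only RFC 1918 addresses
    "192.0.2.99": ["ghost.example.org"],  # PTR exists, but the name has no A record
}
SAMPLE_A: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.77", "192.0.2.78", "192.0.2.79"],
    "www.example.net": ["198.51.100.7"],
    "ns.example.org": ["10.1.2.3", "192.168.0.9"],
}

# Exactly the RFC 1918 ranges; ipaddress.is_private is wider (it also covers
# the documentation prefixes used in this sample), so we spell them out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Lookup = Callable[[str], List[str]]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 private ranges."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def sample_reverse(ip: str) -> List[str]:
    """PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name: str) -> List[str]:
    """A lookup against the constructed table."""
    return SAMPLE_A.get(name, [])


def system_reverse(ip: str) -> List[str]:
    """PTR lookup through the OS resolver (stdlib only)."""
    try:
        host, _aliases, _addrs = socket.gethostbyaddr(ip)
        return [host]
    except (socket.herror, socket.gaierror):
        return []


def system_forward(name: str) -> List[str]:
    """A lookup through the OS resolver; returns every address (round robin)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip: str, reverse: Lookup, forward: Lookup) -> Tuple[str, str]:
    """Return (status, detail) for one client address.

    status: "match"    some PTR hostname has an A record equal to ip (accept)
            "no-ptr"   the address has no PTR record
            "no-a"     the PTR hostname(s) have no A records at all
            "mismatch" the PTR hostname(s) resolve, but never to ip
    """
    names = reverse(ip)
    if not names:
        return "no-ptr", f"{ip} has no PTR record"
    saw_any_a = False
    for name in names:
        addrs = forward(name)
        if not addrs:
            continue
        saw_any_a = True
        if ip in addrs:  # round robin: membership, not "first address equals"
            return "match", f"{ip} -> {name} -> {addrs} ({len(addrs)} A records)"
        if all(is_rfc1918(a) for a in addrs):
            return "mismatch", f"{name} -> {addrs}: only RFC 1918 addresses, broken DNS"
    if not saw_any_a:
        return "no-a", f"{names} have no A records"
    return "mismatch", f"{names} never resolve back to {ip}"


def check_many(ips: List[str], reverse: Lookup, forward: Lookup) -> Dict[str, str]:
    """Run fcrdns over a batch of client addresses; returns {ip: status}."""
    return {ip: fcrdns(ip, reverse, forward)[0] for ip in ips}


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        status, detail = fcrdns(ip, sample_reverse, sample_forward)
        print(f"{ip:12} {status:9} {detail}")
```

Run it as-is to see the five constructed cases; pass `system_reverse` and `system_forward` to `fcrdns` to check a live address. Note that only "match" is a clean pass: "no-ptr" and "no-a" are more often sloppy DNS than anything else, which is exactly why admjcd questions whether rejecting on them is worth the lost mail.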

