Reverse DNS

Regarding Internet connectivity specifically:

Why might I need a reverse DNS record?

Some say not to configure one thinking less information given out is better.

Others say yes, but why? How does it help?

I run a web server, email server, application server (Terminal Server) on a
W2K3 machine.

Thanks,

-Frank
 
Frank,
Please read RFC 2505 (http://www.faqs.org/rfcs/rfc2505.html) to get some
background on why it is recommended to have reverse entries for mail
servers.

Also, many of the major service providers are filtering mail based on
valid/invalid reverse entries. For a starting point on that take a look at
http://postmaster.aol.com/

You might also be interested in SPF (http://spf.pobox.com) as it deals with
some similar issues for mail delivery.

Regards,
Ed Horley
Microsoft MVP - Server Networking
 
Frankster said:
> Regarding Internet connectivity specifically:
>
> Why might I need a reverse DNS record?

You might not. Except for the SMTP server you
use to send out email -- there it is typically required
by other SMTP servers in order for them to accept
email from it.

> Some say not to configure one thinking less information given out is
> better.

Generally true. No point in most cases.

> Others say yes, but why? How does it help?
>
> I run a web server, email server, application server (Terminal Server) on a
> W2K3 machine.

The email server "reported name" (in the SMTP software)
must generally match the name returned by the reverse
lookup of the address it uses, and this name must be an
MX record in SOMEBODY's zone (not necessarily yours,
as email servers don't have any direct relationship to
the domains -- plural -- that they might service.)
 
Ed,

Thank you for all the good references below. I appreciate it and will look
at them.

I should have crossposted this query I guess. I wound up asking in a few
different forums. Anyway, I will paste below one of my replies to another
group. I would welcome your comments on my logic. Admittedly, this was
posted before I read the references you provided :)

Thanks,

-Frank

---------start----------

I think you hit the proverbial nail on the head. SPAM filtering techniques
have greatly improved in the last few years. As you say, RDNS used to be
one of the only possible criteria but now is but a small fraction of the
total SPAM identification techniques, which now use almost exclusively
mathematically weighted algorithms.

I've read that the practice of refusing mail based on not having RDNS has
almost disappeared. My own mail server has that capability also, but I
don't enable that feature. As I suspect not many others do either. My own
mail server has a mathematically weighted and configurable SPAM system too.
Works well.

Anyway, I removed my reverse DNS listing about two weeks ago and have had no
problem with email. I run a server with 4 domains pointing to the same IP.
All have web presence and mail. I think I'll leave it that way until I have
problems.

Funny, it's not really mail that causes me to want to remove it. It is web
surfing. I run a Firewall with NAT so that all surfing from any of my
internal machines appears to be coming from that firewall. I'd prefer not
to have surfing activities identified by RDNS. I am convinced that a lot of
SPAM I do receive comes from unscrupulous folks garnering my RDNS info.

Example: I can look in my mail logs and see repeated attempts to send mail
to non-existent user IDs (e.g. (e-mail address removed), (e-mail address removed),
(e-mail address removed), (e-mail address removed), (e-mail address removed),
(e-mail address removed), (e-mail address removed), etc., etc., etc.)

Now each of these always uses the domain name I had configured in reverse
lookup. Remember, I have 4 domains pointed to this IP. Only the one
configured as reverse lookup was the target of this type of SPAM.

Bottom line, I like it better without RDNS. Only time will tell if it truly
causes any trouble.

Thank you for your post. I would be interested if you have any more
thoughts on this matter.

-Frank

---------------end------------------
 
BTW... my mailserver DOES include, in the configured header, a valid fully
qualified mail host name (with proper MX record). However, it is no longer
able to be matched with a reverse DNS lookup. Just FYI...

-Frank
 
Frank,
Hope you found the links some interesting reading. There is no specific
requirement in RFC 2505 regarding matching forward/reverse for MTAs - I
think section 2.5 comes the closest to saying it. They basically say until
secure DNS is available there is no way to tell with 100% certainty that the records
you are given are correct unless you own them.

AOL and several other service providers are looking more carefully at
forward/reverse matches for MTAs. Many are also using SPF and DomainKeys.
Often, the safest process is to build your systems to conform to all of
the proposed and de facto solutions out there. That means rDNS, SPF,
Blacklists/Whitelists, and anything else that is coming down the pipe like
DomainKeys is now.

Basically, all the large service providers are doing this for two reasons.
One is truly to reduce the amount of SPAM on the net - it does cost them
money. The other reason is that for small business and home users it
becomes almost impossible to run these services yourself properly anymore.
That means you fall off the Internet for your core e-mail service since you
don't know how to run SPF or rDNS or it costs too much money to upgrade your
MTA all the time to conform. All the service providers want to host these
services as they are money-making ventures. Plus, many service providers
are limiting ports on broadband circuits now so that hosts can only send
traffic to the service provider's MTAs and no others. This effectively
forces the end consumer to use the service provider's MTAs - I am not sure
how I feel about this one yet. So far, there have been opt-out options so
for those in the know they simply opt out and things work as expected.

Thoughts?

Ed Horley
Microsoft MVP - Server Networking
 
> Frank,
> Hope you found the links some interesting reading.

Yes, this one was very good:

I read it all. Almost gave me a headache! :)

It is pretty obvious that due to the fact that the original SMTP standards
were created when "everybody trusted everybody" (like most Internet
standards), we are in a real pickle now.

The pickle I'm in is deciding which is worse; being occasionally identified
as a spammer because I don't have reverse lookup configured or accepting
more spam into my own system because I do. What a dilemma. :)

Thanks for all your effort. I do appreciate it. Lots to think about now :)

-Frank
 
Frankster said:
> The pickle I'm in is deciding which is worse; being occasionally
> identified as a spammer because I don't have reverse lookup
> configured or accepting more spam into my own system because I do. What a
> dilemma. :)

The main concern is not being able to send mail to certain (possibly many)
domains. Many installations are refusing mail if you don't have a reverse
zone. I have all my clients set to refuse mail if the reverse test fails.
Unfortunate. No one trusts no one out there anymore.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
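The check discussed in this thread (the "reported name must match the reverse lookup" test described in the reply quoting Frankster, the forward/reverse matching for MTAs Ed mentions, and Ace's policy of refusing mail when the reverse test fails), as an added example that is not code from any poster in the thread. It implements forward-confirmed reverse DNS (FCrDNS): take the connecting address, look up its PTR, resolve each PTR name forward, and confirm the original address is among the answers; then compare the EHLO name against the confirmed names. DNS answers come from a constructed in-memory table so it runs offline; the addresses and hostnames are documentation-range placeholders, and the score weights are an assumption, not values from any real filter.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus EHLO-name check for an inbound
SMTP connection. Added example, not from the original thread. DNS answers are a
constructed in-memory table so it runs offline; swap `lookup` for a real
resolver (e.g. dnspython's dns.resolver.resolve) in practice."""
import ipaddress

# Constructed DNS data: PTR records keyed by reverse-pointer owner name,
# A records keyed by FQDN. All names/addresses are placeholders, not real hosts.
CONSTRUCTED_ZONES = {
    "PTR": {
        "10.113.0.203.in-addr.arpa": ["mail.example.com."],    # PTR -> A -> same IP: passes
        "11.113.0.203.in-addr.arpa": ["mail.example.com."],    # PTR name forwards to other IPs
        "12.113.0.203.in-addr.arpa": ["dyn-12.isp.example."],  # PTR name has no A record
        "13.113.0.203.in-addr.arpa": ["alpha.example.org.", "mail.example.com."],  # several PTRs
        # 203.0.113.14 has no PTR at all
    },
    "A": {
        "mail.example.com.": ["203.0.113.10", "203.0.113.13"],
        "alpha.example.org.": ["198.51.100.7"],
    },
}

# Assumed spam-score weights for "score" mode; choose your own in a real filter.
SCORE_WEIGHTS = {"no_ptr": 2.0, "no_forward": 1.5, "mismatch": 2.5, "helo_mismatch": 1.0}


def lookup(rtype, name, zones=CONSTRUCTED_ZONES):
    """Stand-in resolver: return the record set for (type, owner name), empty if none."""
    return zones[rtype].get(name.lower(), [])


def fcrdns(ip, zones=CONSTRUCTED_ZONES):
    """Classify the connecting address.

    Returns (verdict, confirmed_names) where verdict is one of "pass", "no_ptr",
    "no_forward" or "mismatch", and confirmed_names are the PTR targets whose
    forward (A) records include the connecting address.
    """
    addr = ipaddress.ip_address(ip)
    # reverse_pointer builds the in-addr.arpa (or ip6.arpa for IPv6) owner name.
    ptr_names = lookup("PTR", addr.reverse_pointer, zones)
    if not ptr_names:
        return "no_ptr", []
    confirmed, saw_forward = [], False
    for name in ptr_names:
        forward = [ipaddress.ip_address(a) for a in lookup("A", name, zones)]
        saw_forward = saw_forward or bool(forward)
        if addr in forward:
            confirmed.append(name)
    if confirmed:
        return "pass", confirmed
    # PTR existed but nothing forward-confirmed: distinguish "no A record at all"
    # from "A record points somewhere else" since filters often weight them differently.
    return ("mismatch" if saw_forward else "no_forward"), []


def check_helo(ip, helo, zones=CONSTRUCTED_ZONES):
    """The name the MTA announces in EHLO must be one of the forward-confirmed
    PTR names for the address it connects from. Returns (ok, reason)."""
    verdict, names = fcrdns(ip, zones)
    if verdict != "pass":
        return False, verdict
    fqdn = helo.strip().lower().rstrip(".") + "."   # normalise to a dotted FQDN
    matched = fqdn in names
    return matched, ("helo_match" if matched else "helo_mismatch")


def smtp_decision(ip, helo, mode="reject", zones=CONSTRUCTED_ZONES):
    """Two policies from the thread: mode="reject" refuses on any failure (the
    refuse-if-reverse-test-fails configuration); mode="score" accepts and adds a
    weighted penalty for a scoring filter. Returns (accept, reason, score)."""
    ok, reason = check_helo(ip, helo, zones)
    if ok:
        return True, reason, 0.0
    if mode == "reject":
        return False, reason, None
    return True, reason, SCORE_WEIGHTS[reason]


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mail.example.com"), ("203.0.113.11", "mail.example.com"),
                     ("203.0.113.12", "dyn-12.isp.example"), ("203.0.113.13", "alpha.example.org"),
                     ("203.0.113.14", "mail.example.com")]:
        print(ip, helo, smtp_decision(ip, helo), smtp_decision(ip, helo, mode="score"))
```

Note the 203.0.113.13 case: an address may have several PTRs, and the check passes as long as one of them forward-confirms, but the EHLO name still has to be one of the confirmed names, not merely one of the PTRs. A receiving MTA that only checks "does a PTR exist" (the weaker test Frank describes his own server supporting) would accept 203.0.113.11 and 203.0.113.12, which this check does not.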
 
"Ace Fekay [MVP]" said:
> The main concern is not being able to send mail to certain (possibly many)
> domains. Many installations are refusing mail if you don't have a reverse
> zone. I have all my clients set to refuse mail if the reverse test fails.
> Unfortunate. No one trusts no one out there anymore.

The reverse lookup isn't going to cause you more spam.

The MX records might.
 
Herb said:
> The reverse lookup isn't going to cause you more spam.
>
> The MX records might.

No the reverse record won't, but I'm saying it's one of the tests that
anti-spam software will make.

Ace
 