Shouldn't a DNS and ReDNS lookup match?
Barry Margolin
barmar at alum.mit.edu
Mon Feb 23 22:33:58 UTC 2004
In article <c1dl16$12ag$1 at sf1.isc.org>, Chip Mefford <cpm at well.com>
wrote:
> Dagwood Bumstead wrote:
> > I have a situation where a mail from our host is being refused by
> > another mail host.
>
> You could ask the postmaster of the mail host in question to
> place an allow in their access.db (assuming they are running
> sendmail). This won't solve the overall problem.
>
> > When running a DNS against our host name, the IP is returned
> > correctly. But when running a reverse DNS for the IP address, our
> > uplink provider is returning a completely different host name ending
> > with their domain name instead of ours.
> >
> > They have said they can't change it.
>
> Nonsense.
> Of course they can.
Perhaps it would be more correct for them to say that they *won't*
change it. It could be policy (perhaps you need to upgrade to a higher
level service to get this feature), or it could easily be limitations in
the software that they use to manage their DNS configuration files.

Anyway, AFAIK, there's no requirement for all A records to have
corresponding PTR records. It's quite common for multiple names to
resolve to the same address, but the PTR records will typically resolve
to just one of these names.

The other mail host is doing the wrong check. They should do a reverse
lookup of the incoming IP, then do a forward lookup of that name. If
this matches the incoming IP, then there's no reverse DNS spoofing going
on.

RFC 2821 says:

    An SMTP server MAY verify that the domain name parameter in the EHLO
    command actually corresponds to the IP address of the client.
    However, the server MUST NOT refuse to accept a message for this
    reason if the verification fails: the information about verification
    failure is for logging and tracing only.

I'm not even sure that the check they're performing is the type of
verification referred to, though. I think they're talking about doing a
forward lookup of the name, to see if it matches the incoming IP
address. However, there are some very common cases where this will
fail, particularly multi-homed hosts; the name given in the EHLO command
may correspond to one of its addresses, but not necessarily the one used
for that particular connection.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
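The forward-confirmed reverse lookup Barry describes, next to the name-equality check he says the refusing host is doing and the RFC 2821 EHLO check, as an added example that is not part of the original thread. The zone data is constructed (documentation addresses, made-up names) and the resolver functions are stand-ins for real DNS queries.

```python
from typing import Callable, Dict, List

# Constructed zone data for an offline demonstration (documentation addresses, not real hosts).
FORWARD: Dict[str, List[str]] = {            # name -> A records
    "mail.example.net": ["192.0.2.10"],      # the sender's own host name
    "cust-2-10.isp.example": ["192.0.2.10"], # the name the uplink put in the PTR
    "mx.multihomed.example": ["198.51.100.1", "198.51.100.2"],
    "evil.example": ["203.0.113.5"],
}
REVERSE: Dict[str, List[str]] = {            # IP -> PTR names
    "192.0.2.10": ["cust-2-10.isp.example"],
    "198.51.100.2": ["mx.multihomed.example"],
    "203.0.113.5": ["mail.example.net"],     # PTR claiming someone else's name
}

Resolver = Callable[[str], List[str]]

def lookup_a(name: str) -> List[str]:
    """Forward lookup against the constructed data; real code would query DNS here."""
    return FORWARD.get(name.lower().rstrip("."), [])

def lookup_ptr(ip: str) -> List[str]:
    """Reverse lookup against the constructed data."""
    return REVERSE.get(ip, [])

def fcrdns_ok(ip: str, a: Resolver = lookup_a, ptr: Resolver = lookup_ptr) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) gives names; A(name) must contain ip.
    Any PTR name that forward-resolves to the connecting IP is enough; the name
    need not equal the one the client gave in EHLO."""
    return any(ip in a(name) for name in ptr(ip))

def ptr_equals_ehlo(ehlo: str, ip: str, ptr: Resolver = lookup_ptr) -> bool:
    """The check the refusing host appears to do: the PTR name must equal the EHLO name.
    Fails whenever the PTR carries a provider name, as in the thread."""
    return ehlo.lower().rstrip(".") in [n.lower().rstrip(".") for n in ptr(ip)]

def ehlo_forward_ok(ehlo: str, ip: str, a: Resolver = lookup_a) -> bool:
    """RFC 2821 EHLO verification: does the EHLO name forward-resolve to the client IP?
    Accepts any of the name's addresses so multi-homed hosts pass. Per the RFC the
    result is for logging and tracing only, not a reason to refuse the message."""
    return ip in a(ehlo)
```

With this data the sender's host passes the forward-confirmed check even though its PTR carries the uplink's name, while the PTR-equals-EHLO comparison rejects it.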