Shouldn't a DNS and ReDNS lookup match?

Barry Margolin barmar at alum.mit.edu
Mon Feb 23 22:33:58 UTC 2004


In article <c1dl16$12ag$1 at sf1.isc.org>, Chip Mefford <cpm at well.com> 
wrote:

> Dagwood Bumstead wrote:
> > I have a situation where a mail from our host is being refused by
> > another mail host.
> 
> You could ask the postmaster of the mail host in question to
> place an allow in their access.db (assuming they are running
> sendmail). This won't solve the overall problem.
> 
> > When running a DNS against our host name, the IP is returned
> > correctly. But when running a reverse DNS for the IP address, our
> > uplink provider is returning a completely different host name ending
> > with their domain name instead of ours. 
> > 
> > They have said they can't change it.
> 
> Nonsense.
> Of course they can.

Perhaps it would be more correct for them to say that they *won't* 
change it.  It could be policy (perhaps you need to upgrade to a higher 
level service to get this feature), or it could easily be limitations in 
the software that they use to manage their DNS configuration files.

Anyway, AFAIK, there's no requirement for all A records to have 
corresponding PTR records.  It's quite common for multiple names to 
resolve to the same address, but the PTR records will typically resolve 
to just one of these names.

The other mail host is doing the wrong check.  They should do a reverse 
lookup of the incoming IP, then do a forward lookup of that name.  If 
this matches the incoming IP, then there's no reverse DNS spoofing going 
on.

RFC 2821 says: 

   An SMTP server MAY verify that the domain name parameter in the EHLO
   command actually corresponds to the IP address of the client.
   However, the server MUST NOT refuse to accept a message for this
   reason if the verification fails: the information about verification
   failure is for logging and tracing only.

I'm not even sure that the check they're performing is the type of 
verification referred to, though.  I think they're talking about doing a 
forward lookup of the name, to see if it matches the incoming IP 
address.  However, there are some very common cases where this will 
fail, particularly multi-homed hosts; the name given in the EHLO command 
may correspond to one of its addresses, but not necessarily the one used 
for that particular connection.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
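The forward-confirmed reverse lookup described above, next to the naive name comparison and the RFC 2821 EHLO check, as an added Python example that is not part of the original post; the A and PTR tables are constructed stand-ins for a resolver (all names and addresses are made up), so it runs offline.

```python
"""FCrDNS check versus the naive "names must match" check. Resolver results are
constructed tables so this runs offline; swap in socket.gethostbyaddr() and
socket.gethostbyname_ex() for real lookups."""

# Constructed records (RFC 5737 documentation addresses; not real hosts).
A_RECORDS = {
    "mail.example.com": ["192.0.2.10"],            # the sender's own name
    "host-10.isp.example": ["192.0.2.10"],         # name the uplink put in the PTR
    "mail.victim.example": ["203.0.113.7"],        # name a forged PTR could claim
    "mta.multihomed.example": ["198.51.100.5"],    # EHLO name of a multi-homed host
    "mta-b.multihomed.example": ["198.51.100.6"],  # its second interface
}
PTR_RECORDS = {
    "192.0.2.10": "host-10.isp.example",
    "192.0.2.66": "mail.victim.example",           # PTR whose name does not map back
    "198.51.100.6": "mta-b.multihomed.example",
}

def lookup_a(name):
    return A_RECORDS.get(name, [])

def lookup_ptr(ip):
    return PTR_RECORDS.get(ip)

def naive_check(ip, expected_name):
    """The check the refusing site appears to run: PTR name must equal the sender's name."""
    return lookup_ptr(ip) == expected_name

def fcrdns_check(ip):
    """Reverse-lookup the IP, forward-lookup that name, require the IP among its A records.
    Passes when the PTR carries a provider-assigned name; fails when the PTR names a
    host whose A records do not include the connecting address (or there is no PTR)."""
    name = lookup_ptr(ip)
    return name is not None and ip in lookup_a(name)

def ehlo_verify(ip, ehlo_name):
    """RFC 2821 EHLO verification: does the EHLO name resolve to the connecting IP?
    For logging only; a multi-homed host legitimately fails it."""
    return ip in lookup_a(ehlo_name)

def assess(ip, ehlo_name):
    """What a receiving MTA learns about one connection (ehlo_verified is log-only)."""
    return {"ptr": lookup_ptr(ip), "naive_name_match": naive_check(ip, ehlo_name),
            "fcrdns": fcrdns_check(ip), "ehlo_verified": ehlo_verify(ip, ehlo_name)}

if __name__ == "__main__":
    for ip, ehlo in [("192.0.2.10", "mail.example.com"), ("192.0.2.66", "mail.example.com"),
                     ("198.51.100.6", "mta.multihomed.example")]:
        print(ip, ehlo, assess(ip, ehlo))
```

The first case is the situation in the thread: the naive comparison fails because the PTR carries the uplink's name, while FCrDNS passes because that name maps back to the connecting address.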