Firewall DNS reverse-forward lookup
Roger Ward
roger.ward at national-net.com
Thu Jan 1 16:07:18 UTC 2004
You are thinking backwards. It is reverse-forward, not
forward-reverse-forward that matters.
The reverse lookup's hostname must match a forward lookup for that IP.
Our mail servers, for instance, are mx1.mail.hostname.com, etc. The round
robin hostname for them is mx-rr.mail.hostname.com (and we have mx1 mx2
and mx3 sitting as round robin entries underneath that DNS record).
I don't use your firewall, but I have run across software which blocks
based on broken DNS.
Make sure the PTR record for the IP address also has an A record with the
SAME IP address.
-Roger
> Hello all,
>
> We are having an issue with our Raptor firewall dropping packets because
> a reverse-forward lookup fails. Here is the log and a link to why
> Raptor logs it:
>
> "mw203.mail2world.com 66.28.189.203: reverse address 66.28.189.80
> doesn't match -- denied"
>
> http://www.firetower.com/faqs/logfiles/dnserrors.html
>
> My question is: Is this a valid security check (reverse-forward)? Is
> there a problem with mail2world.com's DNS setup? Is Raptor's rule to
> just drop these connections valid? How would such a rule handle
> round-robin, where a forward lookup can return a different IP? Or a
> number of IPs? Do any of you have any experience with this? TIA, and
> happy New Year!
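The reverse-forward check Roger describes, as an added example (not code from the original post, and not Raptor's implementation): look up the PTR for the connecting IP, then look up the A records of the name the PTR returns, and accept only if that IP is among them. The DNS data is a constructed in-memory table, not live records: the 66.28.189.203 / 66.28.189.80 / mw203.mail2world.com values are taken from the Raptor log line quoted above, the mx1..mx3 and mx-rr names from the reply, and the 10.0.0.x addresses attached to those names are invented for the illustration. The function names (`fcrdns`, `table_ptr`, `table_a`, `live_ptr`, `live_a`) are likewise this example's own.

```python
"""Forward-confirmed reverse DNS, i.e. the "reverse-forward" test from the
thread: PTR(ip) yields a name; the A records of that name must contain ip.

Added example, not code from the original post or from Raptor.  The lookup
tables are constructed stand-ins for real DNS (assumption): the
mail2world.com values mirror the quoted log line, the mx names mirror the
reply, and the 10.0.0.x addresses are invented.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed reverse zone: address -> PTR target (assumption: not live data).
PTR_TABLE: Dict[str, str] = {
    "66.28.189.203": "mw203.mail2world.com",
    "10.0.0.1": "mx1.mail.hostname.com",
    "10.0.0.2": "mx2.mail.hostname.com",
    "10.0.0.3": "mx3.mail.hostname.com",
    "10.0.0.9": "mx-rr.mail.hostname.com",  # PTR aimed at the round-robin name, but .9 is not in it
}

# Constructed forward zone: name -> A records (assumption: not live data).
A_TABLE: Dict[str, List[str]] = {
    "mw203.mail2world.com": ["66.28.189.80"],  # forward answer lacks .203: the log line's failure
    "mx1.mail.hostname.com": ["10.0.0.1"],
    "mx2.mail.hostname.com": ["10.0.0.2"],
    "mx3.mail.hostname.com": ["10.0.0.3"],
    "mx-rr.mail.hostname.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],  # round robin
}

PtrLookup = Callable[[str], List[str]]
ALookup = Callable[[str], List[str]]


def table_ptr(ip: str) -> List[str]:
    """PTR lookup against the constructed table."""
    name = PTR_TABLE.get(ip)
    return [name] if name else []


def table_a(name: str) -> List[str]:
    """A lookup against the constructed table."""
    return list(A_TABLE.get(name, []))


def live_ptr(ip: str) -> List[str]:
    """PTR lookup through the system resolver (needs network; not used by the test)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # socket.herror is a subclass of OSError
        return []
    return [host] + list(aliases)


def live_a(name: str) -> List[str]:
    """IPv4 A lookup through the system resolver (needs network; not used by the test)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except OSError:
        return []
    return list(addrs)


def fcrdns(ip: str, ptr_lookup: PtrLookup = table_ptr,
           a_lookup: ALookup = table_a) -> Tuple[bool, str]:
    """Return (accepted, reason) for the reverse-forward check on ip.

    Accepted iff at least one name returned by the PTR lookup has an A record
    equal to ip.  A round-robin name is fine as long as ip is one of its
    addresses; what a forward lookup of any *other* name returns is irrelevant.
    """
    ip = str(ipaddress.ip_address(ip))  # normalise; raises ValueError on garbage
    names = ptr_lookup(ip)
    if not names:
        return False, f"{ip}: no PTR record -- denied"
    seen: List[str] = []
    for name in names:
        addrs = a_lookup(name)
        if ip in addrs:
            return True, f"{name} {ip}: forward lookup confirms reverse -- accepted"
        seen.extend(addrs)
    # Mirror the shape of the Raptor log line quoted in the thread.
    return False, (f"{names[0]} {ip}: reverse address "
                   f"{', '.join(seen) or '(none)'} doesn't match -- denied")


if __name__ == "__main__":
    for addr in ("66.28.189.203", "10.0.0.1", "10.0.0.9", "192.0.2.1"):
        ok, why = fcrdns(addr)
        print("ACCEPT" if ok else "DENY  ", why)
```

Passing `live_ptr` and `live_a` instead of the table functions turns this into a real check against the system resolver. Note what the check does and does not test: it only asks whether the PTR name's own A records contain the connecting address, so a host whose PTR points at mx1 passes even though a forward lookup of mx-rr would return three addresses, and a host whose PTR points at mx-rr passes only if it is one of those three.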
More information about the bind-users mailing list