Firewall DNS reverse- forward lookup
admjcd
admjcd at volpe.dot.gov
Fri Jan 2 15:37:17 UTC 2004
Thanks,
As Howard pointed out, this Raptor rule can cause some false positives and reject legitimate email just because someone misconfigured their DNS. This rule seems a little too judgmental for me. I would rather keep all the mail flowing, and I am not sure this rule protects us from any real threat? I am absolutely no good at nslookup with all of the advanced DNS configurations out there. Can anyone tell if mail2world.com has a misconfigured DNS or if this rule may be returning a false positive? I used the rdns at samspade.org and it returns several IP addresses. But again I am not sure what I am doing with nslookup!
If I can show that this rule is returning a false positive I can have a case to get this rule turned off.
Thanks again everyone!
-----Original Message-----
From: Roger Ward [mailto:roger.ward at national-net.com]
Sent: Thursday, January 01, 2004 11:07 AM
To: admjcd
Cc: 'comp-protocols-dns-bind at isc.org'
Subject: Re: Firewall DNS reverse- forward lookup
You are thinking backwards. It is reverse-forward, not forward-reverse-forward that matters.
The reverse lookup's hostname must match a forward lookup for that IP.
Our mail servers, for instance, are mx1.mail.hostname.com, etc. The round robin hostname for them is mx-rr.mail.hostname.com (and we have mx1 mx2 and mx3 sitting as round robin entries underneath that DNS record).
I don't use your firewall, but I have run across software which blocks based on broken dns.
Make sure the PTR record for the IP address also has an A record with the SAME IP address.
-Roger
> Hello all,
>
> We are having an issue with our Raptor firewall dropping packets
> because a reverse-forward lookup fails. Here is the log and a
> link to why Raptor logs it:
>
> "mw203.mail2world.com 66.28.189.203: reverse address 66.28.189.80
> doesn't match -- denied"
>
> http://www.firetower.com/faqs/logfiles/dnserrors.html
>
> My question is: Is this a valid security check (reverse-forward)?
> Is there a problem with mail2world.com's DNS setup? Is Raptor's rule
> to just drop these connections valid? How would such a rule handle
> round-robin, where a forward lookup can return a different IP? Or a
> number of IPs? Do any of you have any experience with this? TIA,
> and happy New Year!!!
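Added example, not part of the original thread: a forward-confirmed reverse DNS (FCrDNS) check in Python implementing the rule Roger describes (PTR for the IP, then the PTR target's A records must include that same IP), plus the "wrong direction" check the original poster was thinking of, to show why round-robin names such as mx-rr.mail.hostname.com fail the latter but not the former. The resolver tables are constructed for the demo: the mail2world.com entry only mirrors the shape of the Raptor log line (PTR gives mw203.mail2world.com, whose A record is a different IP) and is not a claim about the real zone; the hostname.com names copy Roger's layout; 192.0.2.0/24 is documentation address space. The log-style message is modelled on the quoted Raptor line, not taken from Raptor's source. `SocketResolver` is a stdlib-only live resolver and is not exercised offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check behind the Raptor rule.

Direction that matters (reverse-forward): PTR(ip) -> name; A(name) must contain ip.
Round robin is harmless as long as the PTR target's own A records include the IP.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class StubResolver:
    """Offline resolver backed by inline PTR/A tables (constructed test data)."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]):
        self._ptr, self._a = ptr, a

    def ptr(self, ip: str) -> Optional[str]:
        return self._ptr.get(ip)

    def a(self, name: str) -> List[str]:
        return self._a.get(name.rstrip(".").lower(), [])


class SocketResolver:
    """Live resolver using only the standard library (not used by the offline demo)."""

    def ptr(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def a(self, name: str) -> List[str]:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})


@dataclass
class Verdict:
    ip: str
    ptr_name: Optional[str]
    forward_ips: List[str] = field(default_factory=list)
    ok: bool = False
    reason: str = ""


def fcrdns_check(ip: str, resolver) -> Verdict:
    """Reverse-forward check: PTR(ip) must name a host whose A records include ip."""
    ip = str(ipaddress.ip_address(ip))  # normalise; raises on garbage input
    name = resolver.ptr(ip)
    if name is None:
        return Verdict(ip, None, reason="no PTR record")
    forward = resolver.a(name)
    if not forward:
        return Verdict(ip, name, reason=f"{name} has no A record")
    if ip in {str(ipaddress.ip_address(x)) for x in forward}:
        return Verdict(ip, name, forward, True, "PTR target resolves back to the IP")
    # Message shaped like the Raptor log line in the thread (assumption, not Raptor's code)
    return Verdict(ip, name, forward, False,
                   f"{name} {ip}: reverse address {forward[0]} doesn't match -- denied")


def name_matches_via_ptr(name: str, resolver) -> Dict[str, bool]:
    """The *wrong* direction (forward-reverse): does each A record of `name` have a
    PTR naming `name` itself?  A round-robin alias fails this even when every
    member IP passes fcrdns_check(), which is why the poster was 'thinking backwards'."""
    name = name.rstrip(".").lower()
    return {ip: (resolver.ptr(ip) or "").rstrip(".").lower() == name
            for ip in resolver.a(name)}


# Constructed tables (assumptions for the demo, see lead-in).
DEMO_RESOLVER = StubResolver(
    ptr={
        "66.28.189.203": "mw203.mail2world.com",   # PTR exists but A points elsewhere
        "192.0.2.11": "mx1.mail.hostname.com",
        "192.0.2.12": "mx2.mail.hostname.com",
        "192.0.2.20": "www.example.net",
    },
    a={
        "mw203.mail2world.com": ["66.28.189.80"],  # mismatch -> the log line in the thread
        "mx1.mail.hostname.com": ["192.0.2.11"],
        "mx2.mail.hostname.com": ["192.0.2.12"],
        "mx-rr.mail.hostname.com": ["192.0.2.11", "192.0.2.12", "192.0.2.13"],  # round robin
        "www.example.net": ["192.0.2.21", "192.0.2.20"],  # multi-A host, IP present -> passes
    },
)

if __name__ == "__main__":
    for ip in ("66.28.189.203", "192.0.2.11", "192.0.2.20", "192.0.2.99"):
        v = fcrdns_check(ip, DEMO_RESOLVER)
        print(f"{ip:15} ok={v.ok!s:5} ptr={v.ptr_name} a={v.forward_ips} {v.reason}")
    print("forward-reverse on mx-rr:", name_matches_via_ptr("mx-rr.mail.hostname.com", DEMO_RESOLVER))
```

The rule is only as good as the zone data: a PTR that points at a name whose A record is a different IP (the constructed mail2world.com case) is exactly what produces a "reverse address ... doesn't match" denial, while round-robin MX names pose no problem because the check starts from the connecting IP's own PTR, never from the alias.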