Firewall DNS reverse- forward lookup

admjcd admjcd at volpe.dot.gov
Fri Jan 2 15:37:17 UTC 2004


Thanks,

As Howard pointed out, this Raptor rule can cause some false positives and reject legitimate email just because someone misconfigured their DNS. This rule seems a little too judgmental for me. I would rather keep all the mail flowing, and I am not sure this rule protects us from any real threat? I am absolutely no good at nslookup with all of the advanced DNS configurations out there. Can anyone tell if mail2world.com has a misconfigured DNS or if this rule may be returning a false positive? I used the rdns at samspade.org and it returns several IP addresses. But again I am not sure what I am doing with nslookup!
If I can show that this rule is returning a false positive I can have a case to get this rule turned off.

Thanks again everyone!

-----Original Message-----
From: Roger Ward [mailto:roger.ward at national-net.com] 
Sent: Thursday, January 01, 2004 11:07 AM
To: admjcd
Cc: 'comp-protocols-dns-bind at isc.org'
Subject: Re: Firewall DNS reverse- forward lookup


You are thinking backwards.  It is reverse-forward, not forward-reverse-forward that matters.

The reverse lookup's hostname must match a forward lookup for that IP. 
Our mail servers, for instance, are mx1.mail.hostname.com, etc.  The round robin hostname for them is mx-rr.mail.hostname.com (and we have mx1 mx2 and mx3 sitting as round robin entries underneath that DNS record).

I don't use your firewall, but I have run across software which blocks based on broken DNS.


Make sure the PTR record for the IP address also has an A record with the SAME IP address.


-Roger


>
>
> Hello all,
>
>   We are having an issue with our Raptor firewall dropping packets 
> because a reverse-forward lookup fails. Here is the log and a 
> link to why Raptor logs it:
>
>   "mw203.mail2world.com 66.28.189.203: reverse address 66.28.189.80 
> doesn't match -- denied"
>
>  http://www.firetower.com/faqs/logfiles/dnserrors.html
>
>   My question is: Is this a valid security check (reverse-forward)?  
> Is there a problem with mail2world.com's DNS setup? Is Raptor's rule 
> to just drop these connections valid?  How would such a rule handle 
> round-robin, where a forward lookup can return a different IP? Or a 
> number of IPs?  Do any of you have any experience with this?  TIA  
> And happy New Year!!!
>
>
>
>
>
>
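Roger's check (the PTR hostname must have an A record back to the same IP, with round-robin handled because the forward lookup returns every A record), as an added Python example that is not from this thread or from Raptor. The record tables are constructed to mirror the logged mail2world.com case, and the live_* helpers that query the system resolver are an assumption of this example, not the firewall's own logic.

```python
import socket

# Constructed sample records (assumed for this example, not real DNS data).
# PTR table: IP -> hostname returned by the reverse lookup.
SAMPLE_PTR = {
    "66.28.189.203": "mw203.mail2world.com",  # the case from the Raptor log
    "192.0.2.10": "mx1.mail.example.com",     # hypothetical round-robin member
}
# A table: hostname -> every IP the forward lookup returns (round robin = several).
SAMPLE_A = {
    "mw203.mail2world.com": ["66.28.189.80"],              # forward lacks .203
    "mx1.mail.example.com": ["192.0.2.10", "192.0.2.11"],  # round robin, has .10
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_a(host):
    return SAMPLE_A.get(host, [])


def live_ptr(ip):
    """Reverse lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def live_a(host):
    """Forward lookup returning all IPv4 addresses, so round robin is covered."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def fcrdns_check(ip, ptr_lookup=live_ptr, a_lookup=live_a):
    """Forward-confirmed reverse DNS: PTR(ip) -> host, then A(host) must contain ip.
    Membership in the full A set is what keeps round-robin hosts from failing."""
    host = ptr_lookup(ip)
    if host is None:
        return False, f"{ip}: no PTR record"
    addrs = a_lookup(host)
    if ip in addrs:
        return True, f"{host} {ip}: forward lookup confirms reverse"
    shown = ", ".join(addrs) if addrs else "none"
    return False, f"{host} {ip}: forward lookup returned {shown}, does not match"


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(fcrdns_check(ip, sample_ptr, sample_a))
```

Run with the sample tables to see the logged mail2world.com case fail and the round-robin host pass; call fcrdns_check(ip) with no table arguments to test a live address.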

