Firewall DNS reverse- forward lookup
phn at icke-reklam.ipsec.nu
Fri Jan 2 15:54:39 UTC 2004
admjcd <admjcd at volpe.dot.gov> wrote:
> Thanks,
> As Howard pointed out, this Raptor rule can cause some false positives and reject legitimate email just because someone misconfigured their DNS. This rule seems a little too judgmental for me. I would rather keep all the mail flowing, and I am not sure this rule protects us from any real threat? I am absolutely no good at nslookup with all of the advanced DNS configurations out there. Can anyone tell if mail2world.com has a misconfigured DNS or if this rule may be returning a false positive? I used the rdns at samspade.org and it returns several IP addresses. But again I am not sure what I am doing with nslookup!
> If I can show that this rule is returning a false positive I can have a case to get this rule turned off.
mail2world.com is broken all right.
A partial list :
- mail2world.com is delegated to :
;; ANSWER SECTION:
mail2world.com. 2D IN NS ns1.mail2world.com.
mail2world.com. 2D IN NS udns1.ultradns.net.
mail2world.com. 2D IN NS udns2.ultradns.net.
However, udns[12].ultradns.net. says :
;; ANSWER SECTION:
mail2world.com. 15M IN NS udns2.ultradns.net.
mail2world.com. 15M IN NS udns1.ultradns.net.
ns1.mail2world.com. has a totally differing opinion :
;; ANSWER SECTION:
mail2world.com. 1D IN NS ns1.mail2world.com.
mail2world.com. 1D IN NS mwimap01la.mail2world.com.
where "mwimap01la.mail2world.com." has a bunch of 1918 addresses :
mwimap01la.mail2world.com. 1D IN A 10.1.1.101
mwimap01la.mail2world.com. 1D IN A 10.1.1.103
mwimap01la.mail2world.com. 1D IN A 10.1.1.104
mwimap01la.mail2world.com. 1D IN A 10.1.1.107
mwimap01la.mail2world.com. 1D IN A 10.1.1.108
mwimap01la.mail2world.com. 1D IN A 10.1.1.109
Serial numbers differ : udns1.ultradns.net has 2003122206
where ns1.mail2world.com. has 2003112237
SOA "retry" equals "refresh"
> Thanks again everyone!
Welcome.
> -----Original Message-----
> From: Roger Ward [mailto:roger.ward at national-net.com]
> Sent: Thursday, January 01, 2004 11:07 AM
> To: admjcd
> Cc: 'comp-protocols-dns-bind at isc.org'
> Subject: Re: Firewall DNS reverse- forward lookup
> You are thinking backwards. It is reverse-forward, not forward-reverse-forward that matters.
> The reverse lookup's hostname must match a forward lookup for that IP.
> Our mail servers, for instance, are mx1.mail.hostname.com, etc. The round robin hostname for them is mx-rr.mail.hostname.com (and we have mx1, mx2 and mx3 sitting as round robin entries underneath that DNS record).
> I don't use your firewall, but I have run across software which blocks based on broken dns.
> Make sure the PTR record for the IP address also has an A record with the SAME IP address.
> -Roger
>>
>> Hello all,
>>
>> We are having an issue with our Raptor firewall dropping packets
>> because a reverse-forward lookup fails. Here is the log and a
>> link to why Raptor logs it:
>>
>> "mw203.mail2world.com 66.28.189.203: reverse address 66.28.189.80
>> doesn't match -- denied"
>>
>> http://www.firetower.com/faqs/logfiles/dnserrors.html
>>
>> My question is: Is this a valid security check (reverse-forward)?
>> Is there a problem with mail2world.com's DNS setup? Is Raptor's rule
>> to just drop these connections valid? How would such a rule handle
>> round-robin, where a forward lookup can return a different IP? Or a
>> number of IPs? Do any of you have any experience with this? TIA
>> and happy new year!!!
>>
-- 
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
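Worked example, added here and not part of the thread or of any poster's code: a small Python script showing the two checks the thread discusses. The first is the reverse-forward (forward-confirmed reverse DNS) test that the Raptor log line describes, written so that a round-robin hostname with several A records passes as long as one of them is the connecting IP, which is what Roger describes. The second walks a delegation the way Peter did by hand: compare the NS set each listed nameserver answers with the delegating NS set, flag RFC 1918 glue, and compare SOA serials. All DNS data is a constructed in-memory table modelled on the records quoted above (the PTR for 66.28.189.203 and the mx-rr round-robin entries are assumptions built from the log line and Roger's description, not records taken from the page); a real deployment would replace `lookup` with queries through a resolver library, which is not shown.

```python
"""Reverse-forward (FCrDNS) and delegation-consistency checks.

Added example, not code from the bind-users thread. Every record below is a
constructed stand-in modelled on what the thread quotes; nothing is queried
on the network. Keys are (server, owner name, rrtype); server "resolver" is
the recursive view, other servers are answers obtained by asking that
authoritative server directly.
"""
import ipaddress

FAKE_DNS = {
    # Reverse-forward case from the firewall log line (assumed PTR/A data).
    ("resolver", "203.189.28.66.in-addr.arpa.", "PTR"): ["mw203.mail2world.com."],
    ("resolver", "mw203.mail2world.com.", "A"): ["66.28.189.80"],
    # Constructed round-robin case in the style Roger describes.
    ("resolver", "1.189.28.66.in-addr.arpa.", "PTR"): ["mx-rr.mail.hostname.com."],
    ("resolver", "mx-rr.mail.hostname.com.", "A"): ["66.28.189.1", "66.28.189.2", "66.28.189.3"],
    # Delegation as quoted in the thread.
    ("resolver", "mail2world.com.", "NS"): ["ns1.mail2world.com.", "udns1.ultradns.net.", "udns2.ultradns.net."],
    ("udns1.ultradns.net.", "mail2world.com.", "NS"): ["udns2.ultradns.net.", "udns1.ultradns.net."],
    ("udns2.ultradns.net.", "mail2world.com.", "NS"): ["udns2.ultradns.net.", "udns1.ultradns.net."],
    ("ns1.mail2world.com.", "mail2world.com.", "NS"): ["ns1.mail2world.com.", "mwimap01la.mail2world.com."],
    ("resolver", "mwimap01la.mail2world.com.", "A"): [
        "10.1.1.101", "10.1.1.103", "10.1.1.104", "10.1.1.107", "10.1.1.108", "10.1.1.109"],
    ("udns1.ultradns.net.", "mail2world.com.", "SOA"): ["2003122206"],
    ("udns2.ultradns.net.", "mail2world.com.", "SOA"): ["2003122206"],
    ("ns1.mail2world.com.", "mail2world.com.", "SOA"): ["2003112237"],
}


def lookup(name, rrtype, server="resolver", table=FAKE_DNS):
    """Return the RRset for (name, rrtype) as seen from `server`; [] if absent."""
    return list(table.get((server, name, rrtype), []))


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, table=FAKE_DNS):
    """Reverse-forward check as the firewall applies it.

    Passes when some PTR hostname for `ip` has an A record equal to `ip`.
    Round robin is fine: extra A records on the hostname do not matter,
    only that `ip` itself appears among them.
    Returns (ok, detail) where detail is a human-readable reason.
    """
    ip = str(ipaddress.ip_address(ip))
    ptrs = lookup(reverse_name(ip), "PTR", table=table)
    if not ptrs:
        return False, f"{ip}: no PTR record"
    seen = {}
    for host in ptrs:
        addrs = lookup(host, "A", table=table)
        seen[host] = addrs
        if ip in addrs:
            return True, f"{ip}: {host} -> {addrs} (contains {ip})"
    return False, f"{ip}: reverse address(es) {seen} don't match -- would be denied"


def delegation_report(zone, table=FAKE_DNS):
    """List inconsistencies in a delegation, the way the thread inspects mail2world.com.

    Checks: each delegated NS must serve the same NS RRset as the delegation,
    NS hosts must not resolve to private (RFC 1918) addresses, and SOA
    serials must agree across the servers that answer.
    """
    delegated = set(lookup(zone, "NS", table=table))
    problems, serials = [], {}
    for ns in sorted(delegated):
        served = set(lookup(zone, "NS", server=ns, table=table))
        if served != delegated:
            problems.append(f"{ns} serves NS set {sorted(served)} but delegation says {sorted(delegated)}")
        soa = lookup(zone, "SOA", server=ns, table=table)
        if soa:
            serials[ns] = soa[0]
        for host in sorted(served):
            private = [a for a in lookup(host, "A", table=table) if ipaddress.ip_address(a).is_private]
            if private:
                problems.append(f"{host} has private (RFC 1918) addresses {private}")
    if len(set(serials.values())) > 1:
        problems.append(f"SOA serials disagree: {serials}")
    return problems


if __name__ == "__main__":
    for ip in ("66.28.189.203", "66.28.189.1", "66.28.189.99"):
        print(fcrdns(ip))
    for line in delegation_report("mail2world.com."):
        print("-", line)
```

Run stand-alone it prints the denied case from the log, the round-robin case passing, an address with no PTR at all, and then the delegation findings (three NS-set mismatches, the private glue on mwimap01la, and the serial disagreement). Note that the delegation check only reports what it is asked to compare; the SOA retry-equals-refresh observation from the thread is a timer-tuning point and is not covered here.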