Firewall DNS reverse-forward lookup
Barry Margolin
barmar at alum.mit.edu
Thu Jan 1 07:49:41 UTC 2004
In article <bt0ggd$2ok6$1 at sf1.isc.org>, admjcd <admjcd at volpe.dot.gov>
wrote:
> Hello all,
>
> We are having an issue with our Raptor firewall dropping packets because a
> reverse-forward lookup fails. Here is the log and a link to why Raptor
> logs it:
>
> "mw203.mail2world.com 66.28.189.203: reverse address 66.28.189.80 doesn't
> match -- denied"
>
> http://www.firetower.com/faqs/logfiles/dnserrors.html
>
> My question is: Is this a valid security check (reverse-forward)? Is
> Raptor's rule to just drop these connections valid?
It's probably not a good idea to drop them in all cases, because many
sites don't have their reverse DNS set up properly, but it can be useful
to drop them in particular rules, like incoming SMTP.
> How would such a rule handle round-robin, where a forward lookup can
> return a different IP? Or a number of IPs? Do any of you have any
> experience with this? TIF so much if you do!! And Happy New Year!!!
The right thing for them to do is use multiple names -- one generic name
that round-robins to all the addresses in the cluster, and another name
that's unique to each address. The latter is the one that should be in
the reverse DNS.
In this case, they should have mw.mail2world.com that's used by the load
balancer, and then have matching forward and reverse lookups for
mw##.mail2world.com <-> 66.28.189.##.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
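The check the Raptor log describes, and the naming layout recommended in the reply, as an added worked example that is not part of the original thread or of any firewall product. It runs the forward-confirmed reverse DNS (FCrDNS) check against an in-memory record set so it works offline; the records are constructed for illustration and are not real mail2world.com data. The "generic round-robin name plus a per-host name in the PTR" layout is the one suggested above; the assumed policy (deny on mismatch only for SMTP, allow and log elsewhere) is one reading of the advice to use the check in particular rules rather than globally, and the function and service names are the example's own.

```python
"""Forward-confirmed reverse DNS (FCrDNS): PTR lookup on the client address,
then forward (A) lookup on every name the PTR returned, and a match only if
the original address is among the forward results. Checking membership in
the forward result set, rather than equality with its first entry, is what
makes a PTR that points at a round-robin name still pass."""
import ipaddress

# Constructed record set standing in for resolver answers (NOT real
# mail2world.com records). Layout follows the reply above: one generic name
# (mw.mail2world.com) that round-robins across the cluster, per-host names
# for the PTRs, and one deliberately wrong forward record for mw203 to
# reproduce the mismatch in the Raptor log line quoted in the question.
RECORDS = {
    ("mw.mail2world.com.", "A"): ["66.28.189.80", "66.28.189.81", "66.28.189.203"],
    ("mw80.mail2world.com.", "A"): ["66.28.189.80"],
    ("mw81.mail2world.com.", "A"): ["66.28.189.81"],
    ("mw203.mail2world.com.", "A"): ["66.28.189.80"],          # wrong: host is .203
    ("80.189.28.66.in-addr.arpa.", "PTR"): ["mw80.mail2world.com."],
    ("81.189.28.66.in-addr.arpa.", "PTR"): ["mw.mail2world.com."],  # PTR to the generic name
    ("203.189.28.66.in-addr.arpa.", "PTR"): ["mw203.mail2world.com."],
    # 66.28.189.99 has no PTR at all: the common "reverse DNS not set up" case
}

# Assumed policy: services where a failed check denies the connection.
STRICT_SERVICES = {"smtp"}


def reverse_name(ip):
    """PTR owner name for an address, e.g. 66.28.189.203 -> 203.189.28.66.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(name, rtype, records=RECORDS):
    """Stand-in for a resolver query; returns [] where a real resolver gives NXDOMAIN/NODATA."""
    return list(records.get((name, rtype), []))


def fcrdns(ip, records=RECORDS):
    """Return (verdict, ptr_name, forward_addrs).

    'match'    - some PTR name's forward lookup contains ip (round-robin is fine)
    'mismatch' - PTR exists, but ip is not among any of its forward addresses
    'no-ptr'   - the address has no reverse record at all
    """
    ptr_names = lookup(reverse_name(ip), "PTR", records)
    if not ptr_names:
        return "no-ptr", None, []
    seen = []
    for name in ptr_names:          # a PTR set may carry more than one name
        addrs = lookup(name, "A", records)
        if ip in addrs:
            return "match", name, addrs
        seen.extend(addrs)
    return "mismatch", ptr_names[0], seen


def decide(ip, service, records=RECORDS):
    """Apply the check per-rule: deny on failure only for STRICT_SERVICES, otherwise allow and log."""
    verdict, name, addrs = fcrdns(ip, records)
    if verdict == "match":
        return "allow", "%s %s: reverse/forward match" % (name.rstrip("."), ip)
    if verdict == "no-ptr":
        reason = "%s: no reverse DNS" % ip
    else:
        reason = "%s %s: reverse address %s doesn't match" % (
            name.rstrip("."), ip, ", ".join(addrs))
    if service in STRICT_SERVICES:
        return "deny", reason + " -- denied"
    return "allow", reason + " -- allowed (logged)"


if __name__ == "__main__":
    for ip, svc in [("66.28.189.203", "smtp"), ("66.28.189.203", "http"),
                    ("66.28.189.81", "smtp"), ("66.28.189.99", "smtp")]:
        print("%-5s %s" % decide(ip, svc))
```

The mw203 case reproduces the log line from the question: the PTR resolves, but the forward lookup of that name returns 66.28.189.80, not the connecting address, so the SMTP rule denies it while an HTTP rule only logs it. The .81 case shows why membership rather than equality is the right test: its PTR points at the generic name, which round-robins over three addresses, and the check passes because .81 is one of them.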