Request reverse dns mapping advice

Bob Harold rharolde at umich.edu
Tue Sep 6 15:01:09 UTC 2016


On Tue, Sep 6, 2016 at 1:39 AM, Dave Warren <davew at hireahit.com> wrote:

> On Mon, Sep 5, 2016, at 09:46, John Levine wrote:
> > >1.  pick a primary domain from the list of virtual hosts (example2.com)
> > >2.  use the "real" host name of the server (juvat.example1.com)
> > >3.  the mail server name (mail.example1.com)
> > >4.  the dns server name (ns2.example1.com)
> > >5.  another domain from the virtual hosts list (example3.com)
> >
> > Publish a PTR with the mail server name, forget about the rest of
> > them.
> >
> > On today's Internet, you want your mail server to EHLO with a name
> > that has matching forward and reverse DNS with the server's IP.  If
> > you don't, you look unnecessarily like a spambot.
> >
> > Everyone knows that web servers and DNS servers have multiple names,
> > and neither should be sending unsolicited traffic, so matching rDNS
> > doesn't matter.
>
> Perhaps I'm old fashioned, but I like to see things done "correctly",
> and rDNS is one of those things that shows a competent host who worries
> about getting the details right, vs a host who has no technical skills
> or knowledge and does the bare minimum. Does it make for an operational
> difference? Not really. But it does make it obvious what entity is
> responsible for a machine and I feel that that's important.
>
> Personally, I set valid and correct names that identify me (the host) on
> machines under my control, whether or not they're intended to make
> outbound connections (and web servers do). If an IP is dedicated to a
> specific client then I'll consider what makes the most sense, but
> generally I do assign the client's rDNS to a dedicated IP.
>
> With that being said, I'd do something like ns2.example.com, or
> web.juvat.example.com, or whatever is appropriate within your normal
> naming scheme.
>
> > Opinions vary on how well it works to return multiple PTRs.  My
> > advice is don't borrow trouble you don't need.
>
> I agree on this point. Even if it works with only a few PTRs (and it
> mostly will, as long as each PTR has a matching and valid A/AAAA
> record), what will happen when you have dozens of domains?
>
I agree with one PTR per IP.  But since you have 5 IPs, you can have one
PTR record on each, just be sure there is a matching forward "A" record.
Your list of 5 names looks good, but only if each service uses the
corresponding IP for its outgoing connections, which could be difficult or
not the most efficient.  (What is missing here is why 5 IPs - parallel for
more traffic, connections to different Internet providers, ...?)

-- 
Bob Harold
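The thread's recommendation is "one PTR per IP, and every PTR must have a matching forward A/AAAA record" (forward-confirmed reverse DNS, the check receiving mail servers apply to your EHLO name). The script below is an added example written for this page; it is not code from the thread or from BIND. It builds the in-addr.arpa/ip6.arpa owner names with the standard library, emits the PTR lines you would put in the reverse zone, and flags the three failure modes discussed above: no PTR, more than one PTR on an address, and a PTR whose name has no matching A/AAAA. The zone data (example1.com, example2.com, example3.com on 192.0.2.0/24) is constructed for the example, and `live_check` uses the system resolver so it is not exercised offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) checker and PTR record generator.

Added example for the bind-users thread above; all hostnames and
addresses below are constructed sample data (RFC 5737 documentation range).
"""
import ipaddress
import socket

# Constructed forward zone data: owner name -> set of A/AAAA address strings.
FORWARD = {
    "mail.example1.com.": {"192.0.2.10"},
    "juvat.example1.com.": {"192.0.2.10", "192.0.2.11"},
    "ns2.example1.com.": {"192.0.2.12"},
    "www.example2.com.": {"192.0.2.13"},
    "www.example3.com.": {"192.0.2.13"},
}

# Constructed reverse data: address -> list of PTR targets.
# 192.0.2.13 deliberately has two PTRs and 192.0.2.14 a PTR with no
# forward record, to show what the checker reports.
REVERSE = {
    "192.0.2.10": ["mail.example1.com."],
    "192.0.2.11": ["juvat.example1.com."],
    "192.0.2.12": ["ns2.example1.com."],
    "192.0.2.13": ["www.example2.com.", "www.example3.com."],
    "192.0.2.14": ["web.example1.com."],
}


def ptr_owner(ip):
    """Reverse-zone owner name for an IPv4 or IPv6 address, fully qualified."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_fcrdns(ip, reverse=REVERSE, forward=FORWARD):
    """Return (ok, problems) for one address against the zone data.

    ok is True only when exactly one PTR exists and that PTR's name has an
    A/AAAA record pointing back at the same address.
    """
    problems = []
    names = reverse.get(ip, [])
    if not names:
        problems.append("no PTR")
    elif len(names) > 1:
        problems.append("multiple PTRs (%d)" % len(names))
    for name in names:
        if ip not in forward.get(name, set()):
            problems.append("PTR %s has no matching A/AAAA for %s" % (name, ip))
    return (not problems, problems)


def generate_ptr_records(reverse=REVERSE):
    """Zone-file lines for the reverse zone, one PTR per (address, name)."""
    lines = []
    for ip in sorted(reverse, key=ipaddress.ip_address):
        for name in reverse[ip]:
            lines.append("%s\tIN\tPTR\t%s" % (ptr_owner(ip), name))
    return lines


def live_check(ip):
    """Same test against the live system resolver (needs network).

    Returns (ok, ptr_name). gethostbyaddr gives the PTR name; getaddrinfo
    on that name gives its A/AAAA addresses, which must include ip.
    """
    host, _aliases, _addrs = socket.gethostbyaddr(ip)
    forward_addrs = {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    return (ip in forward_addrs, host)


if __name__ == "__main__":
    for line in generate_ptr_records():
        print(line)
    for addr in sorted(set(REVERSE) | {"192.0.2.15"}, key=ipaddress.ip_address):
        ok, problems = check_fcrdns(addr)
        print(addr, "OK" if ok else "; ".join(problems))
```

Run it as-is to see the generated PTR lines and the report; to audit a real server, call `live_check("<your ip>")` and confirm the returned name is the one the MTA uses in its EHLO.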