[Pdns-users] Reverse Lookup zone subnetted
b.candler at pobox.com
Fri Jul 19 15:05:14 UTC 2019
On 19/07/2019 16:00, Brian Candler wrote:
> On 19/07/2019 15:52, bryantz-pdns at zktech.com wrote:
>> Where we are getting into issues is that customers we host e-mail
>> servers for are having issues as some email service providers appear
>> to be forcing their reverse lookups directly against our powerdns
> Can you provide your evidence for that assertion? Do you have packet
> I can't see any way they could know about your nameservers, unless
> they followed the in-addr.arpa delegation which ended up with your CNAME.
However, the fact that you have two PTR records could certainly be
confusing them. And I *would* expect them to do a forward lookup after
the reverse lookup, so you'll see that arriving at your nameservers.
That is, the sequence is:
1. Remote server accepts an inbound connection from 188.8.131.52
2. They do a reverse lookup on this IP address, and get the name
3. They do a forward lookup on this name, and get IP address 184.108.40.206
4. They check that this matches the original IP address. This is what
prevents you from forging your PTR records; otherwise, you could just
put in a PTR record pointing at "whitehouse.gov" for example.
5. If the forward and reverse don't match, paranoid servers will drop
the connection, or mark your mail as spam.
You have a much better chance of this working if you have a *single* PTR
record for that IP address. Pick whichever name you consider to be the
"main" name of the mail server, and use that.
You are astill llowed to have many different forward records pointing to
IP address 220.127.116.11; there's no problem with that. You just want
the reverse record to point to a single name, and that name also to
point to 18.104.22.168.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pdns-users