[Pdns-users] Reverse Lookup zone subnetted

[Brian Candler]

On 19/07/2019 16:00, Brian Candler wrote:
> On 19/07/2019 15:52, bryantz-pdns at zktech.com wrote:
>> Where we are getting into issues is that customers we host e-mail 
>> servers for are having issues as some email service providers appear 
>> to be forcing their reverse lookups directly against our powerdns 
>> servers.
>
> Can you provide your evidence for that assertion?  Do you have packet 
> captures?
>
> I can't see any way they could know about your nameservers, unless 
> they followed the in-addr.arpa delegation which ended up with your CNAME. 

However, the fact that you have two PTR records could certainly be 
confusing them.  And I *would* expect them to do a forward lookup after 
the reverse lookup, so you'll see that arriving at your nameservers.

That is, the sequence is:

1. Remote server accepts an inbound connection from 65.183.176.179

2. They do a reverse lookup on this IP address, and get the name 
"mail.granddial.com" (say)

3. They do a forward lookup on this name, and get IP address 65.183.176.179

4. They check that this matches the original IP address.  This is what 
prevents you from forging your PTR records; otherwise, you could just 
put in a PTR record pointing at "whitehouse.gov" for example.

5. If the forward and reverse don't match, paranoid servers will drop 
the connection, or mark your mail as spam.

You have a much better chance of this working if you have a *single* PTR 
record for that IP address. Pick whichever name you consider to be the 
"main" name of the mail server, and use that.

You are astill llowed to have many different forward records pointing to 
IP address 65.183.176.179; there's no problem with that.  You just want 
the reverse record to point to a single name, and that name also to 
point to 65.183.176.179.

HTH,

Brian.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20190719/ecfd0f48/attachment.html>