[Pdns-users] Reverse Lookup zone subnetted
b.candler at pobox.com
Fri Jul 19 15:59:19 UTC 2019
On 19/07/2019 16:15, bryantz-pdns at zktech.com wrote:
> Thank you again for your response, and also thank you for yesterday
> pointing me to the support in open policy for the group.
> Currently I don't have any evidence as I have not done the packet
> Two of the three outside parties complaining claim their servers look
> up the authoritative name servers for the domain in the email address
> and then their systems dig for reverse lookup against these name servers.
That makes no sense whatsoever. The nameservers hosting reverse DNS for
an address block need not be - indeed often are not - the nameservers
hosting the forward domain.
If they are doing what they describe (which I don't believe), then not
only is it totally broken, they would have had to write custom code to
implement this broken behaviour. I think you're probably getting
I presume though that the ultimate problem was that you were getting
some bounces to E-mails. Do you have any captures of those, i.e. the
5xx response line which the remote mailserver returned?
> My guess is our previous servers were running bind and look like they
> may have allow recursive lookups for any requests to the reverse zones.
If you were running an "open" recursor - one that accepts recursive
queries from networks that you don't control - then you were open to
huge abuse, e.g. you could have been used as a DoS amplifier.
In any case, recursive nameservers don't set the "Recursion Desired"
flag when making queries to authoritative nameservers.
More information about the Pdns-users