[Pdns-users] Reverse Lookup zone subnetted
Brian Candler
b.candler at pobox.com
Fri Jul 19 15:59:19 UTC 2019
On 19/07/2019 16:15, bryantz-pdns at zktech.com wrote:
> Thank you again for your response, and also thank you for yesterday
> pointing me to the support in open policy for the group.
> Currently I don't have any evidence as I have not done the packet
> captures.
>
> Two of the three outside parties complaining claim their servers look
> up the authoritative name servers for the domain in the email address
> and then their systems dig for reverse lookup against these name servers.
>
That makes no sense whatsoever. The nameservers hosting reverse DNS for
an address block need not be - indeed often are not - the nameservers
hosting the forward domain.
If they are doing what they describe (which I don't believe), then not
only is it totally broken, they would have had to write custom code to
implement this broken behaviour. I think you're probably getting
garbled information.
I presume though that the ultimate problem was that you were getting
some bounces to E-mails. Do you have any captures of those, i.e. the
5xx response line which the remote mailserver returned?
> My guess is our previous servers were running bind and look like they
> may have allowed recursive lookups for any requests to the reverse zones.
If you were running an "open" recursor - one that accepts recursive
queries from networks that you don't control - then you were open to
huge abuse, e.g. you could have been used as a DoS amplifier.
In any case, recursive nameservers don't set the "Recursion Desired"
flag when making queries to authoritative nameservers.
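Added example, not part of the thread: a small Python script that puts the two points above in wire format. It builds a PTR query the way a resolver sends it to an authoritative server (RD clear), parses the flags of a reply, and decides from RA and RCODE whether the answering server offered recursion; the sample replies are constructed, and the probe function is meant for confirming that a server you operate refuses recursion.

```python
import socket
import struct

def reverse_name(ipv4: str) -> str:
    """Map 192.0.2.10 -> 10.2.0.192.in-addr.arpa, the name a reverse lookup actually asks for."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_query(qname: str, qtype: int = 12, rd: bool = False, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (qtype 12 = PTR). rd=False is what a resolver sends to an
    authoritative server; rd=True is what a stub client sends when it wants recursion done for it."""
    flags = 0x0100 if rd else 0x0000                      # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the flags that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def recursion_offered(response: bytes) -> bool:
    """True if an RD=1 query came back with RA set and not REFUSED (rcode 5),
    i.e. the server was willing to recurse for whoever sent the query."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] != 5

def probe(server_ip: str, ipv4_to_check: str, timeout: float = 2.0) -> bytes:
    """Send one RD=1 PTR query over UDP to a server you run and return the raw reply,
    so recursion_offered() can confirm the server is not an open recursor."""
    query = build_query(reverse_name(ipv4_to_check), rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        return s.recv(4096)

# Constructed replies (header only; the decision needs nothing beyond the header):
# an authoritative-only server refusing recursion: QR=1, RD echoed, RA=0, rcode=5 (REFUSED)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
# an open recursor answering anyone: QR=1, RD=1, RA=1, rcode=0, one answer RR
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```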