[wplug] reverse DNS

Bill Moran wmoran at potentialtech.com
Tue Apr 6 20:23:36 EDT 2004


Duncan Hutty wrote:
> Comcast's Broadband Business Services just told me that they will not make a
> reverse DNS entry for me.

Why doesn't that surprise me?

> I admit that I am not a networking wizard yet, but if I understand things correctly,
> my ISP, by whom I am assigned my permanent IP addresses, has to have reverse DNS
> entries for any mail server (and possibly other services?) that I wish to run or
> my users' mail will be rejected by any sensible admin?

Does your mailserver have _any_ PTR record?

I don't know of any mailserver that will reject you for having a PTR record that
doesn't match your forward DNS record.  There are three basic tests that are
commonly done:

1) Does the hostname as provided on the HELO line resolve? (doesn't matter what to,
    just as long as it resolves to something)
2) Does the IP of the server have a PTR record?  (Doesn't matter what it is, just
    as long as it's there)
3) Does the hostname that comes back from a PTR lookup resolve forward?  (I don't
    know of anyone that even checks this with #2, they're just checking to make
    sure _something_ is there)

#1 and #2 are very common.  #3 is less common, but I use it, and there are others
that do as well (it's a config option in Postfix, for example).

While administrators are free to hack their mailservers to do whatever tests they
want, the three above are the strictest I've seen so far.  If you can pass those
three, you're probably in good shape with 99.9% of the mailservers out there.

Last I checked, Comcast _did_ have PTR records for all their IPs.  Even if these
PTR records resolve to things like ip24-35-76-82.rev.comcast.net, it's usually
still enough to make mailservers happy.

Check out my mailserver, for example.  mail.potentialtech.com resolves to 66.167.251.6,
but 66.167.251.6 has a PTR record to h-66-167-251-5.phlapafg.covad.net ... I've never
been bounced on account of DNS.

> Has anyone else run afoul of Comcast in this way?

Not in this way, but every time I run near Comcast it's afoul.

> Is there a solution using a dynamic DNS service?

PTR records are hard because Comcast got the delegation for them when they secured
the IP block.  There are basically 2 choices from there:
1) Comcast puts in a PTR record for you
2) Comcast delegates the PTR record to your DNS server

If they're not willing to do either, you're pretty much stuck.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
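The three tests Bill lists above, written out as a small Python checker. This is an added example, not code from the post, from Postfix or from Potential Technologies. The DNS data is constructed (documentation addresses and hostnames in the `.example` / `example.com` space) and the resolvers are plain dictionary lookups so it runs offline; swap in real lookups (e.g. dnspython) to test a live host. It also adds a stricter `fcrdns` result that the post does not describe: the PTR name must resolve back to the connecting IP, not merely resolve to something.

```python
"""Three common SMTP client DNS sanity checks, with injectable resolvers.

Example code added to illustrate the checks the post lists; it is not
Postfix code and not anything from the original post.  The zone data
below is constructed, so the checks run offline.
"""
from typing import Callable, Dict, List, Optional

ForwardResolver = Callable[[str], List[str]]       # hostname -> IPv4 addresses
ReverseResolver = Callable[[str], Optional[str]]   # IPv4 address -> PTR name

# --- constructed sample DNS data (not real zones) -----------------------------
FORWARD_ZONE: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    # ISP-style generic PTR name that happens to resolve back to the same IP.
    "h-192-0-2-10.rev.isp.example": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.20"],
}
REVERSE_ZONE: Dict[str, str] = {
    "192.0.2.10": "h-192-0-2-10.rev.isp.example",  # PTR differs from forward name
    "192.0.2.20": "mail.example.org",              # PTR matches forward name
    "192.0.2.30": "stale-ptr.example.net",         # PTR name has no A record
    # 192.0.2.40 deliberately has no PTR at all
}


def sample_forward(hostname: str) -> List[str]:
    """Constructed stand-in for an A lookup."""
    return FORWARD_ZONE.get(hostname.lower().rstrip("."), [])


def sample_reverse(ip: str) -> Optional[str]:
    """Constructed stand-in for a PTR lookup."""
    return REVERSE_ZONE.get(ip)


def check_client(helo: str, client_ip: str,
                 forward: ForwardResolver = sample_forward,
                 reverse: ReverseResolver = sample_reverse) -> Dict[str, bool]:
    """Run the three checks from the post and return a pass/fail map.

    1. helo_resolves: the HELO/EHLO name has an A record (any address)
    2. ptr_exists:    the client IP has a PTR record (any name)
    3. ptr_resolves:  the PTR name itself has an A record (any address)
    'fcrdns' is a stricter variant not in the post: the PTR name must
    resolve back to the connecting IP (forward-confirmed reverse DNS).
    """
    helo_ok = bool(forward(helo))
    ptr_name = reverse(client_ip)
    ptr_ok = ptr_name is not None
    ptr_addrs = forward(ptr_name) if ptr_name is not None else []
    return {
        "helo_resolves": helo_ok,
        "ptr_exists": ptr_ok,
        "ptr_resolves": bool(ptr_addrs),
        "fcrdns": client_ip in ptr_addrs,
    }


def would_be_accepted(result: Dict[str, bool]) -> bool:
    """Policy from the post: pass all three checks and you're in good shape."""
    return (result["helo_resolves"] and result["ptr_exists"]
            and result["ptr_resolves"])


if __name__ == "__main__":
    cases = [
        ("mail.example.com", "192.0.2.10"),       # PTR != forward name, still OK
        ("mail.example.org", "192.0.2.20"),       # PTR == forward name
        ("mail.example.com", "192.0.2.30"),       # PTR present but dangling
        ("mail.example.com", "192.0.2.40"),       # no PTR at all
        ("localhost.localdomain", "192.0.2.10"),  # HELO name doesn't resolve
    ]
    for helo, ip in cases:
        r = check_client(helo, ip)
        verdict = "accept" if would_be_accepted(r) else "reject"
        print(f"{ip:<12} HELO={helo:<24} {r} -> {verdict}")
```

The first case is the situation Bill describes: the PTR name is a generic ISP hostname that does not match the forward name, yet all three checks pass. In Postfix the corresponding restrictions (names from Postfix's own documentation, not from the post) are `reject_unknown_helo_hostname` for check 1, `reject_unknown_reverse_client_hostname` for check 2, and `reject_unknown_client_hostname` for the strict forward-confirmed form.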
