[wplug] Reverse DNS - PTR Record

Poyner, Brandon bpoyner at ccac.edu
Fri May 20 13:17:08 EDT 2005


Bill is right.  If you weren't given an entire class C network (/24 or
less) and you still want to be responsible for reverse DNS requests, ask
Comcast for classless delegation.

Brandon Poyner
Network Engineer III
CCAC - College Office
412-237-3086
 
-----Original Message-----
From: wplug-bounces+bpoyner=ccac.edu at wplug.org
[mailto:wplug-bounces+bpoyner=ccac.edu at wplug.org] On Behalf Of Bill Moran
Sent: Friday, May 20, 2005 12:43 PM
To: General user list
Subject: Re: [wplug] Reverse DNS - PTR Record

"Ken Rambler" <ken at ramblernet.com> wrote:

> I'm not sure exactly how to ask this question, so I apologize in
> advance.
> 
> My question is related to the PTR record and reverse DNS of a public IP
> address.
> 
> We operate a mail server and our own DNS server. The public business IP
> (static) address is provided by our ISP, which is Comcast. The reverse
> DNS points back to their name, i.e.:
> 
> Asking NS1.COMCASTBUSINESS.NET. for xx.xxx.xx.xx.in-addr.arpa PTR
> record: Reports xx-xx-xxx-xx-pa.hfc.comcastbusiness.net
> Now the question: Shouldn't the reverse point back to our server name?
> Is this something we could override by adding an entry into our zone
> file?

Yes and no.

You could easily enter a PTR record in your DNS, however, that doesn't
mean the rest of the Internet will know to look for it there.

DNS is all about delegation, and the PTR information for your IP address
is delegated to Comcast, just like all the other PTR records on that
same subnet.

You have two choices:
1) Have Comcast enter the correct information in their DNS for your
   IP.
2) Have Comcast delegate that PTR record to your nameserver.

If you only have 1 IP, #1 will likely be easier.  But either way,
your ISP has the option of doing #1 or #2.

> The reason I question this is that our mail looks to be forged when the
> server domain name does not match the reverse DNS of our IP address.

Are you talking about this:

Received: from ns.ramblernet.com
	(70-89-224-37-Ken-Rambler-pa.hfc.comcastbusiness.net
	[70.89.224.37] (may be forged))

The fact that the HELO announcement doesn't match the PTR record is not
a valid test for forgery.  In fact, it won't match in most cases.  The
important thing is that ns.ramblernet.com _does_ resolve to 70.89.224.37,
and it does.

Unfortunately, however, Comcast gave you a PTR record that does not have
a valid A record, i.e.:

bash-2.05b$ host 70-89-224-37-Ken-Rambler-pa.hfc.comcastbusiness.net
Host 70-89-224-37-Ken-Rambler-pa.hfc.comcastbusiness.net not found: 3(NXDOMAIN)

Comcast has screwed up here.  There should not be PTR names that don't
have a corresponding A record.

I'm not familiar enough with sendmail to know exactly what it uses as a
criteria for adding the "may be forged" line, but I know that a lot of
servers will bounce your mail if your PTR record returns an unknown
hostname.  I'd jump on Comcast to get that fixed, at least.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
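The two checks Bill walks through above (does the PTR name have an A record that points back at the IP, and does the HELO name resolve to the connecting IP), as an added example that is not part of the original thread. The lookup tables are constructed stand-ins for real DNS answers, seeded with the addresses and names quoted in the thread, so the script runs offline; `fcrdns` and `helo_forward_confirmed` are names chosen here, not sendmail's own logic.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO forward checks, run
against constructed lookup tables so no network access is needed."""
import ipaddress

# Constructed PTR answers (assumption: stand in for the in-addr.arpa zone).
# Mirrors the thread: Comcast's PTR name for 70.89.224.37 ...
PTR_RECORDS = {
    "37.224.89.70.in-addr.arpa":
        "70-89-224-37-Ken-Rambler-pa.hfc.comcastbusiness.net",
}
# Constructed A answers. ... has no A record here (NXDOMAIN in the thread),
# while the HELO name ns.ramblernet.com does resolve to the IP.
A_RECORDS = {
    "ns.ramblernet.com": {"70.89.224.37"},
}


def fcrdns(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Classify a connecting IP the way a strict receiving MTA would.

    Returns one of: "ok", "no-ptr", "ptr-nxdomain", "ptr-mismatch".
    """
    # ipaddress builds the in-addr.arpa owner name (octets reversed).
    name = ptr.get(ipaddress.ip_address(ip).reverse_pointer)
    if name is None:
        return "no-ptr"            # no reverse entry at all
    addrs = a.get(name)
    if addrs is None:
        return "ptr-nxdomain"      # the Comcast case: PTR name has no A record
    if ip not in addrs:
        return "ptr-mismatch"      # PTR name resolves, but to a different IP
    return "ok"


def helo_forward_confirmed(helo, ip, a=A_RECORDS):
    """The check Bill says matters: does the HELO name resolve to the
    connecting IP?  A HELO/PTR name mismatch alone proves nothing."""
    return ip in a.get(helo, set())


if __name__ == "__main__":
    ip = "70.89.224.37"
    print("FCrDNS:", fcrdns(ip))                                   # ptr-nxdomain
    print("HELO ok:", helo_forward_confirmed("ns.ramblernet.com", ip))  # True
    # What Comcast should do under option #1: point the PTR at a real A name.
    fixed_ptr = {"37.224.89.70.in-addr.arpa": "ns.ramblernet.com"}
    print("after fix:", fcrdns(ip, ptr=fixed_ptr))                 # ok
```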