domain blocking for DNS

Gerald Combs gerald at ethereal.com
Thu May 8 22:02:32 CDT 2003 

On Thu, 8 May 2003 admin at kclinux.net wrote:

> After almost a week, I'm still waiting for the ISP's my clients use to give
> me documentation or a link to the security vulnerabilities that reverse DNS
> causes.  
> 
> Does anyone here know of any?

Provided the reverse DNS entry matches a legitimate forward entry, there
aren't any.  In fact, quite the opposite is true.  Matching forward and
reverse DNS is one of the "minor" details that's part of due diligence.

Part of the problem is that it's easy to delegate reverse DNS for networks
whose mask is a multiple of 8 (e.g. an entire /24), but it has
traditionally been a major pain to delegate anything else (e.g. a /27 or a
/22).  This has changed with the introduction of BIND 8 and 9 (which
support RFC 2317-style delegation), but it's still a pain with other
software (e.g. Windows NT and 2000's DNS).

My guess is that the person or persons administering reverse DNS were
either lazy, uninformed, or had software that made the job difficult.
"Security" was their BOFH excuse-of-the-day.

> -----Original Message-----
> From: owner-kclug at marauder.illiana.net
> [mailto:owner-kclug at marauder.illiana.net] On Behalf Of Hanasaki JiJi
> Sent: Thursday, May 08, 2003 11:28 AM
> To: List - KCLUG
> Subject: domain blocking for DNS
> 
> Adding a parallel thread to "domain blocking due to spam".
> 
> Some of you might have noticed a msg sent to me via the list becuase the 
> sender was being bounced when sent directly.  I recently added a 
> configuration to my mailserver to reject connections from sources that 
> do not have forward/reverse DNS setup.
> 
> This resulted in alot of rejections from ligitimate companies and 
> induviduals!  It was put into place becuase some spam seems to come from 
> telnet sessions on an IP that has no DNS / ReverseDNS entry.
> 
> Do you folks think it is reasonable to expect admins to have both DNS 
> and ReverseDNS propperly configured?  at least for their outgoing 
> mailserver?
> 
> Thanks
> 
> 
> 
> 
> 
> 
>

More information about the Kclug mailing list