
Reverse DNS checking: Is it safe to use?

Written by Yves Lacombe on . Posted in Best Practices

Every time I do a setup with a customer, the question always comes up: Should we use Reverse DNS checking or not when configuring connection-level blocking security measures?

What is reverse DNS lookup?

Here’s a snippet taken from Wikipedia’s description:

“Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain in-addr.arpa. In this domain an IPv4 address is represented as a sequence of bytes in reverse order, encoded as decimal numbers and separated by dots (full stop) with the second level domain suffix .in-addr.arpa.

For example, an address (A) record for mail.example.com points to the IP address 192.0.2.5. In pointer records of the reverse database, this IP address is stored as the domain name 5.2.0.192.in-addr.arpa pointing back to its designated host name mail.example.com.”

So, when a DNS resolver looks up your IP address in reverse, it queries the address in reverse notation with the suffix .in-addr.arpa to find the associated host name.

What an MTA usually does then is to see if they match in both directions:

mail.example.com -> 192.0.2.5
should also match the other way around:
192.0.2.5 -> mail.example.com

This is called “Forward-Confirmed Reverse DNS” (FCrDNS).

So, should we use it?

In 1996, RFC 1912 stipulated that every host should have a reverse PTR record. Section 2.1 of this RFC states: “Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain.”

In other words, all your public-facing machines should have a reverse PTR record, including your MTA.

This being said, not every admin followed suit when the RFC came out, nor for several years after its publication.  Furthermore, in the early years of using anti-spam tools, using reverse DNS lookups was usually a bad idea due to the number of MTAs that didn’t have a PTR record.

These days, however, it has become much safer to use the reverse lookup as an anti-spam measure, because if you DO NOT have a PTR record of your own, you will inevitably run into delivery problems – even with very large ISPs and mail hosting companies – since they DO check reverse DNS.

So, if the large mail providers are using it, there shouldn’t be any reason why you can’t.

As a precaution though, if you’re worried about what might get rejected at the connection level, most anti-spam gateways can quarantine messages whose source is missing a proper reverse DNS entry.
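The check described above (build the in-addr.arpa name, fetch the PTR, confirm the forward record points back) together with the quarantine-instead-of-reject precaution, as an added example that is not part of the original post. It runs against constructed zone data rather than live DNS; the zone entries, the `fcrdns`/`policy_for` function names and the IPv6 ip6.arpa branch are assumptions added here, not anything the post specifies.

```python
import ipaddress
from typing import Callable, Iterable

Lookup = Callable[[str], Iterable[str]]  # DNS name -> record data (PTR names or A/AAAA addresses)

def reverse_name(ip: str) -> str:
    """Name queried for the PTR record: bytes reversed under in-addr.arpa (IPv4),
    hex nibbles reversed under ip6.arpa (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa"

def fcrdns(ip: str, ptr_lookup: Lookup, addr_lookup: Lookup) -> tuple:
    """Forward-confirmed reverse DNS.
    ("ok", host)        - some PTR name has an A/AAAA record containing ip
    ("no_ptr", None)    - the address has no PTR record at all
    ("mismatch", name)  - a PTR exists but its forward record points elsewhere"""
    canonical = str(ipaddress.ip_address(ip))
    names = list(ptr_lookup(reverse_name(ip)))
    if not names:
        return ("no_ptr", None)
    for name in names:
        if canonical in {str(ipaddress.ip_address(a)) for a in addr_lookup(name)}:
            return ("ok", name)
    return ("mismatch", names[0])

def policy_for(status: str) -> str:
    """Connection-level decision in the cautious mode the post suggests: only a
    forward-confirmed sender is accepted outright; anything else is quarantined
    rather than rejected, so a misconfigured but legitimate MTA is not lost."""
    return "accept" if status == "ok" else "quarantine"

# Constructed zone data standing in for a live resolver (not real DNS answers).
CONSTRUCTED_DNS = {
    "5.2.0.192.in-addr.arpa": ["mail.example.com"],
    "mail.example.com": ["192.0.2.5"],            # forward-confirmed
    "6.2.0.192.in-addr.arpa": ["mx.example.net"],
    "mx.example.net": ["203.0.113.9"],            # PTR present, A record points elsewhere
    # 192.0.2.7 deliberately has no PTR record
}

def constructed_lookup(name: str) -> list:
    return CONSTRUCTED_DNS.get(name, [])

def check(ip: str) -> tuple:
    """Run the check against the constructed zone; returns (status, host, policy)."""
    status, host = fcrdns(ip, constructed_lookup, constructed_lookup)
    return (status, host, policy_for(status))

if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.6", "192.0.2.7"):
        print(ip, check(ip))
```

To run it against real DNS, pass resolver functions that return PTR names for a reverse name and addresses for a host name in place of `constructed_lookup`.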


Yves Lacombe

Yves Lacombe has been working on Internet infrastructure products for over 15 years. He is an Internet security expert and one of his company's gurus. He has forgotten more things about email security than most people will ever know. He runs numerous heavily secured email servers and is constantly getting in trouble while trying to hack into his company's products. Yves has two mottos that he lives by: “The buck stops here” and “Let's just get the job done”.

Comments (1)

  • u.to

    This is the right site for anybody who wishes to understand this topic.

    You understand so much it's almost tough to argue with you (not that I actually will need to…HaHa). You certainly put a new spin on a subject which has been discussed for a long time.

    Excellent stuff, just wonderful!
