"A space for AD, Exchange and other technical stuff"
-- Where Information Technology Lives! --
OK, it's summertime and the bike is just crying to be ridden. As you may know, summertime in the northeast can be a little short, so you ride 'em when you can. But between the day job, the night job, and the "is THAT really my job" job, the days are just too short.
And what's with the streaks that happen in life? I hadn't encountered any real serious DNS issues in all the time I've been doing this technical "fun stuff". Now, suddenly, I'm spending more time at www.dnsstuff.com than on my Honda. And it's not just me; take a look at the Microsoft message boards. It's DNS this, reverse DNS that. I'm having nightmares about giant PTR records falling and flattening the Shadow.
Didn't you hear me... it's summertime.
So what's this reverse DNS that's giving me so much heartache? And why now? Did I mention it's summertime! So in light of my recent events, I've thrown together a little reverse DNS primer for those of you who haven't been as lucky as I have. Hopefully you can read this and understand the reverse DNS lookup. I'm going to assume that if you're reading this, it's because you're having some DNS woes. I really am sorry, and I'll do my best to help.
Reverse DNS is a sort of email security technique. No, it doesn't prevent all that spam, and it doesn't make hackers run for the hills, but it does show, with some degree of reliability, that the email you're sending really comes from the server it claims to come from. WHAT?? Not too clear?? Well, I'll simplify it.
According to http://www.dnsstuff.com/info/revdns.htm, reverse DNS turns an IP address into a hostname; for example, it might turn 192.0.2.25 into host.example.com. Reverse DNS (rDNS) is, in theory, a method of resolving an IP address into a domain name. As the name implies, it is the reverse of what the domain name system (DNS) normally does, which is resolve domain names into IP addresses.
The reason many email providers are using rDNS is spam: one use of reverse DNS is as a spam filter. That's because a typical spammer will send from an IP address with no valid reverse entry, one that doesn't match their (or any) domain name. A reverse DNS lookup program takes the IP address of each incoming message and looks it up in DNS. If no valid name is found to match the IP address, the server blocks that message.
There are a couple of reasons why rDNS is not a final "SPAM" solution. First, it can sometimes block valid e-mail: a number of problems, including network delays and improperly configured networks or servers, can prevent legitimate messages from getting through the filter. Also, it doesn't block spammers sending from a real IP address, or relaying through a forwarder with a real IP address.
The mechanics are pretty simple. Take a normal A record and a normal MX record. Together, these records allow you to receive email. The A record points to your mail server, usually something like
mail.mycompany.com 192.x.x.x
Then take your normal MX record, usually something like
mycompany.com mail.mycompany.com
You should be able to pick out of this that the MX record points the domain to the server name and the A record points the server name to the IP address. This tells other mail servers: send the mail for mycompany.com to 192.x.x.x. rDNS then points the IP address back to the server name.
So the reverse DNS lookup application checks to see if this IP address is real. It checks to make sure a registered server is the one sending the mail, and not a spammer using a fake IP address. How this works depends on the reverse lookup; applications perform a reverse lookup in different ways.
One way is to simply perform a lookup to see if there is a PTR record (a host record in the reverse zone) for the IP address the mail is coming from. With some lookups you can have several email servers serving mail, and as long as the A record for the domain is real, you're OK. Others, however, need to see that the mail is coming from the same IP that the A record points to.
The problem here is that if you have 100 mail servers serving up mail, you'll need 100 PTR records and 100 A records that match. When I say match: if mail1 sends mail and a reverse lookup is done, the A record for mail1.mycompany.com had better match the PTR record for the IP of that server. Seems pretty simple, but as IP addresses and server names change, you had better change all the associated records. Start adding round-robin DNS, multiple domain names, CNAME records and multiple hosting, and you can see how this can get just a little complicated.
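The two kinds of check described above (does a PTR exist at all, versus does the PTR's name resolve back to the sending IP), as an added example that is not part of the original post. It runs against a constructed in-memory zone table rather than real DNS; the hostnames and 192.0.2.x addresses are hypothetical sample data.

```python
"""Reverse DNS checks over a constructed, in-memory zone table (no network access).

The PTR and A tables below are constructed sample data, not real records.
The third address shows the failure mode from the post: an A record was
changed but the matching PTR record was not.
"""

# Constructed sample data: what a resolver would answer for each query.
PTR_RECORDS = {
    "25.2.0.192.in-addr.arpa": "mail1.mycompany.example",
    "26.2.0.192.in-addr.arpa": "mail2.mycompany.example",
    "27.2.0.192.in-addr.arpa": "oldmail.mycompany.example",  # stale: no A record
}
A_RECORDS = {
    "mail1.mycompany.example": ["192.0.2.25"],
    "mail2.mycompany.example": ["192.0.2.99"],  # A changed, PTR not updated
}


def reverse_name(ip):
    """Build the name a resolver queries for a PTR record: the IPv4 octets
    in reverse order with 'in-addr.arpa' appended (192.0.2.25 -> 25.2.0.192.in-addr.arpa)."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def lookup_ptr(ip):
    """Return the hostname the PTR record points to, or None if there is no PTR."""
    return PTR_RECORDS.get(reverse_name(ip))


def check_ptr_exists(ip):
    """The loose check: accept the sender if the IP has any PTR record at all."""
    return lookup_ptr(ip) is not None


def check_forward_confirmed(ip):
    """The strict check: the name from the PTR record must have an A record
    that points back to the very same IP that sent the mail."""
    name = lookup_ptr(ip)
    if name is None:
        return False, "no PTR record"
    addrs = A_RECORDS.get(name, [])
    if ip in addrs:
        return True, f"PTR {name} resolves back to {ip}"
    return False, f"PTR {name} does not resolve back to {ip} (A records: {addrs or 'none'})"
```

Note that 192.0.2.26 passes the loose check but fails the strict one, which is exactly the mismatch a mail administrator hits when an address changes and only one side of the pair is updated.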
So if you just need to send email, but you can’t because you need to pass the reverse DNS lookup test, here is what you need to do.
Usually your ISP holds the authority for the PTR record in the reverse lookup zone, unless you own a whole class block of addresses. The ISP may need to either create the PTR record for you or, if you run the authoritative DNS server for the reverse lookup zone, point (delegate) that zone to your DNS server.
Other References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;164213
http://www.saas.nsw.edu.au/solutions/dns.html
http://www.mailmsg.com/smtp.htm
http://blogs.technet.com/exchange/archive/2005/07/18/407838.aspx
http://www.computerperformance.co.uk/exchange2003/exchange2003_SMTP_TS.htm
http://www.msexchange.org/tutorials/SMTPDIAGdiagnose-Exchange-2003-SMTP-DNS.html