[Mimedefang] OT: DNS sanity check

Kris Deugau kdeugau at vianet.ca
Thu Jul 5 10:38:19 EDT 2007


Les Mikesell wrote:
> You mean things like this:
> 
> nslookup mailin-03.mx.aol.com
> 
>   Name:   mailin-03.mx.aol.com
>   Address: 64.12.138.153
>   Name:   mailin-03.mx.aol.com
>   Address: 205.188.157.217
>   Name:   mailin-03.mx.aol.com
>   Address: 64.12.138.120
> 
> nslookup 64.12.138.153
>  153.138.12.64.in-addr.arpa      name = mg.mx.aol.com.
> nslookup 205.188.157.217
>  217.157.188.205.in-addr.arpa    name = yc.mx.aol.com.
> nslookup 64.12.138.120
>  120.138.12.64.in-addr.arpa      name = mf.mx.aol.com.
> 
> Does that fit the much-touted best practices model?

Actually, you forgot the last step:

[kdeugau at turboprop ~]$ host mg.mx.aol.com
mg.mx.aol.com has address 64.12.138.153
[kdeugau at turboprop ~]$ host yc.mx.aol.com
yc.mx.aol.com has address 205.188.157.217
[kdeugau at turboprop ~]$ host mf.mx.aol.com
mf.mx.aol.com has address 64.12.138.120
[kdeugau at turboprop ~]$

Matching the initial name->IP lookup to the resulting reverse lookups 
isn't what's usually checked; it's matching the reverse lookup with the 
resulting name.  AFAIK this is exactly what sendmail is complaining 
about with its "may be forged" warning.

Along the same lines, but with a single IP returned from the initial 
lookup (from DNS records from the ISP I work for):

[kdeugau at turboprop ~]$ host virtual.webhart.net
virtual.webhart.net has address 209.91.179.3
[kdeugau at turboprop ~]$ host 209.91.179.3
3.179.91.209.in-addr.arpa domain name pointer zeus.webhart.net.
[kdeugau at turboprop ~]$ host zeus.webhart.net
zeus.webhart.net has address 209.91.179.3
[kdeugau at turboprop ~]$

This is entirely logical and consistent; while a host may have many, 
MANY names that resolve to (one of) its IP(s), the name returned from 
the *reverse* lookup SHOULD (in the RFC sense) match the forward lookup 
for that name.  (I honestly can't imagine a scenario in which you would 
want to break this, myself.)

You can, in theory, return multiple PTR records, but most references 
I've seen consider that useless *at best*, because so many systems 
ignore all but one entry (usually the first one returned).

-kgd
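The check Kris describes (reverse lookup on the IP, then forward lookup on the returned name, and confirm the IP comes back) is usually called forward-confirmed reverse DNS. The following is an added example written for this page, not code from the list, from sendmail or from MIMEDefang. It replaces real DNS with two static tables so it runs offline: the aol.com and webhart.net entries are copied from the lookups shown above, while the `bad.example` and `multi.example` entries are constructed to show the two failure modes the thread mentions (a PTR name whose forward record points elsewhere, and multiple PTR records where a receiver that only looks at the first one reaches a different verdict than one that checks all of them).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with an offline resolver.

Added example; the lookup tables stand in for real DNS.  The aol.com and
webhart.net records reproduce the host/nslookup output quoted in the
thread.  Everything under .example is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed forward (A-record) table: name -> list of addresses.
FORWARD: Dict[str, List[str]] = {
    "mailin-03.mx.aol.com": ["64.12.138.153", "205.188.157.217", "64.12.138.120"],
    "mg.mx.aol.com": ["64.12.138.153"],
    "yc.mx.aol.com": ["205.188.157.217"],
    "mf.mx.aol.com": ["64.12.138.120"],
    "virtual.webhart.net": ["209.91.179.3"],
    "zeus.webhart.net": ["209.91.179.3"],
    # constructed: the PTR name below resolves to a *different* address
    "mail.bad.example": ["192.0.2.99"],
    # constructed: two PTR names for one IP, only the second confirms
    "a.multi.example": ["198.51.100.6"],
    "b.multi.example": ["198.51.100.5"],
}

# Constructed reverse (PTR) table: address -> list of names.
REVERSE: Dict[str, List[str]] = {
    "64.12.138.153": ["mg.mx.aol.com"],
    "205.188.157.217": ["yc.mx.aol.com"],
    "64.12.138.120": ["mf.mx.aol.com"],
    "209.91.179.3": ["zeus.webhart.net"],
    "192.0.2.10": ["mail.bad.example"],                      # constructed mismatch
    "198.51.100.5": ["a.multi.example", "b.multi.example"],  # constructed multi-PTR
    # 192.0.2.20 deliberately has no PTR record at all (constructed)
}


def reverse_name(ip: str) -> str:
    """The in-addr.arpa (or ip6.arpa) owner name a resolver queries for a PTR."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_a(name: str) -> List[str]:
    """Forward lookup against the static table (trailing dot and case ignored)."""
    return FORWARD.get(name.rstrip(".").lower(), [])


def lookup_ptr(ip: str) -> List[str]:
    """Reverse lookup against the static table."""
    return REVERSE.get(ip, [])


def fcrdns(ip: str, first_ptr_only: bool = False) -> Tuple[str, List[str]]:
    """Classify an address the way a receiving MTA would.

    Returns (verdict, confirmed_names):
      'no-ptr'  - the reverse lookup returned nothing;
      'forged'  - PTR name(s) exist but none resolves back to ip
                  (the situation behind sendmail's "may be forged");
      'ok'      - at least one PTR name resolves back to ip.
    first_ptr_only mimics software that ignores all but the first PTR.
    """
    ptr_names = lookup_ptr(ip)
    if not ptr_names:
        return "no-ptr", []
    if first_ptr_only:
        ptr_names = ptr_names[:1]
    confirmed = [n for n in ptr_names if ip in lookup_a(n)]
    return ("ok" if confirmed else "forged"), confirmed


def check_mx_host(name: str) -> Dict[str, str]:
    """Run the check over every address of a multi-homed name such as
    mailin-03.mx.aol.com; each address is judged on its own PTR."""
    return {ip: fcrdns(ip)[0] for ip in lookup_a(name)}


if __name__ == "__main__":
    for ip in ["64.12.138.153", "209.91.179.3", "192.0.2.10", "192.0.2.20"]:
        verdict, names = fcrdns(ip)
        print(f"{reverse_name(ip)} -> {names or '(none)'}: {verdict}")
    print("multi-PTR, all checked :", fcrdns("198.51.100.5"))
    print("multi-PTR, first only  :", fcrdns("198.51.100.5", first_ptr_only=True))
```

Swapping the two table-backed `lookup_*` functions for real resolver calls gives a usable check; the point of the `first_ptr_only` switch is the caveat in the last paragraph above: with several PTR records, whether a sender passes can depend on the order the nameserver happens to return them in.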


