[Mimedefang] OT: DNS sanity check
Les Mikesell
les at futuresource.com
Thu Jul 5 13:17:25 EDT 2007
Kris Deugau wrote:
> Matching the initial name->IP lookup to the resulting reverse lookups
> isn't what's usually checked; it's matching the reverse lookup with the
> resulting name. AFAIK this is exactly what sendmail is complaining
> about with its "may be forged" warning.
So any virus-infested spam-sending home box will pass this test as long
as the ISP provides a DNS name and PTR record entirely unrelated to the
domain the box might claim to be in?
> Along the same lines, but with a single IP returned from the initial
> lookup (from DNS records from the ISP I work for):
>
> [kdeugau at turboprop ~]$ host virtual.webhart.net
> virtual.webhart.net has address 209.91.179.3
> [kdeugau at turboprop ~]$ host 209.91.179.3
> 3.179.91.209.in-addr.arpa domain name pointer zeus.webhart.net.
> [kdeugau at turboprop ~]$ host zeus.webhart.net
> zeus.webhart.net has address 209.91.179.3
> [kdeugau at turboprop ~]$
>
> This is entirely logical and consistent; while a host may have many,
> MANY names that resolve to (one of) its IP(s), the name returned from
> the *reverse* lookup SHOULD (in the RFC sense) match the forward lookup
> for that name. (I honestly can't imagine a scenario in which you would
> want to break this, myself.)
In what scenario is this information useful, if it isn't related to any
name claimed by the box itself? You are likely to be testing a NAT
gateway address, anyway.
--
Les Mikesell
lesmikesell at gmail.com
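The check the two posters are arguing about, written out as an added example (this is not code from the thread or from sendmail/MIMEDefang). It implements forward-confirmed reverse DNS the way Kris describes it: take the PTR name for the connecting IP, resolve that name forward, and require the original IP to be among the answers. It then shows Les's point with a second function: a host whose ISP-assigned PTR has nothing to do with the name it claims in HELO still passes FCrDNS. To keep it runnable offline, a small in-memory resolver stands in for real DNS; the webhart.net records are the ones quoted above, and every other name and address (example.net, example.org, the 192.0.2.0/24 addresses) is constructed for illustration. The function names `fcrdns` and `helo_matches_ptr` are my own.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against an in-memory
resolver, so it runs offline.  Added example, not code from the thread.
"""
import ipaddress

# Records from the thread (webhart.net) plus constructed entries using
# RFC 5737 documentation addresses (192.0.2.0/24) and example.* names.
FORWARD = {                       # name -> set of A records
    "virtual.webhart.net": {"209.91.179.3"},
    "zeus.webhart.net":    {"209.91.179.3"},
    "dsl-20.example.net":  {"192.0.2.20"},   # constructed: generic ISP name
    "mail.example.org":    {"192.0.2.60"},   # constructed
}
REVERSE = {                       # ip -> list of PTR names
    "209.91.179.3": ["zeus.webhart.net"],
    "192.0.2.20":   ["dsl-20.example.net"],
    # constructed: PTR names a host whose A record is a different address
    "192.0.2.50":   ["mail.example.org"],
    # 192.0.2.40 deliberately has no PTR at all
}


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address, e.g.
    3.179.91.209.in-addr.arpa (what `host` prints in the thread)."""
    return ipaddress.ip_address(ip).reverse_pointer


def _canon(name):
    return name.lower().rstrip(".")


def lookup_a(name):
    """Stand-in for a forward (A) query."""
    return FORWARD.get(_canon(name), set())


def lookup_ptr(ip):
    """Stand-in for a reverse (PTR) query."""
    return REVERSE.get(ip, [])


def fcrdns(ip):
    """Return (status, confirmed_names).

    status is 'ok' if at least one PTR name resolves back to ip,
    'forged' if PTR names exist but none of them do, and 'none' if the
    address has no PTR record.  Note what is compared: the PTR name's
    forward lookup against the connecting IP.  Nothing the client claims
    in HELO or its envelope sender is consulted.
    """
    ptrs = lookup_ptr(ip)
    if not ptrs:
        return "none", []
    confirmed = [_canon(n) for n in ptrs if ip in lookup_a(n)]
    return ("ok" if confirmed else "forged"), confirmed


def helo_matches_ptr(ip, helo_name):
    """The stricter question Les raises: does the name the client claims
    match a confirmed reverse name?  FCrDNS alone never checks this, so a
    box with an unrelated ISP PTR passes fcrdns() and fails here."""
    status, confirmed = fcrdns(ip)
    return status == "ok" and _canon(helo_name) in confirmed


if __name__ == "__main__":
    cases = [("209.91.179.3", "virtual.webhart.net"),  # consistent, PTR != HELO
             ("209.91.179.3", "zeus.webhart.net"),     # consistent, PTR == HELO
             ("192.0.2.20", "mail.example.com"),       # home box, unrelated HELO
             ("192.0.2.50", "mail.example.org"),       # PTR does not confirm
             ("192.0.2.40", "anything.example.com")]   # no PTR
    for ip, helo in cases:
        status, names = fcrdns(ip)
        print(f"{ip} ({reverse_name(ip)}): fcrdns={status} confirmed={names} "
              f"helo={helo} helo_matches_ptr={helo_matches_ptr(ip, helo)}")
```

In the run, 209.91.179.3 passes `fcrdns` whether the client says HELO virtual.webhart.net or zeus.webhart.net, which is Kris's point that many names may map to one address while only the PTR name needs to map back. The constructed 192.0.2.20 entry is Les's home box: it passes `fcrdns` on the strength of an ISP name, and only `helo_matches_ptr` notices that the claimed name is unrelated. Against live DNS you would replace `lookup_a` and `lookup_ptr` with real queries and treat a lookup timeout as a fourth status rather than as 'none'.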