Re: "Non-existent host/domain"?

From: lshastings@mac.com
Date: Friday, October 4, 2002
Time: 7:01:47 am

Len, thanks so much for your advice. I need more! "Feed me!"

Your rule ["The PTR hostname and that hostname's A record must match."]
is a good one, but I think I'm having trouble following it.

When I perform your test from within my network, I get this:

[Theressa-Lyonss-Computer:~] admin% dig -x 216.253.208.2

; <<>> DiG 8.3 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;; 2.208.253.216.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
2.208.253.216.in-addr.arpa. 1D IN PTR mail.hastings.com.


So I then look up the name (mail.hastings.com) returned in the answer
section:


[Theressa-Lyonss-Computer:~] admin% dig mail.hastings.com

; <<>> DiG 8.3 <<>> mail.hastings.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;; mail.hastings.com, type = A, class = IN

;; ANSWER SECTION:
mail.hastings.com. 0S IN A 192.168.0.2

So (somehow) the internal address for the server is returned. The name
and the PTR don't match, and so the "rule" is broken.

What's worse is when I run the same test outside the network! Here's
what happens:

[B-W-G3:~] lsh% dig mail.hastings.com

; <<>> DiG 8.3 <<>> mail.hastings.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;; mail.hastings.com, type = A, class = IN

;; ANSWER SECTION:
mail.hastings.com. 5h20m26s IN CNAME dns.hastings.com.
dns.hastings.com. 5h20m27s IN A 216.253.208.2

;; AUTHORITY SECTION:
hastings.com. 23h36m9s IN NS ns1.espire.net.
hastings.com. 23h36m9s IN NS ns2.espire.net.
hastings.com. 23h36m9s IN NS ns3.espire.net.
hastings.com. 23h36m9s IN NS dns.hastings.com.

;; ADDITIONAL SECTION:
ns1.espire.net. 1d16h58m19s IN A 206.222.97.82

;; Total query time: 28 msec
;; FROM: B-W-G3.local. to SERVER: default -- 24.93.35.32
;; WHEN: Fri Oct 4 08:23:49 2002
;; MSG SIZE sent: 35 rcvd: 163

[B-W-G3:~] lsh% dig mail.hastings.com@dns.hastings.com

; <<>> DiG 8.3 <<>> mail.hastings.com@dns.hastings.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; mail.hastings.com\@dns.hastings.com, type = A, class = IN

;; AUTHORITY SECTION:
hastings.com. 3H IN SOA dns.hastings.com.
scott.hastings.com. (
2002100403 ; serial
1H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum


;; Total query time: 80 msec
;; FROM: B-W-G3.local. to SERVER: default -- 24.93.35.32
;; WHEN: Fri Oct 4 08:24:49 2002
;; MSG SIZE sent: 52 rcvd: 98

So I get no answer to a query for the IP of mail.hastings.com.

What do I do?


On Friday, Oct 4, 2002, at 06:46 US/Pacific, Len Conrad wrote:

> Here is a general DNS rule for all machines sending mail to Internet:
>
> The PTR hostname and that hostname's A record must match. Example of
> how to do it:
>
> # dig -x 217.151.160.9
>
> ; <<>> DiG 9.2.1rc2 <<>> -x 217.151.160.9
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30572
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;9.160.151.217.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 9.160.151.217.in-addr.arpa. 86352 IN PTR smtp.mmedia.is.
>
> the query for the A record:
>
> # dig smtp.mmedia.is.
>
> ; <<>> DiG 9.2.1rc2 <<>> smtp.mmedia.is.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7519
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;smtp.mmedia.is. IN A
>
> ;; ANSWER SECTION:
> smtp.mmedia.is. 86400 IN A 217.151.160.9
>
>
> There is a list of 4000+ domains of frequently forged
>
> MAIL FROM:<user@sender.domain>
>
> where the forged domain has matching PTR + A records, so the
> receiving mail server, when a remote ip alleges to be sending MAIL
> FROM: one of these domains, can do the A + PTR queries, and if no
> match, then reject the mail.
>
> That filter stops tons of forgeries @yahoo.com, @hotmail.com,
> @aol.com, AND can also stop forgeries of your domain if you add your
> name to the list.
>
> Another example of how DNS can facilitate your own mail being
> delivered and help validate others' mail being delivered to your
> server.
>
> Another example of how not setting up your forward and reverse zones
> scrupulously will sooner or later bite you.
>
> Len
>
>
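Added example, not part of this thread or of any tool mentioned in it: the PTR/A consistency check Len describes, written in Python against constructed in-memory records that mirror the dig output above (an "external" view with the CNAME chain, and an "internal" view that answers with the private address), so it runs offline. The view dicts and the function names are my own; a real deployment would replace the dict lookups with actual DNS queries.

```python
# Forward-confirmed reverse DNS check (example code, not from the thread).
# Records below are constructed from the dig outputs quoted in the message.
import ipaddress

# Each view maps (owner name, record type) -> list of rdata strings.
EXTERNAL_VIEW = {
    ("2.208.253.216.in-addr.arpa.", "PTR"): ["mail.hastings.com."],
    ("mail.hastings.com.", "CNAME"): ["dns.hastings.com."],
    ("dns.hastings.com.", "A"): ["216.253.208.2"],
    ("9.160.151.217.in-addr.arpa.", "PTR"): ["smtp.mmedia.is."],
    ("smtp.mmedia.is.", "A"): ["217.151.160.9"],
}
# Inside the network the same name answers with the private address.
INTERNAL_VIEW = dict(EXTERNAL_VIEW)
INTERNAL_VIEW.pop(("mail.hastings.com.", "CNAME"))
INTERNAL_VIEW[("mail.hastings.com.", "A")] = ["192.168.0.2"]


def reverse_name(ip):
    """216.253.208.2 -> 2.208.253.216.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(view, name, rtype, depth=0):
    """Return rdata for (name, rtype), following CNAMEs as a resolver would."""
    if depth > 8:  # guard against CNAME loops
        return []
    if (name, rtype) in view:
        return view[(name, rtype)]
    for target in view.get((name, "CNAME"), []):
        return lookup(view, target, rtype, depth + 1)
    return []


def fcrdns(view, ip):
    """Apply the rule: the PTR hostname's A record must contain the IP.

    Returns (ok, ptr_hostname_or_None, addresses_found_for_that_hostname).
    """
    ptrs = lookup(view, reverse_name(ip), "PTR")
    if not ptrs:
        return False, None, []
    host = ptrs[0]
    addrs = lookup(view, host, "A")
    return ip in addrs, host, addrs


if __name__ == "__main__":
    for label, view in (("external", EXTERNAL_VIEW), ("internal", INTERNAL_VIEW)):
        print(label, fcrdns(view, "216.253.208.2"))
```

Run from outside the network the check passes via the CNAME to dns.hastings.com; run against the internal view it fails, which is exactly the mismatch the message reports.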