Reverse DNS

First, realize that security by obscurity never works. Second, you need reverse DNS for things like email gateways. A lot of people will block you if you do not have a reverse DNS enabled. Not using reverse DNS can also break some protocols...

In short, your security policy should not be based on obscurity. In my opinion not using reverse DNS is a mistake.

Michael

Reply to
Michael Pelletier

Why might I benefit from having a reverse lookup record?

I know one school of thought is to not use a reverse entry to protect privacy.

Another is to have one, but why?

Thanks,

-Frank

Reply to
Frankster

I do the same thing as you do (but with linux). I have my domain as an alias to the real domain. For example:

My real (ISP controlled) domain is, say, hostx.isp.com. My domain is mydomain.com. In my DNS, I alias mydomain.com to hostx.isp.com. They of course have reverse DNS set up. I have not had a problem with email. Ever. Or anything else.

Michael

Reply to
Michael Pelletier

Yes, your example is sorta what I was worried about. However, also, I am running host headers on my IIS server. I can configure whatever public reverse DNS I like. Which one should I use? It occurs to me that since I have multiple domains pointing to the same static public IP of my server that I might as well flip a coin to decide what to configure. Considering that, what good is it?

I'm probably a little confused about this :) If you can help explain this to me I'd appreciate it.

I mean, do programs/services that check for reverse records simply check to see if there is such a domain? Not that it really matches that address? What if my mail server (multiple domains again) sends an email from snipped-for-privacy@domain1.com and the reverse lookup translates into domain2.com (still pointing to the same IP)? Is that a problem?

Thanks,

-Frank

Reply to
Frankster

Interesting. I've been running this setup for a few years. All the time I had a reverse configured. About two weeks ago I took it out (my ISP lets me do my own reverse DNS via a web interface - I also handle my own primary forward DNS online via a web interface from my registrar). Since I took out my reverse DNS I have not had any email problems either. I have sent test messages to a bunch of other mail servers without difficulty. However, I suppose I'll never know when one might cause me a problem. Or would I? Would I get a bounce and a rejection notice?

-Frank

Reply to
Frankster

Whether you have a reverse dns entry or not, others can find out who owns the block of IP addresses that you come from... that might be more than enough info to identify your ISP and to issue a court order if need be.

That said, there are many processes that may not accept an I-live-at-303-main-st-Minneapolis-apt-1202.......

etc

Reply to
Kerry Liles

I for one block email (at work) from email servers that do not have reverse DNS. It is quite common. Not everyone does, but many do. I guess the question I have for you is what do you think you will get out of not having it? You really are not increasing your security. A simple traceroute will reveal who your ISP is, or a simple lookup on the IP block...

Michael

Reply to
Michael Pelletier

Whatever host name you use for the reverse DNS must forward resolve back to the same IP address, otherwise you'll have as many email problems as without rDNS, maybe more.

There shouldn't be a problem with the sender's domain not matching the rDNS domain. Nor should there be a problem with HELO/EHLO host name not matching the rDNS (but the HELO/EHLO host name must resolve back to the same IP address).

Reply to
Ken
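To make Ken's rule concrete, here is an added example (not code from the thread or from any mail product) of a forward-confirmed reverse DNS check the way a receiving mail server applies it. The zone data is constructed: one shared IP behind four domains as in Frank's setup, an ISP host name, a stale PTR, and an IP with no PTR at all; the host names and addresses are assumptions, not real records.

```python
# Constructed sample zone data (not real DNS). In production you would
# replace the two lookup helpers with socket.gethostbyaddr(ip)[0] (raises
# socket.herror when there is no PTR) and socket.gethostbyname_ex(name)[2].
PTR_RECORDS = {
    "203.0.113.10": "mail.domain2.com",      # rDNS names one of the four domains
    "203.0.113.11": "hostx.isp.com",         # ISP-assigned host name
    "203.0.113.12": "old-name.example.net",  # PTR whose forward record has moved
    # 203.0.113.13 deliberately has no PTR record
}
A_RECORDS = {
    "mail.domain1.com": ["203.0.113.10"],
    "mail.domain2.com": ["203.0.113.10"],    # several names share one IP
    "hostx.isp.com": ["203.0.113.11"],
    "old-name.example.net": ["198.51.100.7"],
}

def lookup_ptr(ip):
    return PTR_RECORDS.get(ip)

def lookup_a(name):
    return A_RECORDS.get(name, [])

def fcrdns_status(ip, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Forward-confirmed rDNS: the PTR name must resolve back to ip."""
    name = ptr_lookup(ip)
    if name is None:
        return "no_rdns"
    return "confirmed" if ip in a_lookup(name) else "mismatch"

def helo_consistent(helo_name, ip, a_lookup=lookup_a):
    """HELO/EHLO need not equal the PTR name, but must resolve to ip."""
    return ip in a_lookup(helo_name)

def accept_connection(ip, helo_name, sender_domain, require_rdns=True):
    """Receiving-side policy as described in the thread: a PTR that does not
    forward-confirm is rejected, a missing PTR is rejected only when the
    site enables that rule, the HELO name must resolve to the connecting IP,
    and the envelope sender's domain is never compared against rDNS."""
    status = fcrdns_status(ip)
    if status == "mismatch":
        return False, "rDNS name does not resolve back to connecting IP"
    if status == "no_rdns" and require_rdns:
        return False, "no reverse DNS for connecting IP"
    if not helo_consistent(helo_name, ip):
        return False, f"HELO {helo_name} does not resolve to {ip}"
    return True, f"accepted (rDNS={status}; sender domain {sender_domain} not checked)"
```

Note that mail from domain1.com sent via the IP whose PTR says domain2.com passes, which is exactly Frank's multi-domain case; only the stale PTR and the missing PTR (when the rule is enabled) are refused.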

Hi Michael. Thanks for your comments. This concerns what I think I will get out of not having RDNS.

I should have crossposted this query I guess. I wound up asking in a few different forums. Anyway, I will paste below one of my replies to another group. I would welcome your comments on my logic.

Thanks,

-Frank

---------start----------

I think you hit the proverbial nail on the head. SPAM filtering techniques have greatly improved in the last few years. As you say, RDNS used to be one of the only possible criteria but now is but a small fraction of the total SPAM identification techniques, which now use almost exclusively mathematically weighted algorithms.

I've read that the practice of refusing mail based on not having RDNS has almost disappeared. My own mail server has that capability also, but I don't enable that feature, as I suspect not many others do either. My own mail server has a mathematically weighted and configurable SPAM system too. Works well.

Anyway, I removed my reverse DNS listing about two weeks ago and have had no problem with email. I run a server with 4 domains pointing to the same IP. All have web presence and mail. I think I'll leave it that way until I have problems.

Funny, it's not really mail that causes me to want to remove it. It is web surfing. I run a Firewall with NAT so that all surfing from any of my internal machines appears to be coming from that firewall. I'd prefer not to have surfing activities identified by RDNS. I am convinced that a lot of SPAM I do receive comes from unscrupulous folks garnering my RDNS info.

Example: I can look in my mail logs and see repeated attempts to send mail to non-existent user IDs (i.e. snipped-for-privacy@domainname.com, snipped-for-privacy@domainname.com, snipped-for-privacy@domainname.com, snipped-for-privacy@domainname.com, snipped-for-privacy@domainname.com, snipped-for-privacy@domainname.com, snipped-for-privacy@domainname.com, etc., etc., etc.).

Now each of these always uses the domain name I had configured in reverse lookup. Remember, I have 4 domains pointed to this IP. Only the one configured as reverse lookup was the target of this type of SPAM.

Bottom line, I like it better without RDNS. Only time will tell if it truly causes any trouble.

Thank you for your post. I would be interested if you have any more thoughts on this matter.

-Frank

---------------end------------------

Reply to
Frankster

Try emailing AOL. I believe they also check for rDNS...

Michael

Reply to
Michael Pelletier
