Off topic Let’s talk reverse DNS entries: how bad are they when some parts of the Internet rely on them as industry “best practice?”

IBMuser

New member
Apr 27, 2024
So the GRC webpages when you go to the shields up area, give a bit of a spiel when your address has no reverse DNS. Having one could “possibly” be a security concern and certainly it could disclose a geographic location, but certainly such locations really can’t distil down to anything other than perhaps a city or county. Certainly not a street address.

Years ago when I used my email relay from shaw.ca it wasn’t a big deal and when I would periodically visit the shieldsup pages having no reverse DNS was pretty cool.

Till it wasn’t.

To help thwart spam from spoofed IP addresses SHAW farms out their spam protection to cloudfilter.net. To certify an incoming IP request address as trusted cloud filter does a reverse DNS look up for the proper well formed corresponding DNS PTR record corresponding to the address. No record, the connection request fails.

I was in a protracted fight about a year ago with my Internet provider that gives me rural Internet connectivity through their mobility network on a home based modem and they did relent and placed PTR records on the block of addresses where I get an address. Then they switched the block on me and there are no PTR records. So of course I cannot send email now. A year later they’re telling me they have no ability or authority to change any of this. And it’s driving me nuts.

Look up most any article asking about what a PTR record is and what it does and all sorts of essays talk about how this is almost essential for sending email and as one tool to help for spam from rogue addresses. How far up the food chain should one go when a telecom tech-support unit who should know about this is either unwilling or unable to do anything or even totally ignorant about the issue?

My working address block up until about April 8 this year was: 142.59.70.* so an address of 142.59.70.59 on a reverse DNS look up would deliver a PTR record of: nat-142-59-70-59.wireless.telus.com and that’s proper. Then my telecom provider without any notice given to me and certainly not my consent changed the address block so now that the third octet is no longer 70, but 189. So a reverse DNS search of the same address, but 142.59.189.59 returns no PTR record and now I can no longer send email.

So while no reverse DNS may be considered “generally a good thing” according to the shields up webpages, is it necessarily a “bad” thing? Because more and more it looks like for email providers it is increasingly a “necessary” thing.
 
I run a mail server for a customer. One of the first checks that we do when a remote server tries to connect to SMTP is a reverse DNS lookup. If there is no PTR record, or if it does not match the EHLO name, we reject the mail and terminate the connection. Some days we will get 30-35,000 of these connection attempts. PTR records do matter.
 
So the GRC webpages when you go to the shields up area, give a bit of a spiel when your address has no reverse DNS. Having one could “possibly” be a security concern and certainly it could disclose a geographic location, but certainly such locations really can’t distil down to anything other than perhaps a city or county. Certainly not a street address.

Years ago when I used my email relay from shaw.ca it wasn’t a big deal and when I would periodically visit the shieldsup pages having no reverse DNS was pretty cool.
<SIGH> Shaw. Their network management practices are atrocious. It's worse now than it was ten years ago. Their use of PTR records was sketchy at best then but has improved. Back then their MX server didn't have a PTR nor an MX record. And, they block port 25 egress in order to limit SPAM. Even now, I have a daily cron job that tests my email to an external email address I have.

I hear TekSavvy is better. Even though I want to switch the other half doesn't because of her shaw.ca email address and no amount of suggesting I get her own domain will convince her. So here I am.

Till it wasn’t.

To help thwart spam from spoofed IP addresses SHAW farms out their spam protection to cloudfilter.net. To certify an incoming IP request address as trusted cloud filter does a reverse DNS look up for the proper well formed corresponding DNS PTR record corresponding to the address. No record, the connection request fails.

I have my mail server in my basement using a shaw home account. The mismatch hasn't caused me any grief, so far. Though I am forced to use their MX as a relay. I use postfix to authenticate through their port 587.

Some people I know use an ssh tunnel through to the open source project's server I work with to tunnel SMTP through to their network. It works but is certainly a PITA.

I was in a protracted fight about a year ago with my Internet provider that gives me rural Internet connectivity through their mobility network on a home based modem and they did relent and placed PTR records on the block of addresses where I get an address. Then they switched the block on me and there are no PTR records. So of course I cannot send email now. A year later they’re telling me they have no ability or authority to change any of this. And it’s driving me nuts.

Oh yeah, they're doing that. In two to three years here in BC all landlines will also use cell service. The telcos have deprecated wired connections in favour of wireless. I'm not enamoured with this. Expect your internet, TV, and phone service to become wireless over the next few years.

Look up most any article asking about what a PTR record is and what it does and all sorts of essays talk about how this is almost essential for sending email and as one tool to help for spam from rogue addresses. How far up the food chain should one go when a telecom tech-support unit who should know about this is either unwilling or unable to do anything or even totally ignorant about the issue?

It is. But as a Shaw/Rogers customer you are not allowed to send email directly from your IP. You must route through their SMTP gateway. Contact me off list and I can share with you my postfix configuration.

My working address block up until about April 8 this year was: 142.59.70.* so an address of 142.59.70.59 on a reverse DNS look up would deliver a PTR record of: nat-142-59-70-59.wireless.telus.com and that’s proper. Then my telecom provider without any notice given to me and certainly not my consent changed the address block so now that the third octet is no longer 70, but 189. So a reverse DNS search of the same address, but 142.59.189.59 returns no PTR record and now I can no longer send email.

I'm not sure about Telus but Shaw's PTR records are the MAC address of your connected equipment. When your IP changes they will update your PTR to point to the new IP. Telus might do their own thing.

In my case, even though Shaw does maintain PTR records, they don't match my A records. It would be nice if they would but I don't own the network segment I'm on. My ISP does. I have no say what they put in their PTR records.

So while no reverse DNS may be considered “generally a good thing” according to the shields up webpages, is it necessarily a “bad” thing? Because more and more it looks like for email providers it is increasingly a “necessary” thing.
I don't see why shields up might say that a PTR is a bad thing.

BTW, A and AAAA records are used to specify forward lookup addresses. PTR records specify reverse lookups. MX (mail exchanger) records specify SMTP servers that accept or send email. There are many more record types most of us don't use or care about.
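
Added example (not code from any poster in this thread): the receiving-side check described earlier in the thread, where a client with no PTR record, or a PTR that does not match its EHLO name, is rejected. It goes one step further and also confirms that the name resolves back to the client address, the PTR-versus-A comparison mentioned in the last reply. The DNS data is a constructed in-memory table so the code runs offline; the forward (A) records and the example.org/example.net hosts are assumptions, only the telus PTR name and the two 142.59.x.59 addresses come from the thread.

```python
import ipaddress

# Constructed sample DNS data, not live lookups. The first PTR value and the
# address that has no PTR are the ones quoted in the thread; everything else
# uses documentation address ranges and made-up host names.
PTR = {
    "59.70.59.142.in-addr.arpa": ["nat-142-59-70-59.wireless.telus.com"],
    "25.2.0.192.in-addr.arpa": ["mail.example.org"],
    "7.100.51.198.in-addr.arpa": ["host.example.net"],
}
A = {
    "nat-142-59-70-59.wireless.telus.com": ["142.59.70.59"],  # assumed forward record
    "mail.example.org": ["192.0.2.25"],
    "host.example.net": ["203.0.113.9"],  # deliberately does not point back
}


def norm(name):
    """DNS names compare case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()


def check_client(ip, ehlo, ptr_zone=PTR, a_zone=A):
    """Return (accept, reason) for a connecting SMTP client."""
    addr = ipaddress.ip_address(ip)
    # 142.59.70.59 is looked up as 59.70.59.142.in-addr.arpa (octets reversed).
    qname = addr.reverse_pointer
    names = [norm(n) for n in ptr_zone.get(qname, [])]
    if not names:
        return False, "no PTR record for " + qname
    if norm(ehlo) not in names:
        return False, "EHLO name does not match PTR"
    # Forward confirmation: the claimed name must resolve back to the client.
    forward = {ipaddress.ip_address(a) for a in a_zone.get(norm(ehlo), [])}
    if addr not in forward:
        return False, "PTR name does not resolve back to client address"
    return True, "PTR, EHLO and forward lookup agree"


if __name__ == "__main__":
    for ip, ehlo in [
        ("142.59.70.59", "nat-142-59-70-59.wireless.telus.com"),
        ("142.59.189.59", "nat-142-59-189-59.wireless.telus.com"),
        ("198.51.100.7", "host.example.net"),
    ]:
        print(ip, check_client(ip, ehlo))
```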