1

I noticed that I had the rDNS for some server wrong. It did not cause any problems, but I am wondering what can happen with wrong rDNS, apart from obviously getting spam points or even mail rejected if it happens on a mail server.

So, what can happen for these errors:

  • rDNS missing
  • forward DNS missing (NXDOMAIN) for rDNS domainname
  • forward DNS does not point to the IP with the rDNS record
  • somebody else points his rDNS at my domain
  • my rDNS points at somebody else's domain
Andrew B
allo
  • It's probably not wrong. It's just that many ISP's, even when handing out static IP's, have their own reverse DNS entries set that don't match the forward DNS. That's not a problem. – hookenz Mar 11 '15 at 18:38
  • This is a little on the broad side because it all depends on the application/protocol with answers ranging from "nothing" to *"everything"*. I did a Q&A awhile back that covers the essentials though: [Do internet standards require reverse DNS for every device?](http://serverfault.com/q/612833/152073) – Andrew B Mar 12 '15 at 06:24

2 Answers

2

Many spam filters check that the reverse DNS of a server that sends mail matches its forward DNS. In other words, if you use the DNS system to look up the IP address of your outgoing mail server you should get the host name, and if you look up that host name you should get the same IP address.

Apart from that, it's not really important. So if your server doesn't originate mail it probably won't matter if the rDNS is not set. And it doesn't really matter if somebody else points his rDNS at your domain (your fourth bullet point). But for your other bullet points you might find that outgoing mail gets blocked by some recipients.

2

If you're using TCP wrappers (tcpd) to control access to network resources and using host/domain names in the access lists, then (by default) you need to have matching forward and reverse lookups. This is because the library does a forward lookup on the hostname returned by the reverse lookup; if the original IP isn't in the list that comes back, then the connection is dropped.

Paul Haldane
  • 4,457
  • 1
  • 20
  • 31
  • 1
    That said, using DNS in this fashion is insecure where it isn't unreliable. If you find this in production, it warrants the hairy eyeball. If someone at your office is proposing it, it warrants the thousand yard stare. – Andrew B Mar 12 '15 at 06:30
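The check described in both answers (the spam-filter test of forward/reverse agreement, and the forward lookup tcpd performs on the name returned by the reverse lookup) is the same procedure, usually called forward-confirmed reverse DNS. Below is an added example that implements it; it is not code from either answer or from tcpd. Resolver functions are injected so the logic runs offline against a constructed zone table covering each of the question's bullet points (the IPs, hostnames and records are made up); the two socket-based resolvers at the end are the real-world substitutes and are not exercised here.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as an illustration of the
test spam filters and tcpd apply: resolve the PTR for an IP, resolve the
returned hostname forward, and require the original IP to be among the
results. Added example, not from the thread."""
import socket
from enum import Enum


class RdnsStatus(Enum):
    OK = "forward and reverse agree"
    NO_PTR = "rDNS missing"
    NO_FORWARD = "forward DNS missing (NXDOMAIN) for rDNS name"
    MISMATCH = "forward DNS does not point back to the IP"


def fcrdns_check(ip, resolve_ptr, resolve_forward):
    """Return (status, hostname) for ip.

    resolve_ptr(ip)       -> hostname, or None when there is no PTR
    resolve_forward(name) -> list of IPs, empty when the name does not resolve
    """
    name = resolve_ptr(ip)
    if name is None:
        return RdnsStatus.NO_PTR, None
    addrs = resolve_forward(name)
    if not addrs:
        return RdnsStatus.NO_FORWARD, name
    if ip not in addrs:
        return RdnsStatus.MISMATCH, name
    return RdnsStatus.OK, name


# Constructed zone data (not real records), one entry per case in the question.
CONSTRUCTED_PTR = {
    "192.0.2.10": "mail.example.net",   # consistent pair
    "192.0.2.20": "ghost.example.net",  # rDNS name has no forward record
    "192.0.2.30": "www.example.org",    # rDNS name resolves to a different IP
    # "192.0.2.40" deliberately has no PTR at all
    "192.0.2.50": "mail.example.net",   # somebody else's rDNS points at my name
}
CONSTRUCTED_A = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.org": ["198.51.100.7"],
}


def table_ptr(ip):
    return CONSTRUCTED_PTR.get(ip)


def table_forward(name):
    return CONSTRUCTED_A.get(name, [])


def check_table(ip):
    """Run the check against the constructed tables (offline)."""
    return fcrdns_check(ip, table_ptr, table_forward)


def tcpd_would_accept(ip):
    """tcpd-style decision for a hostname-based ACL: only a consistent pair passes."""
    status, _ = check_table(ip)
    return status is RdnsStatus.OK


# Live resolvers for real use; they need network access and are not run here.
def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"]:
        status, name = check_table(ip)
        print(f"{ip:12} {name or '-':18} {status.value}")
```

Note that 192.0.2.50, whose operator pointed their rDNS at mail.example.net, is the one that fails the check; 192.0.2.10 still passes, which is why the first answer says somebody else's stray PTR does not hurt you. Swapping `table_ptr`/`table_forward` for `live_ptr`/`live_forward` runs the same logic against real DNS.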