Questions tagged [fcrdns]

Forward Confirmed reverse DNS is a practice employed by several protocols and applications to tie domain ownership to network ownership. This is considered more reliable than using the WHOIS databases provided by IP assigning organizations (ARIN, RIPE, etc.) which cannot be considered accurate beyond the immediate network carrier.

Example of DNS records that might be defined in a valid FCrDNS scenario:

$ORIGIN example.com.
mail                                     IN A        203.0.113.1
mail                                     IN AAAA     2001:db8::1

$ORIGIN 113.0.203.in-addr.arpa.
1                                        IN PTR      mail.example.com.

$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0          IN PTR      mail.example.com.

mail.example.com identifies itself as being associated with IPv4 address 203.0.113.1 and IPv6 address 2001:db8::1. If a remote mail server were to look up the reverse DNS entry for either of those IP addresses, it would find a PTR record associating the address to mail.example.com.

This provides a remote server with a reasonable amount of faith that both the domain and network are controlled by the same parties, but there is no way of knowing whether a malicious configuration has been inserted into any of the involved mail servers or name servers.