
Reverse DNS

DNS is really not all that difficult, yet hardly anyone bothers to understand it. Fortunately you don’t need a deep understanding of DNS to configure reverse DNS correctly for your server.
So you’ve got a server up on an IP (1.2.3.4, for example) and now you need to set reverse DNS, that is, the PTR record, for that IP. Does the reverse DNS for an IP have to match every hostname that resolves to that IP? No. That’s dumb. If that were the case, virtual hosting would be impossible.

Virtual hosting: multiple web sites on the same IP address. The vast majority of web sites on the internet are hosted virtually on a shared IP, so one IP legitimately has many forward names pointing at it but only one PTR record.

So what should you use for your reverse DNS? Use the hostname your mail server advertises in its 220 greeting banner, which should also be the name it sends in HELO/EHLO when it delivers outbound mail. Why? Because receiving mail servers check that the connecting IP’s reverse DNS matches the name the sender claims, and that the name resolves forward back to the same IP (forward-confirmed reverse DNS). A mismatch is one of the most common reasons for mail to be scored as spam or rejected outright.

Once you’ve configured your hostname and reverse DNS (the PTR record is normally set through whoever assigned you the IP, since they control the in-addr.arpa zone for it), test it. Verify your mail server’s hostname like so:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220-server.rootmypc.net

And now perform a reverse DNS lookup on your server’s IP. The name it returns should be the same one your banner advertises, and that name should in turn resolve forward to the same IP:

# host 1.2.3.4
4.3.2.1.in-addr.arpa domain name pointer server.rootmypc.net.

Why is it important that these match? A spamming server can claim any hostname it likes in its HELO and in the Received headers it generates, so it may announce itself as “server.rootmypc.net” and the recipient, seeing that name in the message headers, blames the wrong person. What the spammer cannot fake is the IP the connection actually comes from: SMTP runs over TCP, so the sending address has to complete the handshake. The reverse DNS for that IP is controlled by whoever owns the address block, and the forward record for the claimed name is controlled by whoever owns the domain, so the only way for the HELO name, the PTR record and the A record to all agree is for the same party to control both the IP and the domain. A receiving server that checks this before accepting mail will not be fooled by a masquerading hostname. Note that a spammer who owns his own address block can still set an arbitrary PTR, so checking the PTR alone is not enough; confirming that the PTR name resolves forward to the connecting IP is what actually closes the hole.
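The check described above, written out as a small Python script so you can see exactly which lookups a receiving server performs and why the forward confirmation matters. This is an added example, not code from the original post or from any particular MTA. The zone data is constructed for an offline run: 1.2.3.4 is the post’s example IP, while 203.0.113.9 and 198.51.100.7 are documentation-range addresses standing in for a spammer who controls his own reverse zone and for an unrelated host. The `live_ptr`/`live_a` helpers use the standard library resolver if you want to run the same check against real records.

```python
import ipaddress
import socket
from typing import Callable, Optional, Set, Tuple

# Constructed sample records (assumption: not real zone data).
SAMPLE_PTR = {
    "1.2.3.4": "server.rootmypc.net",      # the legitimate mail server from the post
    "203.0.113.9": "server.rootmypc.net",  # spammer who set a lookalike PTR on his own block
    "198.51.100.7": "mail.example.org",    # unrelated host with an honest PTR
}
SAMPLE_A = {
    "server.rootmypc.net": {"1.2.3.4"},
    "mail.example.org": {"198.51.100.7"},
}


def reverse_name(ip: str) -> str:
    """Name a resolver queries for the PTR record, e.g. 1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def sample_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip)


def sample_a(name: str) -> Set[str]:
    """Forward (A) lookup against the constructed table."""
    return SAMPLE_A.get(name.rstrip(".").lower(), set())


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup using the system resolver; None if the IP has no reverse DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name: str) -> Set[str]:
    """Forward lookup (A and AAAA) using the system resolver."""
    try:
        return {entry[4][0] for entry in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def check_sender(
    ip: str,
    helo_name: str,
    ptr_lookup: Callable[[str], Optional[str]] = sample_ptr,
    a_lookup: Callable[[str], Set[str]] = sample_a,
) -> Tuple[str, str]:
    """Decide whether a connecting mail server's claimed hostname is trustworthy.

    Three things must agree: the HELO name the client sends, the PTR record for
    the IP it connects from, and the A record of that PTR name pointing back at
    the same IP (forward-confirmed reverse DNS). Returns ("pass"|"fail", reason).
    """
    def norm(name: str) -> str:
        return name.rstrip(".").lower()

    ptr = ptr_lookup(ip)
    if ptr is None:
        return "fail", f"no PTR record at {reverse_name(ip)}"
    if norm(ptr) != norm(helo_name):
        return "fail", f"HELO {helo_name} does not match PTR {ptr}"
    # A spammer who owns the address block can write any PTR he likes, so the
    # claimed name must also resolve forward to the IP the connection came from.
    if ip not in a_lookup(ptr):
        return "fail", f"PTR {ptr} does not resolve back to {ip} (not forward-confirmed)"
    return "pass", f"{ip} <-> {ptr} is forward-confirmed"


if __name__ == "__main__":
    for ip, helo in [("1.2.3.4", "server.rootmypc.net"),
                     ("203.0.113.9", "server.rootmypc.net"),
                     ("198.51.100.7", "server.rootmypc.net"),
                     ("192.0.2.1", "server.rootmypc.net")]:
        print(ip, helo, *check_sender(ip, helo))
```

The second case is the one that matters: the spammer’s PTR says “server.rootmypc.net” and matches his HELO, yet the check still fails because server.rootmypc.net resolves to 1.2.3.4, not to 203.0.113.9. Only the owner of rootmypc.net can change that forward record. To test a real server, call `check_sender(ip, helo, live_ptr, live_a)` from a host that can reach a resolver.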
