davids355

asked on

reverse dns best practices

We have an issue at one of our sites (site1) where the site's public IP address has been listed on several blacklists - the reason stated is that it does not have a reverse DNS record set up.

However, we are not actually running Exchange at this site - we are running Exchange at another site (site2) and site1 connects to the Exchange server at site2 via POP.

I would have thought that emails would be routed (via POP/SMTP) through the Exchange server at site2 and on delivery would be marked with site2's public IP (which DOES have RDNS configured correctly).

But according to mxtoolbox.com and the details of each spam server that has listed site1's IP address, we also need a RDNS record for the IP at site1.

Is this correct, and what RDNS do we need (bearing in mind there is no email server at site1)?

Hilal1924

The rule of thumb is that you should create a PTR record for all your mail servers, which helps in resolving the reverse DNS queries. And it doesn't cost anything. The fact is that the entire routing channel needs to be configured with RDNS in order for the CNAME, MX and A records to be trusted.
davids355

ASKER

This is the returned message:
*************************************************************************************************
Reporting-MTA: dns; server.site2.local

Final-Recipient: RFC822; firstname.surname@external-domain.co.uk
Action: failed
Status: 5.5.0
X-Supplementary-Info: <mail.site2.co.uk #5.5.0 smtp;554 Service unavailable; Client host [mail.site2.co.uk] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=11.111.11.11>
X-Display-Name: firstname.surname@external-domain.co.uk
*************************************************************************************************
It mentions our Exchange server (mail.site2.co.uk), which has a reverse DNS of the same name - so if you nslookup the Exchange server's IP you get mail.site2.co.uk - and this server DOES NOT appear on ANY blacklists (according to mxtoolbox.com).
However, in the Barracuda reputation link in the above headers, they are showing IP 11.111.11.11 - which is the public IP of the site that sent the email via a POP email client.


So I'm not sure what I'm doing wrong...?? Bearing in mind site1, where the email was sent from, doesn't have an Exchange server and in fact doesn't have any public services hosted on its server.

Is the IP blacklisted? No mention of rDNS in that NDR?

Shaun
You already said it is. It might not be blacklisted because of rDNS, it could be because of some other reason. Check using the link I provide that rDNS is all configured fine for your IP address.

Shaun
Yes, the IP was listed on 5 spam servers: Barracuda, CBL, ivmSIP, RATS-Dyna and UCEPROTECTL1.

I have managed to remove it from 4 servers - they did not give specific reasons for listing. But RATS-Dyna will not let me remove the IP, as it says the following:

Does IP Address comply with reverse hostname naming convention... Failed!

When I try and delist, I get this message:

The IP address you have specified does not comply with best practices. Currently, the reverse DNS for this IP address is: 11-111-11-11.sub.ourprovider.co.uk. For more information, please review the above "List Specifications" section, or this best practice documentation.
From the NDR, it does not appear that the message was rejected due to the lack of a reverse DNS entry. Rather, it says "blocked using Barracuda Reputation". So it looks like your IP is blacklisted due to their reputation filters.
"The IP address you have specified does not comply with best practices. Currently, the reverse DNS for this IP address is: 11-111-11-11.sub.ourprovider.co.uk. For more information, please review the above "List Specifications" section, or this best practice documentation" -- For this, here is what you need to do. If you have access to the DNS control panel on your ISP, modify the PTR record for the public IP address and map it to your "mail.site2.co.uk". All should be great after that.
You should really have a PTR that relates to your domain, rather than the ISP provided rDNS.

The reverse DNS (rDNS \ PTR) record is configured by the people who issued your IP address in most instances (so your ISP).
 
Below are two articles which explain the general requirements for reverse dns (rDNS\PTR) records for your IP address.
 
I try to adhere to the following when setting up a rDNS (PTR) record:
 
Be a Fully Qualified Domain Name (FQDN) such as server.domain.com (not just 'domain.com' or 'server').
Should not contain 'in-addr-arpa' and should not include words like pool or dyn etc.
Should match what you use in your SMTP HELO\EHLO hostname if possible.
 
For neatness and as a good rule of thumb, if your incoming mail is delivered to the same server that you use for outgoing, you should make sure all the following FQDNs match:
 
MX record
rDNS (PTR) record
SMTP EHLO hostname
 
http://www.simpledns.com/kb.aspx?kbid=1052
 
http://postmaster.aol.com/info/rdns.html 
 
http://www.amset.info/exchange/dnsconfig.asp (Courtesy of EE member Mestha)

Shaun
Yes, you're right about the Barracuda. I just got an email back from them after requesting delisting, and it said that our IP had been listed as sending bad mail - so that's that issue sorted. However, RATS-Dyna definitely is reporting bad RDNS.

To make sure we're not getting confused, mail.site2.co.uk is the FQDN for company 2 (and is where the Exchange server is hosted). The IP address that's having problems is at site1, which is actually a separate company, but the staff also do work for site2. So should site1's IP not be subdomain.site1.co.uk? And if so, in my experience, in order to set up an RDNS record, the FQDN needs to resolve to the IP address as well, which means we need to create a live domain that resolves to the IP. However, since we have no services running at site1, the domain would not resolve to anything; does this matter? And aside from this, because there are actually no externally available services running at site1, should we really need a reverse DNS record or a publicly available domain name?
Having an rDNS on your external DNS server is an absolute necessity. This is the one that will be visible to the external world, so it has to be configured properly.
As I originally said, the only IP that must have a rDNS that relates to a domain name (any domain name you like, this doesn't matter) is the IP address used for sending mail to external recipients.

There should be a corresponding 'A' record configured in the domain zone for this rDNS entry as well, so that it is forward confirmed, yes. Also the EHLO on Exchange should match too.

Shaun
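
The checks listed in the replies above (host FQDN, no pool/dyn wording, PTR matching the HELO/EHLO name, and a forward-confirming 'A' record), as an added example that is not part of the original thread. The function name `audit_rdns`, the sample records (constructed, using documentation addresses) and the embedded-IP heuristic, modelled on the RATS-Dyna message quoted earlier, are assumptions.

```python
import ipaddress
import re

# Constructed sample DNS data (documentation addresses, not real records).
PTR = {
    "192.0.2.10": "mail.example.co.uk",
    "192.0.2.77": "192-0-2-77.dyn.isp.example",
    "192.0.2.99": "mail.example.org",
}
A = {
    "mail.example.co.uk": ["192.0.2.10"],
    "192-0-2-77.dyn.isp.example": ["192.0.2.77"],
    "mail.example.org": ["198.51.100.5"],  # forward record points elsewhere
}

# "pool" / "dyn" as whole words inside a hostname label.
GENERIC = re.compile(r"(?:^|[.\-\d])(?:pool|dyn)(?:[.\-\d]|$)")


def audit_rdns(ip, helo, ptr_records=PTR, a_records=A):
    """Return a list of problems with the PTR setup of a sending IP (empty = OK)."""
    ptr = ptr_records.get(ip)
    if ptr is None:
        return ["no PTR record for " + ipaddress.ip_address(ip).reverse_pointer]
    problems = []
    name = ptr.rstrip(".").lower()
    labels = name.split(".")
    # Crude FQDN test: does not know public suffixes such as co.uk.
    if len(labels) < 3:
        problems.append("PTR is not a host FQDN such as server.domain.com")
    if name.endswith(".in-addr.arpa"):
        problems.append("PTR points at an in-addr.arpa name")
    if GENERIC.search(name):
        problems.append("PTR contains a generic word (pool/dyn)")
    # Assumption: a first label containing every octet of the IPv4 address
    # is an ISP-assigned generic name.
    digits = re.findall(r"\d+", labels[0])
    if all(octet in digits for octet in ip.split(".")):
        problems.append("PTR embeds the IP address")
    # Forward-confirmed rDNS: the PTR name must resolve back to the same IP.
    if ip not in a_records.get(name, []):
        problems.append("not forward-confirmed: A record does not return the IP")
    if helo.rstrip(".").lower() != name:
        problems.append("HELO/EHLO name does not match PTR")
    return problems
```

To run it against live DNS, replace the two dictionaries with real PTR and A lookups for the IP that actually delivers mail to external recipients.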
Hilal1924 - it's not an external DNS server, it's an internal-only server.

shauncroucher: that's what I thought. I don't know why RATS-Dyna is reporting the bad RDNS then - unless it's just a generic thing that it checks and it's of no consequence because the IP it concerns is NOT hosting an email server.
Ah, I see. Have you configured SPF records for your server? That will save you a lot of grief, trust me.
You will need to make sure the rDNS is configured on your external domain name (with your external DNS providers, this is not something you can usually configure on your internal servers unless you run the DNS for your external domain name?)

Shaun
It will most probably be the same place where you registered your MX record ...
It will be your ISP (the people who gave you your IP address). In most cases this is different to the DNS providers for your domain name.

Shaun
Thanks for the help guys.