reverse dns best practices

We have an issue at one of our sites (site1) where the site's public IP address has been listed on several blacklists. The reason stated is that it does not have a reverse DNS record set up.

However, we are not actually running Exchange at this site. We are running Exchange at another site (site2), and site1 connects to the Exchange server at site2 via POP.

I would have thought that emails would be routed (via POP/SMTP) through the Exchange server at site2 and on delivery would be marked with site2's public IP (which DOES have rDNS configured correctly).

But according to mxtoolbox.com and the details of each spam server that has listed site1's IP address, we also need an rDNS record for the IP at site1.

Is this correct, and what rDNS do we need (bearing in mind there is no email server at site1)?

davids355 Asked:
Hilal1924 Commented:
Rule of thumb is that you should create a PTR record for all your mail servers, which helps in resolving reverse DNS queries. And it doesn't cost anything. The fact is that the entire routing channel needs to be configured with rDNS in order for the CNAME, MX and A records to be trusted.
Hilal1924 Commented:
BTW, your outgoing IP/public IP has to be published on an external DNS with proper rDNS set up.
shauncroucher Commented:
The server that makes the final connection to the receiving server is the only one that requires an rDNS entry. The rDNS entry should be forward confirmed and match the hostname.

See my article on DNS data (although it refers to 2007, the same is true for 2003).

http://exchangeshell.wordpress.com/2010/03/12/exchange-send-connector-ehlo-and-dns-data-rdns-ptr-mx-spf-txt-a-record/

If site2 is the only server that sends mail, this is the only one that needs an rDNS entry.

Check the IP being used by looking at the headers of an outbound mail and see what IP is connecting to the receiving server.

Shaun
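Added example (not from the thread or from Shaun's article): a small Python script that does the header check Shaun describes. It walks the Received: headers of a message from the oldest hop to the newest and reports the IP that opened the SMTP connection to the receiving organisation's border MTA, which is the IP that needs the PTR record and that blacklists score. The two header sets below are constructed for this example: the hostnames are the thread's, 203.0.113.10 is an assumed documentation address standing in for mail.site2.co.uk, mx.external-domain.co.uk is an assumed name for the recipient's MX, and the ids and timestamps are illustrative. The script also assumes the receiving organisation's MTAs have hostnames under its mail domain, which is how it tells the border hop from later internal relays.

```python
import email
import re

# One Received: hop reads "from <helo> (<rdns-name> [<ip>]) by <host> ...".
# The bracketed IP is what the receiving MTA saw on the TCP connection; the
# name in front of it is only what the client claimed in its EHLO.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Parse every Received: header into {helo, ip, by}, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by").lower(),
        })
    hops.reverse()  # MTAs prepend Received:, so the last header is the first hop
    return hops


def connecting_ip(raw_message, receiving_domain):
    """IP that opened the SMTP session to the receiving organisation's border MTA.

    That is the oldest hop whose "by" host is inside receiving_domain; anything
    above it is the receiver's own internal relaying.
    """
    domain = receiving_domain.lower()
    for hop in received_hops(raw_message):
        if hop["by"] == domain or hop["by"].endswith("." + domain):
            return hop["ip"]
    return None


# Constructed headers. Case 1: the site1 client submitted to Exchange, which
# relayed to the recipient's MX; the external connection came from Exchange.
RELAYED = """\
Received: from mail.site2.co.uk (mail.site2.co.uk [203.0.113.10])
    by mx.external-domain.co.uk with ESMTP id 1a2b3c;
    Fri, 12 Mar 2010 10:00:05 +0000
Received: from pc01.site1.local (11-111-11-11.sub.ourprovider.co.uk [11.111.11.11])
    by server.site2.local with Microsoft SMTP Server;
    Fri, 12 Mar 2010 09:59:58 +0000
From: user@site2.co.uk
To: firstname.surname@external-domain.co.uk
Subject: constructed example

body
"""

# Case 2: the client at site1 connected straight to the recipient's MX and merely
# announced mail.site2.co.uk in EHLO; the external connection came from site1.
DIRECT = """\
Received: from mail.site2.co.uk (11-111-11-11.sub.ourprovider.co.uk [11.111.11.11])
    by mx.external-domain.co.uk with ESMTP id 4d5e6f;
    Fri, 12 Mar 2010 10:00:05 +0000
From: user@site2.co.uk
To: firstname.surname@external-domain.co.uk
Subject: constructed example

body
"""

if __name__ == "__main__":
    for label, raw in (("relayed", RELAYED), ("direct", DIRECT)):
        print(label, "->", connecting_ip(raw, "external-domain.co.uk"))
```

The point of the two cases is that the EHLO name and the connecting IP can disagree: in the DIRECT case the client says mail.site2.co.uk but the receiver sees 11.111.11.11, and it is the bracketed address, not the claimed name, that the receiver looks up in the PTR zone and in its blacklists.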
davids355 (Author) Commented:
This is the returned message:
*************************************************************************************************
Reporting-MTA: dns; server.site2.local

Final-Recipient: RFC822; firstname.surname@external-domain.co.uk
Action: failed
Status: 5.5.0
X-Supplementary-Info: <mail.site2.co.uk #5.5.0 smtp;554 Service unavailable; Client host [mail.site2.co.uk] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=11.111.11.11>
X-Display-Name: firstname.surname@external-domain.co.uk
*************************************************************************************************
It mentions our Exchange server (mail.site2.co.uk), which has a reverse DNS of the same name, so if you nslookup the Exchange server's IP you get mail.site2.co.uk, and this server DOES NOT appear on ANY blacklists (according to mxtoolbox.com).
However, in the Barracuda reputation link in the above headers, they are showing IP 11.111.11.11, which is the public IP of the site that sent the email via a POP email client.

So I'm not sure what I'm doing wrong... Bearing in mind site1, where the email was sent from, doesn't have an Exchange server and in fact doesn't have any public services hosted on its server.

shauncroucher Commented:
Is the IP blacklisted? No mention of rDNS in that NDR?

Shaun
shauncroucher Commented:
You already said it is. It might not be blacklisted because of rDNS; it could be because of some other reason. Check using the link I provided that rDNS is all configured fine for your IP address.

Shaun
davids355 (Author) Commented:
Yes, the IP was listed on 5 spam servers: Barracuda, CBL, ivmSIP, RATS-Dyna and UCEPROTECTL1.

I have managed to remove it from 4 servers; they did not give specific reasons for listing. But RATS-Dyna will not let me remove the IP, as it says the following:

Does IP Address comply with reverse hostname naming convention... Failed!

When I try and delist, I get this message:

The IP address you have specified does not comply with best practices. Currently, the reverse DNS for this IP address is: 11-111-11-11.sub.ourprovider.co.uk. For more information, please review the above "List Specifications" section, or this best practice documentation.
Hilal1924 Commented:
From the NDR it does not appear that the message was rejected due to a lack of a reverse DNS entry. Rather it says "blocked using Barracuda Reputation". So it looks like your IP is blacklisted due to their reputation filters.
"The IP address you have specified does not comply with best practices. Currently, the reverse DNS for this IP address is: 11-111-11-11.sub.ourprovider.co.uk. For more information, please review the above "List Specifications" section, or this best practice documentation" -- For this, here is what you need to do. If you have access to the DNS control panel at your ISP, modify the PTR record for the public IP address and map it to your "mail.site2.co.uk". All should be great after that.
shauncroucher Commented:
You should really have a PTR that relates to your domain, rather than the ISP-provided rDNS.

The reverse DNS (rDNS \ PTR) record is configured by the people who issued your IP address in most instances (so your ISP).
 
Below are two articles which explain the general requirements for reverse dns (rDNS\PTR) records for your IP address.
 
I try to adhere to the following when setting up a rDNS (PTR) record:
 
Be a Fully Qualified Domain Name (FQDN) such as server.domain.com (not just 'domain.com' or 'server').
Should not contain 'in-addr.arpa' and should not include words like 'pool' or 'dyn' etc.
Should match what you use in your SMTP HELO\EHLO hostname if possible.
 
For neatness and as a good rule of thumb, if your incoming mail is delivered to the same server that you use for outgoing, you should make sure all the following FQDNs match:
 
MX record
rDNS (PTR) record
SMTP EHLO hostname
 
http://www.simpledns.com/kb.aspx?kbid=1052
 
http://postmaster.aol.com/info/rdns.html 
 
http://www.amset.info/exchange/dnsconfig.asp (Courtesy of EE member Mestha)

Shaun
davids355 (Author) Commented:
Yes, you're right about Barracuda. I just got an email back from them after requesting delisting, and it said that our IP had been listed as sending bad mail, so that issue is sorted. However, RATS-Dyna definitely is reporting bad rDNS.

To make sure we're not getting confused, mail.site2.co.uk is the FQDN for company 2 (and is where the Exchange server is hosted). The IP address that's having problems is at site1, which is actually a separate company, but the staff also do work for site2. So should site1's IP not be subdomain.site1.co.uk? And if so, in my experience, in order to set up an rDNS record, the FQDN needs to resolve to the IP address as well, which means we need to create a live domain that resolves to the IP. However, since we have no services running at site1, the domain would not resolve to anything. Does this matter? And aside from this, because there are actually no externally available services running at site1, should we really need a reverse DNS record or a publicly available domain name?
Hilal1924 Commented:
Having rDNS on your external DNS server is an absolute necessity. This is the one that will be visible to the external world, so it has to be configured properly.
shauncroucher Commented:
As I originally said, the only IP that must have rDNS that relates to a domain name (any domain name you like; this doesn't matter) is the IP address used for sending mail to external recipients.

There should be a corresponding 'A' record configured in the domain zone for this rDNS entry as well, so that it is forward confirmed, yes. Also the EHLO on Exchange should match too.

Shaun
davids355 (Author) Commented:
Hilal1924: it's not an external DNS server, it's an internal-only server.

shauncroucher: that's what I thought. I don't know why RATS-Dyna is reporting the bad rDNS then, unless it's just a generic thing that it checks and it's of no consequence because the IP it concerns is NOT hosting an email server.
Hilal1924 Commented:
Ah, I see. Have you configured SPF records for your server? That will save you a lot of grief, trust me.
shauncroucher Commented:
You will need to make sure the rDNS is configured on your external domain name (with your external DNS providers). This is not something you can usually configure on your internal servers, unless you run the DNS for your external domain name.

Shaun
Hilal1924 Commented:
It will most probably be the same place where you registered your MX record...
shauncroucher Commented:
It will be your ISP (the people who gave you your IP address). In most cases this is different to the DNS providers for your domain name.

Shaun
davids355 (Author) Commented:
Thanks for the help guys.