Solved

Reverse DNS lookup and Authoritative vs non-Authoritative responses

Posted on 2013-05-22
Last Modified: 2013-05-28
We have a frequent business partner that uses Cisco IronPort for email scanning/filtering. We use Zscaler for incoming and outgoing email delivery.
The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup.
Zscaler says "There is nothing wrong with non-authoritative answers. You get authoritative answers if the responding DNS is responsible for that zone".

I use mstoolbox.com and never get an Authoritative response when I am checking Zscaler's servers.

I am looking for any information you can provide me on the differences between Authoritative and non-Authoritative responses to a DNS reverse lookup.

Is Zscaler's response (in quotes above) correct?

Is it appropriate or common for an incoming email to receive a higher SPAM (SBRS) score because its sending server does not provide an Authoritative reverse DNS response?
Question by: swfwmd2

4 Comments

Expert Comment by d0ughb0y (ID: 39188800)
An authoritative lookup is a response from the DNS server hosting the zone. That's correct. A non-authoritative response is from a different DNS server, which may be completely correct, but isn't responsible for that reverse lookup zone.

What I think they're looking for is for your domain to "own" your public IP address. Do you? Do you have a static IP address? If so, you should probably ask your provider to provide that reverse-lookup for you. If not, you should consider using a smart-host (like your ISP, or Public DNS host, or something) and then set up SPF to explicitly allow their host to send mail out from your domain. Something like that would probably help.
Expert Comment by ChiefIT (ID: 39192351)
Authoritative:
A DNS server that holds, and is the authority for, those HOST A records within DNS.

Authoritative:
computera.my.domain.com
computerb.my.domain.com
printera.my.domain.com
servera.my.domain.com

Non-Authoritative:
An outside server or another server that owns those same records (other than your server).
computera.their.domain.com
computerb.their.domain.com
printera.their.domain.com
servera.their.domain.com.

This might help, to study the path of where a DNS query goes:
http://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html
Accepted Solution by b_levitt (earned 500 total points, ID: 39201467)
A non-authoritative response is simply a cached response. 99% of all DNS resolutions by clients would be non-authoritative, since authoritative responses would be given to other DNS servers that do not have a fresh resolution in their cache. But I don't think they're talking about an authoritative response for your forward lookup (i.e., mail.yourdomain.com); I think they're talking about an authoritative response for the PTR record.

"The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup."

I'd guess they're complaining about one of three things:

One, does your mail server have a PTR record for its IP(s)? It doesn't necessarily need to resolve back to a particular host name, but it should at least exist. This is a simple mechanism to make sure your email server is hosted by a commercial ISP and not in a basement with a home cable or DSL service. A PTR record is a standard request of a business to its commercial ISP, whereas somebody with a home internet provider is not going to get a PTR record.

Two, your ISP is delegating responsibility for reverse lookup of your IP block back to your DNS server, and either you've not configured your DNS server to answer or you're answering incorrectly.

Finally, they may be comparing your mail server's EHLO reply to your PTR record. For example:
Your server, mail.abc.com, connects to their SMTP service and says "ehlo mail.abc.com". That server then does a PTR lookup of your server's IP to see if it matches mail.abc.com. I believe it is against RFCs to reject email based on this alone, but there's nothing in RFCs about the various scoring systems that a spam solution might use.
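The three checks in the accepted answer (PTR existence, forward-confirmed reverse DNS, EHLO name versus PTR name) and the "authoritative vs cached" distinction from the earlier replies can be tried out on the command line. The script below is an added example, not code from any of the posters; it uses a constructed in-memory record table in place of a live resolver so it runs offline, and the `lookup` function and the `check_sender`/`is_authoritative` names are hypothetical helpers chosen for this demonstration. The "authoritative" part is the AA bit in the DNS header: a recursive resolver answering from its cache leaves it clear, which is exactly the "non-authoritative" answer Zscaler describes.

```python
"""Offline demonstration of the reverse-DNS checks discussed in the thread:
PTR existence, forward-confirmed reverse DNS (PTR target must have an A record
pointing back at the connecting IP), HELO/EHLO name versus PTR name, and
reading the AA (Authoritative Answer) bit from a DNS response header.

Added example, not code from the original post. SAMPLE_RECORDS is constructed
sample data; for live checks replace `lookup` with a real resolver call.
"""
import ipaddress

# Constructed sample records: (owner name, rrtype) -> list of RDATA strings.
# Owner names carry the trailing dot, as they would in a zone file.
SAMPLE_RECORDS = {
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.abc.example."],
    ("mail.abc.example.", "A"): ["192.0.2.25"],
    # PTR exists but its forward A record points elsewhere: not forward-confirmed.
    ("99.2.0.192.in-addr.arpa", "PTR"): ["mail.xyz.example."],
    ("mail.xyz.example.", "A"): ["192.0.2.100"],
}

AA_BIT = 0x0400  # Authoritative Answer flag in the 16-bit DNS header flags field


def reverse_name(ip):
    """PTR owner name for an address, e.g. 192.0.2.25 -> 25.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup(name, rrtype):
    """Stand-in resolver over the constructed table; [] means NXDOMAIN/NODATA."""
    return SAMPLE_RECORDS.get((name, rrtype), [])


def _canon(name):
    """Normalise a host name for comparison (case, trailing dot)."""
    return name.lower().rstrip(".")


def check_sender(ip, helo_name=None, resolve=lookup):
    """Apply the checks the accepted answer lists to a sending IP."""
    ptr_names = resolve(reverse_name(ip), "PTR")
    result = {"ip": ip, "ptr": ptr_names, "forward_confirmed": False,
              "helo_match": False}
    if not ptr_names:
        result["verdict"] = "no PTR record"
        return result
    # Forward-confirm: some PTR target must have an A record equal to the IP.
    confirmed = [n for n in ptr_names if ip in resolve(n, "A")]
    result["forward_confirmed"] = bool(confirmed)
    if helo_name is not None:
        result["helo_match"] = _canon(helo_name) in {_canon(n) for n in confirmed}
    if not confirmed:
        result["verdict"] = "PTR present but not forward-confirmed"
    elif helo_name is not None and not result["helo_match"]:
        result["verdict"] = "forward-confirmed, but HELO name differs from PTR"
    else:
        result["verdict"] = "forward-confirmed"
    return result


def is_authoritative(response):
    """True if the AA bit is set in a raw DNS response (bytes 2-3 are the flags)."""
    if len(response) < 12:
        raise ValueError("DNS header is 12 bytes")
    flags = int.from_bytes(response[2:4], "big")
    return bool(flags & AA_BIT)


# Constructed 12-byte headers: ID 0x1234, QDCOUNT 1, ANCOUNT 1, NSCOUNT/ARCOUNT 0.
# 0x8400 = QR|AA      -> answer straight from the server hosting the zone
# 0x8180 = QR|RD|RA   -> typical cached answer from a recursive resolver, AA clear
AUTHORITATIVE_HEADER = bytes.fromhex("1234840000010001" "0000" "0000")
CACHED_HEADER = bytes.fromhex("1234818000010001" "0000" "0000")

if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.abc.example"),
                     ("192.0.2.99", "mail.xyz.example"),
                     ("192.0.2.7", "mail.nowhere.example")]:
        print(ip, "->", check_sender(ip, helo)["verdict"])
    print("AA set on zone-server answer:", is_authoritative(AUTHORITATIVE_HEADER))
    print("AA set on cached answer:", is_authoritative(CACHED_HEADER))
```

The point of running it against a real resolver is to see which of the three outcomes your own sending IP produces, and then to query the reverse zone's nameserver directly (rather than your ISP's recursive resolver) to confirm that the PTR answer actually comes back with AA set; if it does not, the delegation for your IP block is the thing to chase with the ISP.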
 
LVL 8

Expert Comment

by:d0ughb0y
ID: 39201858
One solution might be to have your mail server use a Smart Host; in other words, have it bounce your outbound mail off your ISP's mail server. They'll typically allow you to do that, and that often fixes problems where the receiving mail server is trying to authenticate the sending host.