Solved

Reverse DNS lookup and Authoritative vs non-Authoritative responses

Posted on 2013-05-22
1,863 Views
Last Modified: 2013-05-28
We have a frequent business partner that uses Cisco IronPort for email scanning/filtering. We use Zscaler for incoming and outgoing email delivery.
The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup.
Zscaler says "There is nothing wrong with non-authoritative answers. You get authoritative answers if the responding DNS is responsible for that zone".

I use mstoolbox.com and never get an Authoritative response when I am checking Zscaler's servers.

I am looking for any information you can provide me on the differences between Authoritative and non-Authoritative responses to DNS reverse lookup.

Is Zscaler's response (in quotes above) correct?

Is it appropriate or common for an incoming email to receive a higher SPAM (SBRS) score because its sending server does not provide an Authoritative reverse DNS response?
Question by:swfwmd2
4 Comments
 
LVL 8

Expert Comment

by:d0ughb0y
An authoritative lookup is a response from the DNS server hosting the zone. That's correct. A non-authoritative response is from a different DNS server, that may be completely correct, but isn't responsible for that reverse lookup zone.

What I think they're looking for is for your domain to "own" your public IP address. Do you? Do you have a static IP address? If so, you should probably ask your provider to provide that reverse-lookup for you. If not, you should consider using a smart-host (like your ISP, or Public DNS host, or something) and then set up SPF to explicitly allow their host to send mail out from your domain. Something like that would probably help.
 
LVL 38

Expert Comment

by:ChiefIT
Authoritative:
A DNS server that holds, and is the authority for, those host A records within DNS.

Authoritative:
computera.my.domain.com
computerb.my.domain.com
printera.my.domain.com
servera.my.domain.com

Non-Authoritative:
An outside server or another server that owns those same records (other than your server).
computera.their.domain.com
computerb.their.domain.com
printera.their.domain.com
servera.their.domain.com.

This might help, to study the path of where a DNS query goes:
http://www.experts-exchange.com/Networking/Protocols/DNS/A_323-DNS-Troubleshooting-made-easy.html
 
LVL 11

Accepted Solution

by: b_levitt (earned 500 total points)
A non-authoritative response is simply a cached response. 99% of all DNS resolutions by clients would be non-authoritative, since authoritative responses would be given to other DNS servers that do not have a fresh resolution in their cache. But I don't think they're talking about an authoritative response for your forward lookup (i.e., mail.yourdomain.com); I think they're talking about an authoritative response for the PTR record.

"The Cisco IronPort product gives a high SBRS score if the sending server does not provide an Authoritative response to Reverse DNS lookup."

I'd guess they're complaining about one of three things:

One, does your mail server have a PTR record for its IP(s)? It doesn't necessarily need to resolve back to a particular host name, but it should at least exist. This is a simple mechanism to make sure your email server is hosted by a commercial ISP and not in a basement with a home cable or DSL service. A PTR record is a standard request of a business to its commercial ISP, whereas somebody with a home internet provider is not going to get a PTR record.

Two, your ISP is delegating responsibility for reverse lookup of your IP block back to your DNS server, and either you've not configured your DNS server to answer or you're answering incorrectly.

Finally, they may be comparing your mail server's EHLO reply to your PTR record. For example:
Your server, mail.abc.com, connects to their SMTP service and says "ehlo mail.abc.com". That server then does a PTR lookup of your server's IP to see if it matches mail.abc.com. I believe it is against the RFCs to reject email based on this alone, but there's nothing in the RFCs about the various scoring systems that a spam solution might use.
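The three checks described in the accepted answer (does a PTR exist, does it resolve forward to the same address, does it match the EHLO name) and the protocol meaning of "authoritative" can be shown in a few lines of Python. This is an added example, not code from the thread, from Zscaler or from Cisco; the IP addresses, host names and record tables below are constructed stand-ins for real zones, and the resolver is an in-memory dictionary so the script runs offline. What it shows that the prose does not: "authoritative" is literally the AA bit in the DNS response header (RFC 1035 section 4.1.1), so a recursive resolver replying from cache cannot set it, and a forward-confirmed reverse DNS check is a two-hop comparison, not a single lookup.

```python
import struct
import ipaddress

# Constructed in-memory DNS data (assumption: stands in for real zones).
# Forward (A) records keyed by name, reverse (PTR) records keyed by address.
FORWARD = {
    "mail.abc.example": ["203.0.113.25"],
    "smtp.isp.example": ["203.0.113.25"],   # resolves to the IP but is not its PTR name
}
REVERSE = {
    "203.0.113.25": ["mail.abc.example"],
    "203.0.113.99": [],                     # address with no PTR at all
    "198.51.100.7": ["mail.spoofed.example"],  # PTR that does not resolve forward
}

AA_FLAG = 0x0400  # Authoritative Answer bit in the DNS header flags (RFC 1035 4.1.1)


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name a resolver queries for a PTR."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_header(txid, authoritative, ancount=1):
    """Construct a minimal 12-byte DNS response header (QR=1, RD=1, RA=1)."""
    flags = 0x8180 | (AA_FLAG if authoritative else 0)
    return struct.pack("!6H", txid, flags, 1, ancount, 0, 0)


def response_is_authoritative(message):
    """Read the header of a raw DNS message and report whether AA is set.

    A recursive resolver answering from cache leaves AA clear; only a server
    that serves the zone itself sets it. This is the whole difference between
    an 'authoritative' and a 'non-authoritative' answer.
    """
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, *_ = struct.unpack("!6H", message[:12])
    return bool(flags & AA_FLAG)


def fcrdns_check(ip, ehlo_name, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS as a receiving MTA might score it.

    Returns one of:
      'no-ptr'          - no PTR record at all (the answer's case one)
      'ptr-unconfirmed' - PTR exists but does not resolve back to ip (case two)
      'ehlo-mismatch'   - PTR confirmed but differs from the EHLO name (case three)
      'match'           - everything lines up
    """
    ptr_names = reverse.get(ip, [])
    if not ptr_names:
        return "no-ptr"
    confirmed = [n for n in ptr_names if ip in forward.get(n, [])]
    if not confirmed:
        return "ptr-unconfirmed"
    if ehlo_name.lower().rstrip(".") in (n.lower() for n in confirmed):
        return "match"
    return "ehlo-mismatch"


if __name__ == "__main__":
    print("PTR query name:", reverse_name("203.0.113.25"))
    print("AA set on authoritative header:", response_is_authoritative(build_header(0x1234, True)))
    print("AA set on cached header:", response_is_authoritative(build_header(0x1234, False)))
    for ip, ehlo in [("203.0.113.25", "mail.abc.example"),
                     ("203.0.113.25", "smtp.isp.example"),
                     ("203.0.113.99", "mail.abc.example"),
                     ("198.51.100.7", "mail.spoofed.example")]:
        print(f"{ip} ehlo {ehlo}: {fcrdns_check(ip, ehlo)}")
```

The `fcrdns_check` results map onto the three complaints in the answer: `no-ptr` means the ISP never published a reverse record, `ptr-unconfirmed` means the PTR exists but the reverse zone is answering with a name that does not point back (the delegation case), and `ehlo-mismatch` means the records are fine but the server introduces itself under a different name. Only the last two are things the sending side can fix in its own DNS; the AA bit is set by whoever serves the reverse zone, which for a leased address block is normally the ISP.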
 
LVL 8

Expert Comment

by:d0ughb0y
One solution might be to have your mail server use a Smart Host - in other words, have it bounce your outbound mail off your ISP's mail server. They'll typically allow you to do that, and that often fixes problems where the receiving mail server is trying to authenticate the sending host.
