Old 02-24-2010, 03:11 PM
"Daniel B. Thurman"
 
DNS PTR Question

I am trying to get a handle on how to properly
assign DNS PTR records, given these conditions:

1) Single machine containing:
a) DNS Server
b) Sendmail Server


Forward zone contains:
======================
$TTL 172800
@ IN SOA ns1.domain.com. admin.domain.com. (
3818 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; ==========[Nameservers]=================
@ IN NS ns1.domain.com.
; ==========[Mail Exchangers]=============
@ IN MX 10 mx1.domain.com.
; ==========[Machines]====================
ns1 IN A 10.1.0.1
mx1 IN A 10.1.0.1
[...]


Reverse zone contains:
======================
$TTL 172800
@ IN SOA ns1.domain.com. admin.domain.com. ( ; trailing dots: otherwise both names are relative to the reverse zone origin
3818 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
;============ Top-Level =================
@ IN NS ns1.domain.com.
;============ PTRS ======================
1 IN PTR ns1.domain.com.
1 IN PTR mx1.domain.com.
[...]


The problem here is assigning the PTR, since
only ONE reverse IP address is allowed. In
the above case, which will it be, ns1.domain.com
or mx1.domain.com? Discovery led to the last
"scanned" entry, which is mx1.domain.com.

Why is this a potential problem?
+ One that I can think of, is security verification
such as some programs do a reverse IP check to reduce
phishing/spamming?

How is this to be properly handled?
+ Separate out DNS and Sendmail services to its
own machine as hinted in "example.org"?

Is it possible/sensible to have DNS and Sendmail on
the same machine?

Thanks!
Dan

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 02-24-2010, 03:47 PM
Terry Polzin
 
DNS PTR Question

On Wednesday 24 February 2010 11:11, Daniel B. Thurman wrote:

I'd either cname one address or the other.

> I am trying to get a handle on how to properly
> assign DNS PTR records, given these conditions:
>
> 1) Single machine containing:
> a) DNS Server
> b) Sendmail Server
>
>
> Forward zone contains:
> ======================
> $TTL 172800
> @ IN SOA ns1.domain.com. admin.domain.com. (
> 3818 ; serial
> 3H ; refresh
> 15M ; retry
> 1W ; expiry
> 1D ) ; minimum
> ; ==========[Nameservers]=================
> @ IN NS ns1.domain.com.
> ; ==========[Mail Exchangers]=============
> @ IN MX 10 mx1.domain.com.
> ; ==========[Machines]====================
> ns1 IN A 10.1.0.1
> mx1 IN A 10.1.0.1
> [...]
>
>
> Reverse zone contains:
> ======================
> $TTL 172800
> @ IN SOA ns1.domain.com admin.domain.com (
> 3818 ; serial
> 3H ; refresh
> 15M ; retry
> 1W ; expiry
> 1D ) ; minimum
> ;============ Top-Level =================
> @ IN NS ns1.domain.com.
> ;============ PTRS ======================
> 1 IN PTR ns1.domain.com.
> 1 IN PTR mx1.domain.com.
> [...]
>
>
> The problem here is assigning the PTR, since
> only ONE reverse IP address is allowed. In
> the above case, which will it be, ns1.domain.com
> or mx1.domain.com? Discovery led to the last
> "scanned" entry, which is mx1.domain.com.
>
> Why is this a potential problem?
> + One that I can think of, is security verification
> such as some programs do a reverse IP check to reduce
> phishing/spamming?
>
> How is this to be properly handled?
> + Separate out DNS and Sendmail services to its
> own machine as hinted in "example.org"?
>
> Is it possible/sensible to have DNS and Sendmail on
> the same machine?
>
> Thanks!
> Dan
 
Old 02-24-2010, 03:55 PM
Bruno Wolff III
 
DNS PTR Question

On Wed, Feb 24, 2010 at 08:11:28 -0800,
"Daniel B. Thurman" <dant@cdkkt.com> wrote:
>
> The problem here is assigning the PTR, since
> only ONE reverse IP address is allowed. In
> the above case, which will it be, ns1.domain.com
> or mx1.domain.com? Discovery led to the last
> "scanned" entry, which is mx1.domain.com.

Multiple ones are allowed, just expect a lot of applications not to handle
this correctly.

> Why is this a potential problem?
> + One that I can think of, is security verification
> such as some programs do a reverse IP check to reduce
> phishing/spamming?

Programs really shouldn't be making security decisions based on PTR records.
My experience with the PTR checks for email is that existence of a PTR
record is significantly more important than that it match the A record.

> How is this to be properly handled?
> + Separate out DNS and Sendmail services to its
> own machine as hinted in "example.org"?
>
> Is it possible/sensible to have DNS and Sendmail on
> the same machine?

Yes.

If you have spare IP addresses you could have them listen on different IP
addresses, even though they are on the same machine.

You could also just have one A record, and use an MX record for the name
you want to advertise for the mail server (assuming you are just talking
smtp, not IMAP or POP).
 
Old 02-24-2010, 04:26 PM
Tony Nelson
 
DNS PTR Question

On 10-02-24 11:11:28, Daniel B. Thurman wrote:
...
> Why is this a potential problem?
> + One that I can think of, is security verification
> such as some programs do a reverse IP check to reduce
> phishing/spamming?
...

FCrDNS only needs the reverse lookup to produce a name that maps to the
IP[1]. Some sites will do this wrong, and you can't deal with all the
ways they can do it wrong. Just try to work with the places that do it
right. For my domain I have A records for georgeanelson.com and
rapidxen.georgeanelson.com (for the day when I move servers and also
have a new.georgeanelson.com), MX 0 georgeanelson.com., and rDNS
rapidxen.georgeanelson.com.

[1] <http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS>

--
TonyN.: <mailto:tonynelson@georgeanelson.com>
        <http://www.georgeanelson.com/>
 
Old 02-24-2010, 08:19 PM
James Wilkinson
 
DNS PTR Question

Daniel B. Thurman wrote:
> I am trying to get a handle on how to properly
> assign DNS PTR records, given these conditions:
>
> 1) Single machine containing:
> a) DNS Server
> b) Sendmail Server
<snip>
> The problem here is assigning the PTR, since
> only ONE reverse IP address is allowed. In
> the above case, which will it be, ns1.domain.com
> or mx1.domain.com? Discovery led to the last
> "scanned" entry, which is mx1.domain.com.
>
> Why is this a potential problem?
> + One that I can think of, is security verification
> such as some programs do a reverse IP check to reduce
> phishing/spamming?

Alternate idea: have both mx1 and ns1 as CNAMEs to the “real” host name,
and put that “real” host name in the reverse DNS.

Don’t forget that you have to have your MX records pointing to that A
record: MX pointing to CNAMEs is Not Allowed.

Hope this helps,

James.

--
E-mail: james@aprilcottage.co.uk
A: Because people don't normally read bottom to top.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail and usenet?
 
Old 02-24-2010, 08:59 PM
"Daniel B. Thurman"
 
DNS PTR Question

On 02/24/2010 01:19 PM, James Wilkinson wrote:
> Daniel B. Thurman wrote:
>> I am trying to get a handle on how to properly
>> assign DNS PTR records, given these conditions:
>>
>> 1) Single machine containing:
>> a) DNS Server
>> b) Sendmail Server
> <snip>
>> The problem here is assigning the PTR, since
>> only ONE reverse IP address is allowed. In
>> the above case, which will it be, ns1.domain.com
>> or mx1.domain.com? Discovery led to the last
>> "scanned" entry, which is mx1.domain.com.
>>
>> Why is this a potential problem?
>> + One that I can think of, is security verification
>> such as some programs do a reverse IP check to reduce
>> phishing/spamming?
>
> Alternate idea: have both mx1 and ns1 as CNAMEs to the “real” host name,
> and put that “real” host name in the reverse DNS.
>
> Don’t forget that you have to have your MX records pointing to that A
> record: MX pointing to CNAMEs is Not Allowed.
>
> Hope this helps,
>
> James.
>

So, basically you are saying this?

Forward zone contains:
======================
$TTL 172800
@ IN SOA host1.domain.com. admin.domain.com. (
3818 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; ==========[Nameservers]=================
@ IN NS host1.domain.com.
; ==========[Mail Exchangers]=============
@ IN MX 10 host1.domain.com.
; ==========[Machines]====================
ns1 IN CNAME host1.domain.com.
mx1 IN CNAME host1.domain.com.
host1 IN A 10.1.0.1
[...]


Reverse zone contains:
======================
$TTL 172800
@ IN SOA ns1.domain.com. admin.domain.com. ( ; trailing dots: otherwise both names are relative to the reverse zone origin
3818 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
;============[Top-Level]==================
@ IN NS host1.domain.com.
;============[PTRS]=======================
1 IN PTR host1.domain.com.
[...]


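As an added example (not code from anyone in the thread), a small lint over the zone snippets posted above: it flags the two PTRs on one reverse name from the first post, an MX target that is a CNAME (the case James warns about), and a PTR name that does not resolve back to the address. The origins domain.com. and 0.1.10.in-addr.arpa. are assumed from the posted addresses.

```python
"""Lint the zone snippets from this thread (added example, not the poster's own
code): flag several PTRs on one reverse name, an MX target that is a CNAME, and
a PTR whose name does not resolve back to the address. Zone text is from the posts."""
FWD_ORIG = """@ IN MX 10 mx1.domain.com.
ns1 IN A 10.1.0.1
mx1 IN A 10.1.0.1"""
REV_ORIG = """1 IN PTR ns1.domain.com.
1 IN PTR mx1.domain.com."""
FWD_FIXED = """@ IN MX 10 host1.domain.com.
ns1 IN CNAME host1.domain.com.
mx1 IN CNAME host1.domain.com.
host1 IN A 10.1.0.1"""
REV_FIXED = """1 IN PTR host1.domain.com."""

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples; '@' and relative owners are made absolute."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()  # strip comments
        if len(parts) < 4 or parts[1] != "IN":
            continue  # $TTL, SOA continuation lines and '[...]' carry no record
        owner = origin if parts[0] == "@" else parts[0]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, parts[2], parts[3:]))
    return records

def lint(forward, reverse, fwd_origin="domain.com.", rev_origin="0.1.10.in-addr.arpa."):
    fwd = parse_zone(forward, fwd_origin)
    cnames = {o for o, t, _ in fwd if t == "CNAME"}
    addr_of = {o: rd[0] for o, t, rd in fwd if t == "A"}
    problems = []
    for _, t, rd in fwd:  # MX must name an A record, never a CNAME
        if t == "MX" and rd[1] in cnames:
            problems.append(f"MX target {rd[1]} is a CNAME")
    ptrs = {}
    for owner, t, rd in parse_zone(reverse, rev_origin):
        if t != "PTR":
            continue
        ptrs.setdefault(owner, []).append(rd[0])
        ip = ".".join(reversed(owner.removesuffix(".in-addr.arpa.").split(".")))
        if addr_of.get(rd[0]) != ip:  # FCrDNS: the PTR name must map back to the IP
            problems.append(f"PTR target {rd[0]} does not resolve back to {ip}")
    for owner, names in ptrs.items():  # several PTRs: clients pick unpredictably
        if len(names) > 1:
            problems.append(f"{owner} has {len(names)} PTR records: {' '.join(names)}")
    return problems
```

Running `lint(FWD_ORIG, REV_ORIG)` reports the double PTR from the first post, while `lint(FWD_FIXED, REV_FIXED)` is clean; pointing the MX at mx1 in the CNAME layout would trigger both the CNAME and the reverse-resolution complaints.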
 
Old 02-24-2010, 10:22 PM
Tim
 
DNS PTR Question

On Wed, 2010-02-24 at 08:11 -0800, Daniel B. Thurman wrote:
> I am trying to get a handle on how to properly
> assign DNS PTR records, given these conditions:
>
> 1) Single machine containing:
> a) DNS Server
> b) Sendmail Server
>
> ...
>
> The problem here is assigning the PTR, since
> only ONE reverse IP address is allowed.

The usual technique is to assign an A record to the hostname you're
giving the device (the name that identifies the machine amongst your
collection of equipment, or someone else's collection), with a
correlating PTR record. Then, you add additional A, MX, and CNAMES for
the pretty hostnames you want people to know you by.

e.g. hostname of "serverone"
additional pretty names of mail, mx, www, ftp, and so on, and so forth.

(Have a look at how a few ISPs or hosting services do this.)

If you're going to play with HTTPS and certificates, then you may want
to avoid using multiple pretty names, and just one consistent hostname
with everything.

e.g. hostname of "fred"
PTR for IP back to fred
MX pointing to fred

That'll make it easier to use the same certificate for everything. Yes,
you can have certificates that apply to more than just one specific
hostname, but people often get that wrong.

With multiple PTRs, you can expect random behaviour from different
things. What you test, now, mayn't apply to something else querying the
PTR. And you might be bashing your head against a brick wall if you
have to deal with something that insists you can only have one PTR per
IP.

> some programs do a reverse IP check to reduce phishing/spamming?

The clever ones will find *your* IP, do the PTR check, then check if
that PTR IP resolves back to one of your domain names (one the same as
in the first query).

e.g. Mail from example.com
A record check says 192.168.1.2
PTR check says that IP points to www.example.com
A record check says 192.168.1.2
Conclusion is that the various hostnames are the same site.

And manage to handle the situation where names don't directly match,
such as when you have external hosting, but the PTR/Reverse IP checks
point to the host's domain names rather than your own. (A bit more than
just one forward and back checking would be needed to check that you're
legitimately using a service with mismatching names.)

e.g. Mail from example.com
A record check says 192.168.1.2
PTR check says example.net (woo, different domain, might be fishy)
A record check says 192.168.1.2 (same IP, probably okay)
Conclusion is that the various domain names are the same site.

Dumb checks will fall apart when they find different domain names while
doing forward and backward checks, then do nothing more, prematurely
assuming that it's *bad*. You'll lose mail when things do dumb checks,
there's nothing you can do about that (if you can't make the forward and
backwards name resolution checks agree).

NB: Those pseudo check routines are just an illustration of *a*
technique you might go through, not necessarily what will be done.

> How is this to be properly handled?
> + Separate out DNS and Sendmail services to its
> own machine as hinted in "example.org"?

Some say that's a good idea, because failure of one doesn't mean failure
of everything (multiple DNS servers, and backup mail servers on your
extra MX records), likewise for an exploit in one service being used to
attack the other. Others say you may as well use one machine, as a
breakdown in either DNS or mail puts you out of action, anyway.

> Is it possible/sensible to have DNS and Sendmail on
> the same machine?

Yes, I do that here.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



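The forward-confirmed reverse DNS walk-through in Tim's post, as an added example that is not Tim's code: the lookup tables are constructed so it runs offline, and the `strict` flag models the "dumb check" that rejects the external-hosting case instead of confirming it through the forward lookup.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as Tim's post walks through it: an
added example, not Tim's code. Lookups use constructed tables, not live DNS."""
# Constructed data. PTR values are lists: several PTRs per IP are legal even
# though many clients mishandle them, so a careful check must scan them all.
A_RECORDS = {
    "www.example.com": "192.168.1.2",   # same site as the sender's domain
    "host.example.net": "192.168.1.3",  # external hosting: different domain
    "legit.example": "192.168.1.7",     # PTR name that resolves elsewhere
    "mail.example.org": "192.168.1.9",
}
PTR_RECORDS = {
    "192.168.1.2": ["www.example.com"],
    "192.168.1.3": ["host.example.net"],
    "192.168.1.5": ["legit.example"],
    "192.168.1.9": ["other.example.org", "mail.example.org"],
}

def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)

def fcrdns(ip, claimed_domain, strict=False):
    """Return (verdict, reason) for the connecting IP and the domain it claims.
    'ok': a PTR name resolves back to ip and sits under claimed_domain.
    'ok-mismatch': resolves back, but under another domain (external hosting).
    strict=True turns that into 'fail', the "dumb check" that loses mail."""
    names = PTR_RECORDS.get(ip, [])
    if not names:
        return "fail", "no PTR record"  # the case Bruno calls most important
    confirmed = [n for n in names if A_RECORDS.get(n) == ip]
    if not confirmed:
        return "fail", "no PTR name resolves back to " + ip
    matching = [n for n in confirmed if in_domain(n, claimed_domain)]
    if matching:
        return "ok", "confirmed as " + matching[0]
    if strict:
        return "fail", "confirmed as " + confirmed[0] + " but not under " + claimed_domain
    return "ok-mismatch", "confirmed as " + confirmed[0] + " but not under " + claimed_domain
```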
 
