Linode Forum
Linode Community Forums
 Post subject: Two Reverse DNS entries?
Posted: Sat Oct 08, 2011 10:43 am
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
I'm currently hosting two sites on my Linode, each with its own domain. The problem is that as far as I can tell, only one reverse DNS can be used, which means one domain can be entered as the reverse DNS. That leaves the other site open to look like a spam site, and can open both sites to complaint. Is there a way to tell the reverse DNS that my Linode's IP belongs to two domains?

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 11:17 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Piki wrote:
I'm currently hosting two sites on my Linode, each with its own domain. The problem is that as far as I can tell, only one reverse DNS can be used, which means one domain can be entered as the reverse DNS. That leaves the other site open to look like a spam site, and can open both sites to complaint. Is there a way to tell the reverse DNS that my Linode's IP belongs to two domains?


While more than one PTR record is possible and allowed by RFC, it's ambiguous and Linode (and many others, I suppose) only let you have one. Consider using a third, neutral domain for that (and as the base for your system hostname), or stick with the default .members.linode.com.


Posted: Sat Oct 08, 2011 2:25 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
Another domain wouldn't work. The second site "officially" isn't mine, I'm just a volunteer who offered up my Linode to get away from the old donated one (our leader can't afford a "real" host), and the default would still make it look like potential spam.

I'm currently using the second site as the reverse DNS since my site isn't quite ready, would just be nice if I could do it without attaching an extra IP to my Linode and reconfiguring everything.

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 2:54 pm
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
Piki wrote:
Another domain wouldn't work. The second site "officially" isn't mine, I'm just a volunteer who offered up my Linode to get away from the old donated one (our leader can't afford a "real" host), and the default would still make it look like potential spam.

I'm currently using the second site as the reverse DNS since my site isn't quite ready, would just be nice if I could do it without attaching an extra IP to my Linode and reconfiguring everything.


Think about what you're asking for a little more. How exactly are you expecting the DNS servers to know which domain the requester "wants" to see when querying the IP?


Posted: Sat Oct 08, 2011 3:13 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Piki wrote:
I'm currently hosting two sites on my Linode, each with its own domain. The problem is that as far as I can tell, only one reverse DNS can be used, which means one domain can be entered as the reverse DNS. That leaves the other site open to look like a spam site, and can open both sites to complaint. Is there a way to tell the reverse DNS that my Linode's IP belongs to two domains?

Anyone who thinks that this configuration would be "spam" is badly misunderstanding the nature of DNS.

It's normal for mail to come from a host that doesn't have the originating name in the rDNS. As long as the rDNS has a valid forward record that matches (eg IP 1.2.3.4 -> foo.example.com, and foo.example.com -> 1.2.3.4) then it's good.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Sat Oct 08, 2011 3:34 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
glg wrote:
Think about what you're asking for a little more. How exactly are you expecting the DNS servers to know which domain the requester "wants" to see when querying the IP?


I never said I expected that. It would be impossible. A psychic computer is just as implausible (if not more) as the cat bumping my arm and my shirt spontaneously combusting. There's nothing to think about here with what I'm asking: someone queries the IP, it shows both domains. The requester decides for himself which he wants to look at out of the two entries shown.

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 3:39 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
sweh wrote:
Anyone who thinks that this configuration would be "spam" is badly misunderstanding the nature of DNS.

It's normal for mail to come from a host that doesn't have the originating name in the rDNS. As long as the rDNS has a valid forward record that matches (eg IP 1.2.3.4 -> foo.example.com, and foo.example.com -> 1.2.3.4) then it's good.


It's not spam, but it looks like spam, which is what I'm after here. People might think that someone is using one domain as a relay for mail coming from the other, and there are actually mail servers that are set up to check that as a part of their spam filters.

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 5:27 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Piki wrote:
sweh wrote:
Anyone who thinks that this configuration would be "spam" is badly misunderstanding the nature of DNS.

It's normal for mail to come from a host that doesn't have the originating name in the rDNS. As long as the rDNS has a valid forward record that matches (eg IP 1.2.3.4 -> foo.example.com, and foo.example.com -> 1.2.3.4) then it's good.


It's not spam, but it looks like spam, which is what I'm after here. People might think that someone is using one domain as a relay for mail coming from the other, and there are actually mail servers that are set up to check that as a part of their spam filters.

No, it doesn't look like spam. It's normal. Anyone who thinks that mail from example.com must come from a mail server with "example.com" in the rDNS is wrong, and their "anti-spam" will block many many legitimate messages.

No one with half a clue would implement such a test in their mail server.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


Posted: Sat Oct 08, 2011 6:28 pm
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
@sweh is right. There is absolutely no need for your reverse DNS to match the domain(s) you're hosting.

Ever used Google Apps? Google sends all of those e-mails from IP addresses whose reverse DNS points to something.google.com, not your own hosted domain. But nobody thinks they're spamming. The only thing that anybody ever checks is whether or not the reverse DNS matches the forward DNS.

Why? Because this simple check (along with other DNS-based checks such as SPF and DKIM) eliminates 99% of spam originating from virus-infected home PCs. If any spam gets through nowadays, it was probably sent from a compromised account at one of the free e-mail service providers (e.g. "I got stranded in Europe" frauds), or from a machine that actually has its DNS entries set up properly.


Posted: Sat Oct 08, 2011 6:58 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
hybinet wrote:
@sweh is right. There is absolutely no need for your reverse DNS to match the domain(s) you're hosting.

Ever used Google Apps? Google sends all of those e-mails from IP addresses whose reverse DNS points to something.google.com, not your own hosted domain. But nobody thinks they're spamming. The only thing that anybody ever checks is whether or not the reverse DNS matches the forward DNS.


That seems a bit contradictory to me. I don't need to have the reverse and forward DNS entries match, but people check this for spam? Then why wouldn't I need to have them matching?

If I do use Google Apps, the reverse DNS won't match my forward DNS, and it will look like I'm using Google to relay all my spam so that they aren't tracked back to me. Google, however, will be able to detect this and I will get in trouble anyway (provided I'm not using Google Apps).

Of course, if I see email being sent from the other domain on my Linode, I'll know it's legit. The problem is that if the reverse DNS matches my domain and not theirs and we send out an email to someone who's smart enough to check but not smart enough to check to see they're both on the same machine, they will get suspicious -- "The email was sent from arklinux.org but I traced it back to pikiisconfused.com! What gives?!" The same goes for if my reverse DNS points to the other domain and I send an email from mine.

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 7:12 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
You seem to misunderstand what "forward" and "reverse" DNS means.

Forward DNS is a mapping from "name" to IP address.
Reverse DNS is a mapping from IP address to name.

When your SMTP server connects to a remote machine, the remote machine only knows your IP address. Let's say it's 1.2.3.4. So then it does a reverse lookup and gets a name; "foo.example.com". Now that name could be spoofed, so a good program will then do a forward lookup for that name; it will look up "foo.example.com". If the result is the original IP address (1.2.3.4) then the remote machine can be confident that the name is correct. If the result doesn't match then there's a problem; this might be a spoofing attempt, so refuse the mail.

Note that none of this refers to the actual content of the email; it's just doing sanity checking on the IP<->DNS lookups.

NOTE: this is also different to "MX" records; nothing says that your incoming mail gateway has to be the same as your outgoing mail gateway.

No program should care that mail from arklinux is sent from a pikiisconfused domain name. UNLESS you have an SPF record that says otherwise. By default no one has that SPF record, and by default no one should care. Anyone who does care is just wrong.

Talking of SPF, you could create an SPF record that explicitly says that mail for arklinux is sent from pikiisconfused, and any client could use this to be even more confident the mail isn't forged.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


Posted: Sat Oct 08, 2011 7:29 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
sweh wrote:
You seem to misunderstand what "forward" and "reverse" DNS means.

Forward DNS is a mapping from "name" to IP address.
Reverse DNS is a mapping from IP address to name.


Already understood.

Quote:
When your SMTP server connects to a remote machine, the remote machine only knows your IP address. Let's say it's 1.2.3.4. So then it does a reverse lookup and gets a name; "foo.example.com". Now that name could be spoofed, so a good program will then do a forward lookup for that name; it will look up "foo.example.com". If the result is the original IP address (1.2.3.4) then the remote machine can be confident that the name is correct. If the result doesn't match then there's a problem; this might be a spoofing attempt, so refuse the mail.

Note that none of this refers to the actual content of the email; it's just doing sanity checking on the IP<->DNS lookups.


Both my domain and the other domain point to the same IP, but the IP only points to one domain. So the other domain fails the sanity check, correct? Then it gets rejected.

Quote:
NOTE: this is also different to "MX" records; nothing says that your incoming mail gateway has to be the same as your outgoing mail gateway.


Most mail servers, to my understanding, prepend either mail or mail2 to their domain for sending and receiving mail, so hopefully the servers would be smart enough to pick up on that.

Quote:
No program should care that mail from arklinux is sent from a pikiisconfused domain name. UNLESS you have an SPF record that says otherwise. By default no one has that SPF record, and by default no one should care. Anyone who does care is just wrong.

Talking of SPF, you could create an SPF record that explicitly says that mail for arklinux is sent from pikiisconfused, and any client could use this to be even more confident the mail isn't forged.


That starts into a new topic I have yet to explore. I'm still confused about the initial issue, though.

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 7:35 pm
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Piki wrote:
Both my domain and the other domain point to the same IP, but the IP only points to one domain. So the other domain fails the sanity check, correct? Then it gets rejected.


No. Because the client only sees the IP address, gets the pikiisconfused name and only looks that up. It never cares about the forward DNS entry for the other domain.

"IP -> rDNS -> pikiisconfused -> IP" is the process.

Quote:
Most mail servers, to my understanding, prepend either mail or mail2 to their domain for sending and receiving mail, so hopefully the servers would be smart enough to pick up on that.


No. Not even no, but "hell no". That's not even touching reality.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)
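
The "IP -> rDNS -> name -> IP" check described in the posts above, written out as an added example (not code from any poster or from a particular mail server). The addresses are documentation ranges and the `.example` names and zone tables are constructed; the lookups are injected as functions so the sample runs without network access.

```python
import ipaddress
import socket


def system_ptr(ip):
    """Reverse lookup (IP -> names) through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addrs(name):
    """Forward lookup (name -> IPs); drops any IPv6 zone suffix."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0].split("%")[0] for info in infos]


def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """IP -> rDNS name -> IP. Returns (verdict, confirmed_name)."""
    client = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return ("no-ptr", None)
    for name in names:
        name = name.rstrip(".").lower()
        # Only the PTR name is resolved; other names on this IP are ignored.
        for addr in addr_lookup(name):
            if ipaddress.ip_address(addr) == client:
                return ("pass", name)
    return ("mismatch", None)


# Constructed zone data: documentation addresses, hypothetical names.
PTR = {"192.0.2.10": ["host.site-one.example."],
       "192.0.2.66": ["mail.bank.example."]}  # PTR claims a name it does not own
A = {"host.site-one.example": ["192.0.2.10"],
     "site-two.example": ["192.0.2.10"],      # second site on the same IP
     "mail.bank.example": ["198.51.100.5"]}


def demo():
    ips = ("192.0.2.10", "192.0.2.66", "192.0.2.99")
    return {ip: fcrdns(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, []))
            for ip in ips}
```

The result for 192.0.2.10 is a pass on the single PTR name, and it does not change whether or not `site-two.example` exists, which is why one PTR record is enough for a host that sends mail for two domains.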


Posted: Sat Oct 08, 2011 7:39 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
After rereading, I think I'm understanding now. Took me a moment. I gotta not be reading and talking at the same time, especially not tired :-)

I was getting confused at:
Quote:
When your SMTP server connects to a remote machine, the remote machine only knows your IP address. Let's say it's 1.2.3.4. So then it does a reverse lookup and gets a name; "foo.example.com". Now that name could be spoofed, so a good program will then do a forward lookup for that name; it will look up "foo.example.com". If the result is the original IP address (1.2.3.4) then the remote machine can be confident that the name is correct. If the result doesn't match then there's a problem; this might be a spoofing attempt, so refuse the mail.

Note that none of this refers to the actual content of the email; it's just doing sanity checking on the IP<->DNS lookups.


For some reason, my mind was switching "domain" and "IP" at the start of the paragraph.

_________________
Kris the Piki Geeker


Posted: Sat Oct 08, 2011 7:41 pm
Senior Member

Joined: Thu Jun 16, 2011 8:24 am
Posts: 412
Location: Cyberspace
sweh wrote:
No. Because the client only sees the IP address, gets the pikiisconfused name and only looks that up. It never cares about the forward DNS entry for the other domain.

"IP -> rDNS -> pikiisconfused -> IP" is the process.


I was reading your post wrong.

Quote:
Quote:
Most mail servers, to my understanding, prepend either mail or mail2 to their domain for sending and receiving mail, so hopefully the servers would be smart enough to pick up on that.


No. Not even no, but "hell no". That's not even touching reality.


I remember reading that in a couple places (I think I saw that on this forum somewhere, will have to dig out the post).

_________________
Kris the Piki Geeker

