| Linode Forum https://forum.linode.com/ |
|
| Two Reverse DNS entries? https://forum.linode.com/viewtopic.php?f=19&t=7888 |
Page 1 of 2 |
| Author: | Piki [ Sat Oct 08, 2011 10:43 am ] |
| Post subject: | Two Reverse DNS entries? |
I'm currently hosting two sites on my Linode, each with its own domain. The problem is that as far as I can tell, only one reverse DNS can be used, which means one domain can be entered as the reverse DNS. That leaves the other site open to look like a spam site, and can open both sites to complaint. Is there a way to tell the reverse DNS that my Linode's IP belongs to two domains? |
|
| Author: | hoopycat [ Sat Oct 08, 2011 11:17 am ] |
| Post subject: | Re: Two Reverse DNS entries? |
Piki wrote: I'm currently hosting two sites on my Linode, each with its own domain. The problem is that as far as I can tell, only one reverse DNS can be used, which means one domain can be entered as the reverse DNS. That leaves the other site open to look like a spam site, and can open both sites to complaint. Is there a way to tell the reverse DNS that my Linode's IP belongs to two domains?
While more than one PTR record is possible and allowed by RFC, it's ambiguous and Linode (and many others, I suppose) only let you have one. Consider using a third, neutral domain for that (and as the base for your system hostname), or stick with the default .members.linode.com. |
|
| Author: | Piki [ Sat Oct 08, 2011 2:25 pm ] |
| Post subject: | |
Another domain wouldn't work. The second site "officially" isn't mine, I'm just a volunteer who offered up my Linode to get away from the old donated one (our leader can't afford a "real" host), and the default would still make it look like potential spam. I'm currently using the second site as the reverse DNS since my site isn't quite ready, would just be nice if I could do it without attaching an extra IP to my Linode and reconfiguring everything. |
|
| Author: | glg [ Sat Oct 08, 2011 2:54 pm ] |
| Post subject: | |
Piki wrote: Another domain wouldn't work. The second site "officially" isn't mine, I'm just a volunteer who offered up my Linode to get away from the old donated one (our leader can't afford a "real" host), and the default would still make it look like potential spam.
I'm currently using the second site as the reverse DNS since my site isn't quite ready, would just be nice if I could do it without attaching an extra IP to my Linode and reconfiguring everything.
Think about what you're asking for a little more. How exactly are you expecting the DNS servers to know which domain the requester "wants" to see when querying the IP? |
|
| Author: | sweh [ Sat Oct 08, 2011 3:13 pm ] |
| Post subject: | Re: Two Reverse DNS entries? |
Piki wrote: I'm currently hosting two sites on my Linode, each with its own domain. The problem is that as far as I can tell, only one reverse DNS can be used, which means one domain can be entered as the reverse DNS. That leaves the other site open to look like a spam site, and can open both sites to complaint. Is there a way to tell the reverse DNS that my Linode's IP belongs to two domains?
Anyone who thinks that this configuration would be "spam" is badly misunderstanding the nature of DNS. It's normal for mail to come from a host that doesn't have the originating name in the rDNS. As long as the rDNS has a valid forward record that matches (e.g. IP 1.2.3.4 -> foo.example.com, and foo.example.com -> 1.2.3.4) then it's good. |
|
| Author: | Piki [ Sat Oct 08, 2011 3:34 pm ] |
| Post subject: | |
glg wrote: Think about what you're asking for a little more. How exactly are you expecting the DNS servers to know which domain the requester "wants" to see when querying the IP?
I never said I expected that. It would be impossible. A psychic computer is just as implausible (if not more) as the cat bumping my arm and my shirt spontaneously combusting. There's nothing to think about here with what I'm asking: someone queries the IP, it shows both domains. The requester decides for himself which he wants to look at out of the two entries shown. |
|
| Author: | Piki [ Sat Oct 08, 2011 3:39 pm ] |
| Post subject: | Re: Two Reverse DNS entries? |
sweh wrote: Anyone who thinks that this configuration would be "spam" is badly misunderstanding the nature of DNS.
It's normal for mail to come from a host that doesn't have the originating name in the rDNS. As long as the rDNS has a valid forward record that matches (e.g. IP 1.2.3.4 -> foo.example.com, and foo.example.com -> 1.2.3.4) then it's good.
It's not spam, but it looks like spam, which is what I'm after here. People might think that someone is using one domain as a relay for mail coming from the other, and there are actually mail servers that are set up to check that as a part of their spam filters. |
|
| Author: | sweh [ Sat Oct 08, 2011 5:27 pm ] |
| Post subject: | Re: Two Reverse DNS entries? |
Piki wrote: sweh wrote: Anyone who thinks that this configuration would be "spam" is badly misunderstanding the nature of DNS. It's normal for mail to come from a host that doesn't have the originating name in the rDNS. As long as the rDNS has a valid forward record that matches (e.g. IP 1.2.3.4 -> foo.example.com, and foo.example.com -> 1.2.3.4) then it's good. It's not spam, but it looks like spam, which is what I'm after here. People might think that someone is using one domain as a relay for mail coming from the other, and there are actually mail servers that are set up to check that as a part of their spam filters.
No, it doesn't look like spam. It's normal. Anyone who thinks that mail from example.com must come from a mail server with "example.com" in the rDNS is wrong, and their "anti-spam" will block many many legitimate messages. No one with half a clue would implement such a test in their mail server. |
|
| Author: | hybinet [ Sat Oct 08, 2011 6:28 pm ] |
| Post subject: | |
@sweh is right. There is absolutely no need for your reverse DNS to match the domain(s) you're hosting. Ever used Google Apps? Google sends all of those e-mails from IP addresses whose reverse DNS points to something.google.com, not your own hosted domain. But nobody thinks they're spamming. The only thing that anybody ever checks is whether or not the reverse DNS matches the forward DNS. Why? Because this simple check (along with other DNS-based checks such as SPF and DKIM) eliminates 99% of spam originating from virus-infected home PCs. If any spam gets through nowadays, it was probably sent from a compromised account at one of the free e-mail service providers (e.g. "I got stranded in Europe" frauds), or from a machine that actually has its DNS entries set up properly. |
|
| Author: | Piki [ Sat Oct 08, 2011 6:58 pm ] |
| Post subject: | |
hybinet wrote: @sweh is right. There is absolutely no need for your reverse DNS to match the domain(s) you're hosting.
Ever used Google Apps? Google sends all of those e-mails from IP addresses whose reverse DNS points to something.google.com, not your own hosted domain. But nobody thinks they're spamming. The only thing that anybody ever checks is whether or not the reverse DNS matches the forward DNS.
That seems a bit contradictory to me. I don't need to have the reverse and forward DNS entries match, but people check this for spam? Then why wouldn't I need to have them matching? If I do use Google Apps, the reverse DNS won't match my forward DNS, and it will look like I'm using Google to relay all my spam so that they aren't tracked back to me. Google, however, will be able to detect this and I will get in trouble anyway (provided I'm not using Google Apps). Of course, if I see email being sent from the other domain on my Linode, I'll know it's legit. The problem is that if the reverse DNS matches my domain and not theirs and we send out an email to someone who's smart enough to check but not smart enough to check to see they're both on the same machine, they will get suspicious -- "The email was sent from arklinux.org but I traced it back to pikiisconfused.com! What gives?!" The same goes for if my reverse DNS points to the other domain and I send an email from mine. |
|
| Author: | sweh [ Sat Oct 08, 2011 7:12 pm ] |
| Post subject: | |
You seem to misunderstand what "forward" and "reverse" DNS means. Forward DNS is a mapping from "name" to IP address. Reverse DNS is a mapping from IP address to name.
When your SMTP server connects to a remote machine, the remote machine only knows your IP address. Let's say it's 1.2.3.4. So then it does a reverse lookup and gets a name; "foo.example.com". Now that name could be spoofed, so a good program will then do a forward lookup for that name; it will look up "foo.example.com". If the result is the original IP address (1.2.3.4) then the remote machine can be confident that the name is correct. If the result doesn't match then there's a problem; this might be a spoofing attempt, so refuse the mail. Note that none of this refers to the actual content of the email; it's just doing sanity checking on the IP<->DNS lookups.
NOTE: this is also different to "MX" records; nothing says that your incoming mail gateway has to be the same as your outgoing mail gateway.
No program should care that mail from arklinux is sent from a pikiisconfused domain name. UNLESS you have an SPF record that says otherwise. By default no one has that SPF record, and by default no one should care. Anyone who does care is just wrong.
Talking of SPF, you could create an SPF record that explicitly says that mail for arklinux is sent from pikiisconfused, and any client could use this to be even more confident the mail isn't forged. |
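The forward-confirmed reverse DNS check sweh describes, as an added example (not code from the thread or from Linode), run against constructed zone data instead of live DNS so it works offline; the addresses and the names standing in for the two sites (pikiisconfused.com, arklinux.org) are made up, and the helper records which names were queried to show that the second site's forward record is never consulted.

```python
import ipaddress
from typing import Dict, List

# Constructed sample records standing in for real DNS answers (not real zones).
# FORWARD: hostname -> A records.  REVERSE: IP -> PTR records.
FORWARD: Dict[str, List[str]] = {
    "mail.pikiisconfused.com": ["1.2.3.4"],
    "arklinux.org": ["1.2.3.4"],       # second site on the same Linode
    "spoof.example.net": ["5.6.7.8"],  # PTR target that does not point back
}
REVERSE: Dict[str, List[str]] = {
    "1.2.3.4": ["mail.pikiisconfused.com"],  # Linode allows only one PTR
    "9.9.9.9": ["spoof.example.net"],        # PTR name resolves elsewhere
    "10.0.0.1": [],                          # no PTR at all
}

QUERIED: List[str] = []  # every forward name looked up, for inspection


def lookup_ptr(ip: str) -> List[str]:
    """Reverse lookup: IP -> PTR names (stands in for a resolver call)."""
    return REVERSE.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Forward lookup: name -> A records, recording what was asked."""
    QUERIED.append(name)
    return FORWARD.get(name, [])


def fcrdns_check(ip: str) -> dict:
    """IP -> PTR name -> A records; the IP must appear among them.

    Only the name returned by the PTR is ever resolved forward, so other
    domains that also point at this IP play no part in the result.
    Multiple PTRs are each checked; one confirmed name is enough.
    """
    ip = str(ipaddress.ip_address(ip))  # normalise, rejects garbage input
    confirmed: List[str] = []
    unconfirmed: List[str] = []
    for name in lookup_ptr(ip):
        (confirmed if ip in lookup_a(name) else unconfirmed).append(name)
    return {"ip": ip, "confirmed": confirmed,
            "unconfirmed": unconfirmed, "ok": bool(confirmed)}
```

A receiving MTA that applies this test accepts 1.2.3.4 whether the envelope sender is arklinux.org or pikiisconfused.com, which is the point sweh makes; a mismatch such as 9.9.9.9 is what the check actually catches.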
|
| Author: | Piki [ Sat Oct 08, 2011 7:29 pm ] |
| Post subject: | |
sweh wrote: You seem to misunderstand what "forward" and "reverse" DNS means. Forward DNS is a mapping from "name" to IP address. Reverse DNS is a mapping from IP address to name.
Already understood.
Quote: When your SMTP server connects to a remote machine, the remote machine only knows your IP address. Let's say it's 1.2.3.4. So then it does a reverse lookup and gets a name; "foo.example.com". Now that name could be spoofed, so a good program will then do a forward lookup for that name; it will look up "foo.example.com". If the result is the original IP address (1.2.3.4) then the remote machine can be confident that the name is correct. If the result doesn't match then there's a problem; this might be a spoofing attempt, so refuse the mail. Note that none of this refers to the actual content of the email; it's just doing sanity checking on the IP<->DNS lookups.
Both my domain and the other domain point to the same IP, but the IP only points to one domain. So the other domain fails the sanity check, correct? Then it gets rejected.
Quote: NOTE: this is also different to "MX" records; nothing says that your incoming mail gateway has to be the same as your outgoing mail gateway.
Most mail servers, to my understanding, prepend either mail or mail2 to their domain for sending and receiving mail, so hopefully the servers would be smart enough to pick up on that.
Quote: No program should care that mail from arklinux is sent from a pikiisconfused domain name. UNLESS you have an SPF record that says otherwise. By default no one has that SPF record, and by default no one should care. Anyone who does care is just wrong.
Talking of SPF, you could create an SPF record that explicitly says that mail for arklinux is sent from pikiisconfused, and any client could use this to be even more confident the mail isn't forged.
That starts into a new topic I have yet to explore. I'm still confused about the initial issue, though. |
|
| Author: | sweh [ Sat Oct 08, 2011 7:35 pm ] |
| Post subject: | |
Piki wrote: Both my domain and the other domain point to the same IP, but the IP only points to one domain. So the other domain fails the sanity check, correct? Then it gets rejected.
No. Because the client only sees the IP address, gets the pikiisconfused name and only looks that up. It never cares about the forward DNS entry for the other domain. "IP -> rDNS -> pikiisconfused -> IP" is the process.
Quote: Most mail servers, to my understanding, prepend either mail or mail2 to their domain for sending and receiving mail, so hopefully the servers would be smart enough to pick up on that.
No. Not even no, but "hell no". That's not even touching reality. |
|
| Author: | Piki [ Sat Oct 08, 2011 7:39 pm ] |
| Post subject: | |
After rereading, I think I'm understanding now. Took me a moment. I gotta not be reading and talking at the same time, especially not tired. I was getting confused at:
Quote: When your SMTP server connects to a remote machine, the remote machine only knows your IP address. Let's say it's 1.2.3.4. So then it does a reverse lookup and gets a name; "foo.example.com". Now that name could be spoofed, so a good program will then do a forward lookup for that name; it will look up "foo.example.com". If the result is the original IP address (1.2.3.4) then the remote machine can be confident that the name is correct. If the result doesn't match then there's a problem; this might be a spoofing attempt, so refuse the mail.
Note that none of this refers to the actual content of the email; it's just doing sanity checking on the IP<->DNS lookups.
For some reason, my mind was switching "domain" and "IP" at the start of the paragraph. |
|
| Author: | Piki [ Sat Oct 08, 2011 7:41 pm ] |
| Post subject: | |
sweh wrote: No. Because the client only sees the IP address, gets the pikiisconfused name and only looks that up. It never cares about the forward DNS entry for the other domain. "IP -> rDNS -> pikiisconfused -> IP" is the process.
I was reading your post wrong.
Quote: Quote: Most mail servers, to my understanding, prepend either mail or mail2 to their domain for sending and receiving mail, so hopefully the servers would be smart enough to pick up on that.
No. Not even no, but "hell no". That's not even touching reality.
I remember reading that in a couple places (I think I saw that on this forum somewhere, will have to dig out the post). |
|
| All times are UTC-04:00 |