North American Network Operators Group

Re: is reverse dns required? (policy question)
Steven Champeon wrote:

on Wed, Dec 01, 2004 at 03:34:43PM -0500, [email protected] wrote:

On Wed, 01 Dec 2004 15:02:19 EST, Steven Champeon said:

Connect:dhcp.vt.edu ERROR:5.7.1:"550 go away, dynamic user"

Given the number of options available at our end, I can hardly blame other sites for considering this a reasonable rule - I can't think of a scenario we can't fix at our end, as long as the user bothers calling our help desk and asks for help fixing it...

Exactly. That's why rDNS has been so useful for us. We can either whitelist exceptions (such as customers of ISPs who have sucky customer service and technical support) or try to educate them. It's (generally) easy to change, it requires static assignment in order to work properly, as an indication of the purpose(s) to which a given IP is put, etc.

Instead of having 6936 regexp patterns to match and parse one gazillion different reverse DNS encodings you could simply mark the reverse DNS entries of IP addresses that are actually *supposed* to be mail servers.

Reverse zone file for 10.0.0.0/24:

  1.0.0.10.in-addr.arpa.                   IN PTR  mail.example.com.
  _send._smtp._srv.1.0.0.10.in-addr.arpa.  IN TXT  "1"

About as simple as it gets. And much easier than figuring out for 99% of all IP addresses that they are not supposed to send mail directly. Just turn the tables and tag those that are mail servers. And it allows for a nice and graceful transition too.

Nicely described here:
ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-stumpf-dns-mtamark-03.txt

-- 
Andre

(On the other hand, anybody who's filtering certain address blocks because they're our DHCP blocks deserves to be shot, for all the usual reasons and then some..)

Sure, but I can certainly understand why, for example, someone might block all of AOL's dynamic blocks port 25, at least. Or Charter's. Or Cox's, or any of the other sources of massive and constant abuse.

Wouldn't catch 1.2.3.4.dhcp.vt.edu.example.com anyway.

Yeah, but that has 'dhcp' at something other than the 3rd level.. ;)

Fair enough :)

Ah, I see what you're getting at. Well, I started maintaining my long

I was more interested in whether a rule like '*.dhcp.*.{com|net|org|edu}' (blindly looking at the 3rd level domain and/or the 4th level for the two-letter TLDs) did any better/worse than having to maintain a list of 7K or so - are there enough variant forms that it's worth enumerating, or is it just that enumerating is easier than doing a wildcard?
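An added example, not code from the thread, from the MTAMark draft or from any of the posters: a receiving-side check in Python that implements the two ideas discussed above together. It builds the MTAMark name (`_send._smtp._srv.` prefixed to the in-addr.arpa name) for the connecting IP and, when no tag exists, falls back to the "dhcp at the 3rd level (4th level for two-letter TLDs)" PTR heuristic Valdis asks about, which is what makes the transition graceful. Assumptions: the `DNS_ZONE` dictionary is a constructed stand-in for a resolver so the code runs offline (it mirrors the two records quoted in Andre's zone plus a few extra hosts I made up); the reading of a TXT value of "0" as "explicitly not an MTA" is my understanding of the draft, not something the thread states; the verdict strings and the decision to reject connections with no PTR at all are this example's policy choices.

```python
"""Reverse-DNS sender policy: MTAMark tag first, PTR naming heuristic as fallback.

Added example; the zone data below is constructed, not real DNS.
"""
import ipaddress

MTAMARK_PREFIX = "_send._smtp._srv"

# Constructed reverse zone for 10.0.0.0/24 (stand-in for a resolver).
# TXT "1" = tagged as an MTA; TXT "0" = tagged as not an MTA (assumption:
# my reading of the draft); no TXT record = untagged, use the fallback.
DNS_ZONE = {
    "1.0.0.10.in-addr.arpa.": {"PTR": "mail.example.com."},          # from the thread
    "_send._smtp._srv.1.0.0.10.in-addr.arpa.": {"TXT": "1"},          # from the thread
    "2.0.0.10.in-addr.arpa.": {"PTR": "host-2.dhcp.example.com."},   # constructed
    "_send._smtp._srv.2.0.0.10.in-addr.arpa.": {"TXT": "0"},          # constructed
    "3.0.0.10.in-addr.arpa.": {"PTR": "1.2.3.4.dhcp.vt.edu.example.com."},  # Valdis's case
    "4.0.0.10.in-addr.arpa.": {"PTR": "pc4.dhcp.example.com."},      # constructed, untagged
    # 10.0.0.5 deliberately has no records at all
}


def reverse_name(ip: str) -> str:
    """in-addr.arpa name for an IPv4 address: 10.0.0.1 -> 1.0.0.10.in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a dotted quad
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def mtamark_name(ip: str) -> str:
    """Owner name of the MTAMark TXT record for an IPv4 address."""
    return f"{MTAMARK_PREFIX}.{reverse_name(ip)}"


def lookup(name: str, rtype: str, zone=DNS_ZONE):
    """Stand-in for a DNS query: the single record of that type, or None."""
    return zone.get(name, {}).get(rtype)


def mtamark_status(ip: str, zone=DNS_ZONE) -> str:
    """'mta', 'not-mta' or 'untagged' according to the MTAMark TXT record."""
    txt = lookup(mtamark_name(ip), "TXT", zone)
    if txt == "1":
        return "mta"
    if txt == "0":
        return "not-mta"
    return "untagged"


def dhcp_label_match(ptr: str) -> bool:
    """Valdis's wildcard rule '*.dhcp.*.{tld}': is 'dhcp' the 3rd label from the
    right (4th for two-letter TLDs, which usually carry a registry label such
    as co.uk)? The leading '*' means at least one label must precede 'dhcp'."""
    labels = ptr.rstrip(".").lower().split(".")
    level = 4 if len(labels[-1]) == 2 else 3
    return len(labels) > level and labels[-level] == "dhcp"


def classify(ip: str, zone=DNS_ZONE) -> str:
    """Policy for a connecting IP. An MTAMark tag always wins; an untagged IP
    falls back to the PTR heuristic, so existing rules keep working while
    operators add tags. Rejecting IPs with no PTR is this example's choice."""
    status = mtamark_status(ip, zone)
    if status == "mta":
        return "accept"
    if status == "not-mta":
        return "reject-tagged"
    ptr = lookup(reverse_name(ip), "PTR", zone)
    if ptr is None:
        return "reject-no-ptr"
    if dhcp_label_match(ptr):
        return "reject-dynamic-ptr"
    return "accept-untagged"


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"):
        print(ip, mtamark_name(ip), classify(ip))
```

Note that 10.0.0.3, whose PTR is Valdis's `1.2.3.4.dhcp.vt.edu.example.com`, is accepted by the fallback because "dhcp" sits at the 5th level there, which is exactly the gap the thread points out; an MTAMark tag of "0" on that address would close it without touching the pattern list.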