Reverse DNS

Discussion in 'Networks' started by Leehaa, Dec 18, 2007.

  1. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    What would be the effect of switching off reverse DNS on a small office network with one 2003 server hosting Domino and using Lotus Notes as the mail server?

    Please advise. Feel free to ask questions if you need more to answer this one!!
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  2. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    Reverse DNS is only used to get the name if you feed it the IP address. I do not think it would have any effect on Lotus Notes, but I'm no Notes expert.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  3. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Some settings on things like SSH require reverse DNS for anti-spoofing, and some mail servers also need it or they will reject incoming emails.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  4. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Probably slight, but not knowing what all applications are used there it's hard to know.

    It's easy enough to turn off and then back on again, so it shouldn't hurt too much to try it sometime when most people aren't around. If you know what all the applications used on your network are, and how each of them is used, it should be a piece of cake to test, and then, if something breaks, to restore the functionality.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Only if your email servers are set up to use internal DNS servers. They can be pointed elsewhere for DNS services if they aren't dependent on something like AD.

    I wasn't aware of the SSH dependency on reverse DNS though.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    See, that's what I'm afraid of. I know that the company in question had a lot of difficulty with spammers, spoofing etc., and so my old manager changed the settings on the mail server to reduce the problem, or at least identify potential nasties. I think he used some kind of Domino setting that may have required the reverse DNS to be on...

    Seems like a little research will be required...

    ...then, as ffreeloader suggests, I can always test it at a quiet time. Probably next week will be good!!

    Thank you.
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  7. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Is this purely for email? If so then your email server will probably accept spam email from spoofed addresses but if the address does not exist in your organisation then it will eventually bounce. Also there is a setting in Domino that only accepts mail to your domain name anyway.

    Just out of interest why do you need to switch it off?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I'd be a little curious about that too, although running reverse DNS is a security problem if your internal DNS servers are accessible from the internet.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Just in case anyone is interested, I think I've found the answer:

    From reading on the Notes forums, it appears that enabling reverse DNS for a Domino mail server helps to greatly reduce the risk of SPAM.

    The problem is that innocent domains can get blocked as well (which is why I'm querying this: my customer has one client they can't send to; emails just get stopped and time out because the PTR record cannot be located, and they called to say they wanted to be able to send to their client)... but unfortunately it looks like there is no way to "have your cake and eat it". It's either have the reverse DNS on, and risk not being able to send to certain addresses, or have it switched off and receive ridiculous amounts of junk mail!!! See below:


    LO23291: ENHANCEMENT REQUEST: OPTION TO BYPASS REVERSE DNS LOOKUP ON SPECIFIC DOMAINS.

    APAR status
    Closed as fixed if next.

    Error description
    To avoid SPAM mails, the customer enabled reverse DNS lookup. Now mails are not received from an internal FAX machine. If the customer disables reverse DNS lookup then they receive SPAM mails.

    Currently Domino allows the option to check domains for reverse DNS. This is helpful in blocking SPAM and unwanted email. However, there are a number of valid domains that may run into DNS problems, and messages are rejected because a PTR record cannot be located.

    It would be helpful to include a field in the server configuration document to specify domains which can bypass a reverse DNS lookup. With this, customers will be able to receive mail from recognized domains, regardless of whether they have a PTR record, while still blocking other mail that could be SPAM.

    Local fix
    Currently there is no workaround within Domino.

    Problem summary
    Problem conclusion
    Temporary fix
    Comments
    Too late to fix in 6.5.x as 6.5.6 already shipped and is the las

    APAR information
    APAR number: LO23291
    Reported component name: LOTUS NOTES/DOM
    Reported component ID: 5724E7000
    Reported release: 654
    Status: CLOSED FIN
    PE: NoPE
    HIPER: NoHIPER
    Special Attention: NoSpecatt
    Submitted date: 2007-08-14
    Closed date: 2007-09-11
    Last modified date: 2007-09-11

    APAR is sysrouted FROM one or more of the following:

    APAR is sysrouted TO one or more of the following:

    Modules/Macros
    UNKNOWN

    Publications Referenced

    Fix information

    Applicable component levels
    R654 PSN UP


    The clients are getting loads of junk as it is, and the Notes forums say that the reverse DNS is very effective in aiding the blocking of SPAM, so I wouldn't want to switch it off just yet!!

    ....Solution: Our MD is setting the client up with MessageLabs in the next week or so, so I guess the best option is to wait until that is in place, then turn off the reverse DNS and hopefully the filter will be thorough enough that I can switch off the reverse DNS... then, fingers crossed, nothing else will be affected!!!
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  10. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91

    The IT department for a lady who my customer is (unsuccessfully) trying to send/receive emails to/from has said that the reason they are timing out is because of the reverse DNS being switched on at my customer's end. They have basically told my customer to get me to switch it off...
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  11. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    What version of Domino are you using? There is an option in the server config document to allow SMTP traffic from IP addresses and domains. Might be worth a look.

    To be honest they should have reverse DNS enabled on their domain, they will have problems emailing to other domains in time.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
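The behaviour the thread is circling (post 9's "PTR record not being located" rejections and post 11's per-IP/domain allow option) can be reproduced offline to diagnose a partner before touching the Domino setting. The following is an added example, not code from this thread or from Domino; `reverse_name`, `check_sender`, `stub_resolver` and the `SAMPLE_ZONE` records are all constructed here, with a callback resolver so a real DNS library can be swapped in.

```python
import ipaddress
from typing import Callable, Iterable, List

# A resolver is any callable (qname, rrtype) -> list of record strings; [] means no answer.
Resolver = Callable[[str, str], List[str]]

def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4/IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def check_sender(ip: str, resolve: Resolver, bypass: Iterable[str] = ()) -> str:
    """Classify a connecting SMTP client the way a reverse-DNS check would.

    'bypass'      IP or PTR hostname/domain is on the admin allowlist (the option the APAR asks for)
    'no-ptr'      no PTR record at all: the case where Domino's check rejects the sender
    'unconfirmed' PTR exists, but no forward A/AAAA record points back at the IP
    'confirmed'   forward-confirmed reverse DNS (FCrDNS) passes
    """
    addr = ipaddress.ip_address(ip)
    allow = {b.lower().rstrip(".") for b in bypass}
    if str(addr) in allow:
        return "bypass"
    ptrs = [h.lower().rstrip(".") for h in resolve(addr.reverse_pointer, "PTR")]
    if not ptrs:
        return "no-ptr"
    if any(h in allow or any(h.endswith("." + d) for d in allow) for h in ptrs):
        return "bypass"
    fwd = "A" if addr.version == 4 else "AAAA"
    for host in ptrs:
        if any(ipaddress.ip_address(a) == addr for a in resolve(host, fwd)):
            return "confirmed"
    return "unconfirmed"

# Constructed sample zone data standing in for live DNS (documentation-range addresses, not real hosts).
SAMPLE_ZONE = {
    ("1.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("mail.example.net", "A"): ["192.0.2.1"],
    ("2.2.0.192.in-addr.arpa", "PTR"): ["mx.example.org."],
    ("mx.example.org", "A"): ["198.51.100.9"],  # forward record does not point back at the sender
    # 192.0.2.3 has no PTR at all: the fax-machine / partner-domain case described in the APAR
}

def stub_resolver(qname: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((qname.lower().rstrip("."), rrtype), [])

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(ip, check_sender(ip, stub_resolver),
              check_sender(ip, stub_resolver, bypass=["example.org", "192.0.2.3"]))
```

Run the same check against the partner's sending IP with a real resolver before deciding: a `no-ptr` result confirms the thread's diagnosis, while `unconfirmed` points at a mismatched forward record on their side rather than a missing PTR.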
  12. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Theirs is 6.5. Thank you Sparks - will take a look...
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  13. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I've never used Notes so don't know if the following will work with it, but have you tried subscribing to services like Spamhaus and other similar reputable free DNSBL services? They work very well with Exim. I'd say I'm blocking in excess of 98% of the spam that hits my email server through the use of free services.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  14. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  15. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
