3.4 Reverse DNS lookup

Yes, it sounds counter intuitive. “Reverse DNS” (RDNS) is exactly what the name implies: given an IP address, what is its domain name?

Why do we need this?

This is mostly used by email servers for authenticating the origin of email messages. SMTP is somewhat of an old protocol, invented before security became a big issue. As such, SMTP itself has no built-in mechanism for a client to authenticate itself to a server. There is also no way to check the true origin of a message.

For example, let’s say I want to stir up some trouble in the organization called peace-r-us.com. I know certain email addresses of some individual of that organization from their websites or publicity literatures. And, as a bad person, I want to pretend to be love@peace-r-us.com and send a really inappropriate message to respect@peace-r-us.com. Also, assume that I cannot gain any access to any workstations/hosts in the domain peace-r-us.com.

It doesn’t matter. I can easily create an email message and forge the from: field to say love@peace-r-us.com! Then I send this message via SMTP through the SMTP relay of my ISP, and just wait and watch peace-r-us.com appear on the news.

But, a good system administrator at peace-r-us.com can easily foil my attempt. Almost all SMTP servers (postfix, sendmail and etc.) can set up to use RDNS for basic authentication. This is how it works.

• the SMTP relay of my isp, say 66.205.45.123 sends the forged message to the SMTP server of peace-r-us.com. The SMTP server of peace-r-us.com knows which IP originates the message (66.205.45.123).
• The SMTP server of peace-r-us.com analyzes the message (which is in plain text), and sees that the from: field is love@peace-r-us.com.
• The SMTP server of peace-r-us.com queries its DNS server and ask “what is the domain name corresponding to the IP address of 66.205.45.123?”
• The DNS server replies mail.myisp.com (which is the domain name of the SMTP server of my ISP). This does not match the domain name of the from: field of the message!
• The SMTP server decides that this message is questionable, and either block it, mark it as suspicious, or bounce it.

Note that if you want to handle your own email with your email server, you probably need to have an RDNS entry to talk to most SMTP servers. Without an RDNS entry, the SMTP server simply cannot get the domain name corresponding to an IP address, and many SMTP servers will discard messages coming from SMTP servers/relays with no RDNS entries.

Also, note that whoever sets up your DNS entries may not be able to set up RDNS entries. Typically, it is up to a hosting company that set up RDNS for you, and not all hosting companies offer this service. Obviously, not everyone can set up an RDNS entry due to the security sensitivity.

Some hosting companies/ISPs will set up default RDNS entries based on the IP address. Surewest, for example, sets up the RDNS entry of 66.205.135.41 as 040.135-205-66.ftth.swbr.surewest.net. This is sufficient for some SMTP servers (that there is an RDNS entry). However, some SMTP servers wants to match the RDNS name to the name of the from: field, which makes the default RDNS entries insufficient.

If your hosting company cannot set up an RDNS entry for your SMTP server or domain, you can subscribe to paid services to relay email. This kind of service is usually offered by companies that offer DNS services (which may or may not be the same as the domain name registrar!). This is the way it works.

• You tell the service your domain name, and the IP address of your SMTP server.
• The service registers an RDNS entry, but with the IP address of the service itself.
• You configure your SMTP server (software) to use IP relay to send out messages. Incoming messages are not affected.
• When your SMTP server needs to send a message, it is first sent to the IP relay.
• The IP relay sends the message to its destination SMTP server.
• The destination SMTP server looks up the RDNS entry of the IP address of the IP relay. It should match because the IP relay service provider registered the address of the IP relay to map to your domain name.