mail filtering based on reverse DNS
Bjørn Mork
bjorn at mork.no
Thu Aug 11 14:30:08 CEST 2011
Erik Kline <ek at google.com> writes:
>> Assumptions: Considering that most trojans will run from client
>> systems that probably won't have reverse DNS entries I think this
>> might help. MTA operators can add reverse DNS records in (almost?)
>> all cases if they really want, so they won't be permanently harmed by
>> this.
>>
>> Now, are those assumptions correct? I have heard ISPs talk about
>> using a (powerdns based) on-request-reverse-DNS-record-generator. If
>> we see that happening a lot such a policy might not make a big
>> difference. And I also heard knowledgeable SMBs state that they can't
>> get reverse DNS at this point in time. So how many
>> organizations/people *are* harmed?
>
> Certainly I and others have thought of writing our own auto-PTR
> response generator for delegated reverse zones. I see now that the
> success of a PTR-verification scheme depends on ISPs *not* doing this
> for every J. Random Customer.
FWIW, such scripts are already readily available. E.g.
http://member.wide.ad.jp/~fujiwara/v6rev.pl
I work for an ISP and considered using something like that for those of
our end users without delegated reverse zones, but concluded that it
buys absolutely nothing. Any IPv6 address is just as pretty/readable as
anything auto generated like that. So we won't bother going down that
route.
Another interesting option for ISPs is a dynamic DNS solution for
Windows users (and anyone else who manages to use it). This is likely
to cover most end users and nearly 100% of the trojans... I really
don't know much about Windows, but if I've understood correctly it will
attempt to do a signed DNS update to the SOA MNAME of the reverse zone.
Since we can split out reverse zones per user, this may allow us to set
up a dynamic DNS service for those users without much effort, with
necessary load distribution etc. It will still require the end users to
configure their PCs with domain names they can update forward DNS for.
I would also like to give users the option of defining static names for
a few of their addresses, or having their reverse zone delegated to name
servers of their choice. But this will of course only cover a few power
users and hardly change the big picture.
Time will show if we get around to doing this and if the market droids
will allow us...
Anyway. Dunno if we'll get there or if others will do the same, but you
may be looking at the possibility that most Windows PCs will have
correct DNS records.
Bjørn
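The PTR-verification policy the thread debates, written out as an added example (not code from any poster on the list): a sender is checked for a PTR, the PTR is rejected if it merely embeds the address's own hex digits (a heuristic assumed here to flag on-the-fly generators such as the v6rev.pl approach, not a standard), and it must forward-confirm back to the sender. The lookup tables are constructed stand-ins for DNS answers so the code runs offline.

```python
import ipaddress
import re

# Constructed lookup tables standing in for DNS answers so the example runs
# offline; they are not real records. A deployment would query a resolver.
FAKE_PTR = {
    "2001:db8::25": "mail.example.net",
    "2001:db8:1::abcd": "2001-0db8-0001-0000-0000-0000-0000-abcd.dyn.example.org",
    "2001:db8:2::1": "host.example.com",
}
FAKE_AAAA = {
    "mail.example.net": ["2001:db8::25"],
    "2001-0db8-0001-0000-0000-0000-0000-abcd.dyn.example.org": ["2001:db8:1::abcd"],
    "host.example.com": ["2001:db8:2::99"],  # forward lookup points elsewhere
}

def lookup_ptr(ip):
    return FAKE_PTR.get(ipaddress.IPv6Address(ip).compressed)

def lookup_aaaa(name):
    return FAKE_AAAA.get(name, [])

def looks_synthesized(ip, name):
    """Heuristic (an assumption, not a standard): a PTR that merely embeds the
    address's own hex digits, in expanded or compressed form, was most likely
    generated on the fly rather than assigned to a real mail host."""
    addr = ipaddress.IPv6Address(ip)
    hexonly = re.sub(r"[^0-9a-f]", "", name.lower())
    exploded = addr.exploded.replace(":", "")
    compressed = addr.compressed.replace(":", "")
    # Very short compressed forms (e.g. "::1" -> "1") would match anything.
    return exploded in hexonly or (len(compressed) >= 8 and compressed in hexonly)

def classify(ip):
    """Apply the filter policy: a sender needs a PTR, the PTR must not look
    auto-generated, and it must forward-confirm (FCrDNS) back to the sender."""
    name = lookup_ptr(ip)
    if name is None:
        return "no-ptr"
    if looks_synthesized(ip, name):
        return "synthesized-ptr"
    addr = ipaddress.IPv6Address(ip)
    if not any(ipaddress.IPv6Address(a) == addr for a in lookup_aaaa(name)):
        return "fcrdns-mismatch"
    return "accept"

if __name__ == "__main__":
    for ip in ("2001:db8::25", "2001:db8:1::abcd", "2001:db8:2::1", "2001:db8:3::7"):
        print(ip, "->", classify(ip))
```

The verdict string is what a mail filter would act on (reject, greylist or score); the heuristic will not catch generators that use names unrelated to the address, which is exactly the case the thread warns about.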