How does reverse DNS add security?

Question

There are plenty of good answers here about how reverse DNS works, but why is it used?

It seems that all reverse DNS proves is that the person sending the email has access to the DNS records for the IP. For an end user on a residential connection I find outgoing mail getting blocked by the SMTP server because there is no reverse DNS record. Since I am not trying to spoof some other domain, but using the domain for the SMTP server, how does this check add any security? It seems like the first check should be if there is a large volume of mail coming from the IP before considering rejecting.

Does this answer your question? [How does a Reverse DNS lookup work with regards to spam filters?](https://serverfault.com/questions/45272/how-does-a-reverse-dns-lookup-work-with-regards-to-spam-filters) — Bert, May 02 '20 at 23:45
@bert - thanks, but these add more clarity for the server sending the email out. I am referring, perhaps not clearly, to the originating client trying to send an email to the SMTP server to be sent in the first place. For example an ISP that offers email checking for a RDNS entry upon trying to send an email through smtp. ISP.com with an account@isp.com. — Origin, May 03 '20 at 00:04

score 2 · Accepted Answer · edited Jun 29 '22 at 16:03

It doesn't add security - it is a legacy anti-spam check, and a largely pointless one.

It could be argued that it shows that the system administrators are minimally competent and has control of reverse DNS. It historically indicated that the sender was more likely to be a Message Transfer Agent (MTA) rather than a Mail User Agent (MUA). Since the process requires a reverse, then a forward lookup of the reverse lookup, and since reverse DNS has now been fairly fully mapped out, it's not a good predictor of legitimacy anymore - but remember that SMTP is a very old protocol, and these kinds of tricks used to be helpful before SPF, DKIM etc.

This goes back to 1999 - RFC2505 - which says (paragraph 1.4))

     When we suggest use of FQDNs rather than IP addresses       this is because
     FQDNs are intuitively much easier to use. However, all such usage
     depends heavily on DNS and .IN-ADDR.ARPA (PTR) information. Since it
     is fairly easy to forge that, either by false cache information
     injected in DNS servers or spammers running their own DNS with false
     information in them, host and domain names must be used with care,
     e.g. verified so that the translation address->name corresponds to
     name->address. With Secure DNS, RFC2065, [7], things will improve,
     since spoofing of .IN-ADDR.ARPA will no longer be possible.

madacoda · Answer 2 · 2020-05-04T01:59:38.303

-1

Reverse DNS proves that the person who owns the IP address agrees that the DNS record should be pointing to it.

Anyone can create a host record hello.mydomain.ca and point to any IP address they want, spoofing a website. Let's say I point to the IP of amazon.com.

Now granted, there are many other checks in place these days, especially if you're using SSL certificates on the original site.

But a reverse DNS would show the true owner/domain of that website. There may be 100 DNS A records pointing to the same IP, but the reverse DNS shows you only the correct A record.

Edit : Since I disagree with davidgo but cannot yet comment on his post.

David states that Reverse DNS is outdated, no longer needed, etc. This is completely wrong.

If you're running Email servers and do not set up PTR records, you can expect Gmail, Yahoo, Microsoft to mark emails from your domain as Spam. See here for one example.
Logging and Monitoring systems which see traffic from IP Addresses will use Reverse DNS to put human-readable names to IP addresses.
Day-to-day troubleshooting by Network and Security admins will rely on Reverse DNS to once again map IP addresses to hostnames, application names, etc.

In my line of work it is used every day. If David wants to assume the world has left Reverse DNS behind he can do so. But he shouldn't spout out such nonsense without evidence.

If Reverse DNS is useless, there would be an RFC that outlines the death of Reverse DNS. There is no such thing.

edited May 04 '20 at 01:59

answered May 03 '20 at 09:07

madacoda

215
1
9

This is actually false. The check is forward DNS to reverse DNS to a matching forward DNS. This is "required" so you can have virtual servers sharing a single IP. Reverse DNS historically hinted at the true owner, but not necessarily any more. – davidgo May 03 '20 at 09:27
How is it 'false'? If I want to cross check a DNS entry I will just check if the PTR record matches. I think you're oversimplifying it to a single use case with virtual servers. And without any evidence you're claiming Reverse DNS is useless or not needed any more. That's a pretty bold statement to make. – madacoda May 04 '20 at 01:47
Rebuttal - Reverse DNS does not imply the owner of the reverse DNS agrees the record should be pointing to it. Most DNS space is set up so an ISP has a zone set up with forward DNS for all IPs in a range. They have reverse PTRs pointing to those forward IPs. They actually give the IPs to others to use - possibly in a dynamic pool, and commonly in a pool which is controlled by another team. – davidgo May 04 '20 at 05:12
hello.mydomain.ca is (from a receiving mail servers POV) irrelevant. When my SMTP server connects to your mail server your server only knows the from IP address, it has no idea that I call my mail server hello.mydomain.ca. It reverses the IP my server connects from, gets a reverse DNS for that (which could be 1.ispclientblock.ISP.com for example), and then checks 1.ispclientblock.ISP.com resolves to the IP. All this tells us is the ISP has set up reverse DNS. This is hardly surprising in 2020. (Maybe in 1990 when I could advertise an IP block I didn't own it was helpful) – davidgo May 04 '20 at 05:21
Also, I did not say its no longer needed. I said it does not add security, and it is a largely pointless antispam check. If anything, I strongly implied that it was needed when I quoted the RFC which states its a best practice. I never claimed the world has left reverse DNS behind - I frequently make inferences based on it when doing traceroutes - but thats not relevant to its use in SMTP - which is what the question was about. Also - what percentage of your non-router reverse DNS queries (excluding RFC1918 ones) don't resolve? The lower this figure the less relevant the check. – davidgo May 04 '20 at 05:48

How does reverse DNS add security?

2 Answers2