FCrDNS
FCrDNS, or forward-confirmed reverse DNS, or full-circle reverse DNS, also known as iprev, is a situation where a given IP address has forward (name-to-address) and reverse (address-to-name) DNS entries that match each other. The process of checking this is as follows (described as a Proposed Standard by RFC 5451, section 3; and previously outlined in RFC 1912, especially section 2.1):
- First a reverse DNS lookup (PTR query) is performed on the IP address, which returns a list of zero or more PTR records.
- For each domain name returned in the PTR query results, a regular 'forward' DNS lookup (type A or AAAA query) is then performed on that domain name.
- Any A or AAAA record returned by the second query is then compared against the original IP address, and if there is a match, then the FCrDNS check passes.
Example:
DNS query type PTR on 192.0.2.4 --> returns PTR-record="hostname.example.com" (1 result)
DNS query type A on "hostname.example.com" --> returns A-record=192.0.2.4 (1 result)
Matches original IP address, therefore check passes
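A worked implementation of the three-step check above, added here as an example and not part of the original article. The DNS data is a constructed in-memory table standing in for a real resolver, and the reverse name is derived with Python's ipaddress module so the same code handles both in-addr.arpa and ip6.arpa. It also covers the cases the steps leave implicit: zero PTR records, several PTR records of which only one confirms, and a PTR name whose forward record points elsewhere.

```python
import ipaddress

# Constructed sample DNS data (not real records): (qname, qtype) -> answers.
# PTR records hang off the reverse name; A/AAAA records off the forward name.
SAMPLE_DNS = {
    ("4.2.0.192.in-addr.arpa", "PTR"): ["hostname.example.com"],
    ("hostname.example.com", "A"): ["192.0.2.4"],
    # PTR names a host whose A record points somewhere else: must fail.
    ("5.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["198.51.100.7"],
    # Several PTR records; the check passes if any one of them confirms.
    ("6.2.0.192.in-addr.arpa", "PTR"): ["alias.example.org", "www.example.org"],
    ("alias.example.org", "A"): ["203.0.113.9"],
    ("www.example.org", "A"): ["192.0.2.60", "192.0.2.6"],
    # IPv6 host confirmed through its AAAA record (key built so no nibbles are hand-counted).
    (ipaddress.ip_address("2001:db8::1").reverse_pointer, "PTR"): ["v6.example.com"],
    ("v6.example.com", "AAAA"): ["2001:0db8::1"],
}


def sample_lookup(qname, qtype):
    """Stand-in resolver: returns the answer list for a (name, type) query, or []."""
    return SAMPLE_DNS.get((qname.lower().rstrip("."), qtype), [])


def fcrdns_check(ip_str, lookup=sample_lookup):
    """Forward-confirmed reverse DNS per RFC 5451 section 3 / RFC 1912 section 2.1.

    Returns (passed, confirmed_name, reason). `lookup(qname, qtype)` is any
    callable returning a list of answer strings; swap in a real resolver for use.
    """
    ip = ipaddress.ip_address(ip_str)          # normalises v4/v6 text forms
    fwd_type = "A" if ip.version == 4 else "AAAA"
    # Step 1: PTR query on the reverse name (x.x.x.x.in-addr.arpa or ...ip6.arpa).
    ptr_names = lookup(ip.reverse_pointer, "PTR")
    if not ptr_names:
        return (False, None, "no PTR record")
    # Step 2: forward A/AAAA query on each PTR name.
    for name in ptr_names:
        forward_addrs = lookup(name, fwd_type)
        # Step 3: compare as addresses, not strings, so "2001:0db8::1" == "2001:db8::1".
        if any(ipaddress.ip_address(a) == ip for a in forward_addrs):
            return (True, name, "forward-confirmed")
    return (False, None, "PTR name(s) do not resolve back to " + ip_str)


if __name__ == "__main__":
    for ip in ("192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.99", "2001:db8::1"):
        print(ip, fcrdns_check(ip))
```

The 192.0.2.5 case is the one a forged domain produces: whoever controls the forward zone can point an A record anywhere, but only the network owner can set the PTR, so the loop never closes.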
Network verity
A FCrDNS verification can create a weak form of authentication that there is a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While weak, this authentication is strong enough that it can be used for whitelisting purposes because spammers and phishers cannot usually bypass this verification when they use zombie computers to forge the domains. It is considered good practice in general that all rDNS should be forward confirmed. This is especially true for the IP addresses used by email servers to help prevent outgoing email from being wrongly rejected as spam.
A FCrDNS verification can also establish that the network owner and the domain owner both have at least a very basic understanding of the RFCs and can correctly configure things. That is, they have followed the instructions in RFC 1033 on "Adding a host". There is a statistical correlation between machines that send spam and machines that fail FCrDNS checks, but correlation does not imply causation, and many network owners simply cannot configure the rDNS because their upstream providers either can't or won't delegate the rDNS.
However, zombie computers infected with spambots will not be able to fake the reverse DNS to make it match. The main reason behind the correlation between spamming machines and failing FCrDNS is that it generally cannot be faked or overridden by a spambot-infested machine, and thus this check is very effective in controlling spam, underwritten and justified by supporting RFCs.
Common DNS misconfigurations are outlined in RFC 1912; of particular note is section 2.1, which states, under the heading "Inconsistent, Missing or Bad Data", "Make sure your PTR and A records match." Those ISPs that will not or cannot configure reverse DNS will generate problems for hosts on their networks, by virtue of RFCs being contravened when communicating with hosts that do follow the RFC guidelines. From a technical perspective reverse DNS is trivial to implement correctly and there is no reason not to implement it for hosts providing regular internet services. ISPs that cannot or will not provide reverse DNS ultimately will be limiting the ability of their client base to use internet services they provide effectively and securely.
Uses
- Most e-mail mail transfer agents (server software) use a FCrDNS verification and if there is a valid domain name, put it into the "Received:" trace header field.
- Some e-mail mail transfer agents will perform FCrDNS verification on the domain name given on the SMTP HELO and EHLO commands. This can violate RFC 2821 and so e-mail is usually not rejected by default.
- The Sender Policy Framework e-mail anti-forgery system uses a FCrDNS check in its "ptr:" mechanism.
- Some e-mail spam filters use FCrDNS checks as an authentication method for domain names or for whitelisting purposes; for example, according to RFC 5451.
- SpamCop uses the FCrDNS check, which sometimes causes problems for SpamCop users who are also customers of internet service providers who do not provide properly matching DNS and rDNS records for their mail servers. http://forum.spamcop.net/forums/index.php?act=findpost&pid=36027 http://forum.spamcop.net/forums/index.php?act=findpost&pid=41615
- Some FTP, Telnet and TCP Wrapper servers will perform FCrDNS checks.
- Some IRC servers perform FCrDNS checks to prevent abuse.
External links
- Considerations for the use of DNS Reverse Mapping (Internet draft)
- Forward Confirmed RDNS testing tool
- IPv4/IPv6 FCrDNS check tool