Reverse DNS

During a recent attack by SoBig.F, we thought our mail server was protected. We found out later that it wasn't as well-protected as we thought. Over the past few days, we have found that several ISPs put us on some type of block list that didn't allow our mail through. Most of the ISPs have been understanding, but a couple haven't been so nice. One told us that the only way it would allow the mail through would be for us to enable reverse DNS. What is reverse DNS?

Where DNS translates a fully qualified domain name into an IP address that routers can use to get from Point A to Point B, reverse DNS allows a receiving mail server to go back to the authoritative DNS servers for a domain and verify that the host trying to send mail actually exists at that domain and with the IP address claimed by the sender. An authoritative DNS server is recognized as the ultimate qualified source of DNS information for a given domain. Not just any DNS server can provide this information; only those recognized as authoritative for the domain can.

A reverse DNS zone on a DNS server looks very similar to a regular zone, except that you'll see mostly PTR (pointer) records, which should match one-to-one each record in the forward (regular) DNS zone(s) on your DNS server. The name of the zone will be a little different, too. Instead of mycompany.com, it will look something like part of the IP address range assigned by your ISP, written in reverse and followed by IN-ADDR.ARPA.

There are two ways you can handle reverse DNS. If your ISP will delegate reverse DNS lookup to your servers, you can handle it yourself. If not, you will need to give your ISP the information necessary so it can create the reverse DNS zone on its servers. If you're going to do your own reverse DNS, consult the documentation for the DNS server software you're using to see what steps are needed to properly implement reverse DNS.
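The following is an added example, not part of the original column, showing what the explanation above looks like in practice: how an IP address turns into an IN-ADDR.ARPA name, what a reverse zone with PTR records looks like, and the check a receiving mail server performs when it insists on reverse DNS (look up the PTR for the connecting address, then look up the A record for the name it returns, and accept only when the two point at each other, usually called forward-confirmed reverse DNS). The domain example.com, the 203.0.113.0/24 range and both zones are constructed for illustration; a real check would query DNS instead of these in-memory tables.

```python
"""Forward-confirmed reverse DNS check over constructed zone data.

Added example, not code from the original column. The hostnames, the
203.0.113.0/24 range and both zones below are made up for illustration;
a real mail server would query DNS rather than these dictionaries.
"""
import ipaddress

# Constructed forward zone for the hypothetical domain example.com:
# hostname -> IPv4 address (A records).
FORWARD_ZONE = {
    "mail.example.com.": "203.0.113.25",
    "www.example.com.": "203.0.113.80",
}

# Constructed reverse zone for 203.0.113.0/24, written the way a BIND-style
# zone file presents it. The $ORIGIN is the network part of the address
# range in reverse, followed by in-addr.arpa; each PTR record maps the last
# octet back to the hostname that the forward zone's A record belongs to.
REVERSE_ZONE_TEXT = """\
$ORIGIN 113.0.203.in-addr.arpa.
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
      IN NS  ns1.example.com.
25    IN PTR mail.example.com.
80    IN PTR www.example.com.
81    IN PTR www.example.com.     ; constructed: A record points elsewhere
99    IN PTR stale.example.com.   ; constructed: no matching A record at all
"""


def parse_reverse_zone(text):
    """Return {reverse_name: hostname} from the PTR records of a zone file."""
    origin = None
    ptrs = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if "PTR" in fields:
            label = fields[0]
            target = fields[fields.index("PTR") + 1]
            # A relative label is qualified with the current $ORIGIN.
            name = label if label.endswith(".") else f"{label}.{origin}"
            ptrs[name] = target
    return ptrs


def reverse_name(ip):
    """Build the in-addr.arpa (or ip6.arpa) name for an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_check(ip, ptr_zone, forward_zone):
    """Forward-confirmed reverse DNS as a receiving mail server applies it.

    1. Look up the PTR record for the connecting IP.
    2. Look up the A record of the hostname the PTR returned.
    3. Accept only if that A record points back at the same IP.
    Returns (status, hostname_or_None) so the caller can log the reason.
    """
    hostname = ptr_zone.get(reverse_name(ip))
    if hostname is None:
        return "no-ptr", None
    forward_ip = forward_zone.get(hostname)
    if forward_ip is None:
        return "ptr-without-a", hostname
    if forward_ip != ip:
        return "mismatch", hostname
    return "ok", hostname


if __name__ == "__main__":
    ptrs = parse_reverse_zone(REVERSE_ZONE_TEXT)
    for sender_ip in ("203.0.113.25", "203.0.113.81", "203.0.113.99", "203.0.113.7"):
        print(sender_ip, reverse_name(sender_ip), fcrdns_check(sender_ip, ptrs, FORWARD_ZONE))
```

Only the first address passes: its PTR names mail.example.com., and mail.example.com.'s A record is that same address. The other three show the failure modes a block-listing ISP is reacting to: a PTR that points at a name whose A record is a different address, a PTR for a name with no A record, and an address with no PTR at all. Whoever hosts the reverse zone (you, if your ISP delegates it, or the ISP otherwise) needs to keep the PTR records in step with the forward zone for the check to keep passing.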