Reverse Lookup Problems


A lot of services, especially on UNIX, but also security-sensitive services on other platforms, try to perform reverse lookups of the origin hosts of all incoming connections. If the lookup fails, the service might deny the connection on the grounds that it wants to know to whom it talks, or because it simply is not allowed to talk to strangers.

But, even if the query works, the service might deny the connection. A common UNIX security mechanism, known as tcp wrappers or tcpd, performs a lot of checking. One of the checks it performs is whether the reverse lookup matches the forward lookup. If the IP address 10.35.129.219 has a PTR record saying its name is foo.penguin.bv, and foo.penguin.bv has an A record saying 10.35.129.218, which is a different address, the connection will be denied. It is usual practice on UNIX that all services run out of inetd run under tcpd. This includes telnet, ftp, rsh, rlogin, pop-3, and imap. It is not usual to run Web servers under tcpd.

For the first two problems, the cure is to have correct reverse zone setups. Not only must you ensure that your setup is correct, but you must also ensure that the reverse zones are delegated correctly. Check the section before this one for more information about delegation problems.

A third scenario is that telnet, rsh, rlogin, and similar services will attempt to perform a reverse lookup as described previously, but because of network problems, or simply because name service has been broken, the query is not answered and the connecting party will have to wait for DNS to complete the query or to time out. When the query finally times out, the connection might be denied, even if it would have been accepted if DNS were working, depending on the host configuration.
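The following is an added example, not code from the book or from tcp wrappers itself. It models the three situations above with a constructed record table (not real DNS): the forward-confirmed reverse check that tcpd performs (PTR for the address, then A records for that name, which must contain the original address), the "no PTR at all" case, and a bounded lookup so that a broken name service cannot hang the connection-accepting path indefinitely. The verdict names UNKNOWN, PARANOID and OK are chosen here to mirror tcpd's terminology; the functions `reverse_lookup`, `forward_lookup`, `classify_client`, `resolve_with_timeout` and `slow_resolver` are this example's own, and the addresses and names are the ones from the text plus constructed neighbours.

```python
"""Forward-confirmed reverse DNS check in the style of tcp wrappers (tcpd).

Added example. The record tables below are constructed sample data, not real
DNS; in a live service you would swap in socket.gethostbyaddr() for the PTR
step and socket.gethostbyname_ex() for the A step.
"""
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from typing import Callable, List, Optional, Tuple

# Constructed records. 10.35.129.219 reproduces the mismatch from the text:
# its PTR names foo.penguin.bv, but foo.penguin.bv's A record is 10.35.129.218.
PTR_RECORDS = {
    "10.35.129.219": "foo.penguin.bv",   # PTR and A disagree -> PARANOID
    "10.35.129.220": "bar.penguin.bv",   # consistent -> OK
    # 10.35.129.221 deliberately has no PTR -> UNKNOWN
}
A_RECORDS = {
    "foo.penguin.bv": ["10.35.129.218"],
    "bar.penguin.bv": ["10.35.129.220", "10.35.129.230"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (stand-in for gethostbyaddr)."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """A lookup against the constructed table (stand-in for gethostbyname_ex)."""
    return A_RECORDS.get(name, [])


def classify_client(
    ip: str,
    reverse: Callable[[str], Optional[str]] = reverse_lookup,
    forward: Callable[[str], List[str]] = forward_lookup,
) -> Tuple[str, str]:
    """Return (verdict, detail) for a connecting address.

    UNKNOWN  : no PTR record, the service cannot learn who is talking to it
    PARANOID : the PTR name's A records do not include the original address
    OK       : the name is forward-confirmed and may be used in access rules
    """
    name = reverse(ip)
    if name is None:
        return "UNKNOWN", f"no PTR record for {ip}"
    addrs = forward(name)
    if ip not in addrs:
        return "PARANOID", f"{ip} -> {name} -> {addrs or 'no A record'}"
    return "OK", name


def resolve_with_timeout(fn: Callable[[str], object], arg: str, timeout: float):
    """Run a resolver call in a worker thread and give up after `timeout`
    seconds, returning None. The executor is shut down without waiting so a
    hung lookup does not block the caller (the third scenario in the text)."""
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(fn, arg)
    try:
        return fut.result(timeout=timeout)
    except FutureTimeout:
        return None
    finally:
        pool.shutdown(wait=False)


def slow_resolver(ip: str) -> str:
    """Constructed stand-in for a name service that is not answering."""
    time.sleep(1.0)
    return "never-confirmed.example"


def demo() -> dict:
    """Classify the three constructed clients; used by the usage run below."""
    return {ip: classify_client(ip)[0]
            for ip in ("10.35.129.219", "10.35.129.220", "10.35.129.221")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:15} {verdict:9} {classify_client(ip)[1]}")
    print("bounded lookup:", resolve_with_timeout(slow_resolver, "10.0.0.1", 0.2))
```

A service that keys access decisions on the hostname should only trust an OK result; UNKNOWN and PARANOID are exactly what a correct reverse zone (and correct delegation of it) prevents, and the bounded lookup decides how long a client waits while the name service is broken rather than leaving that to the resolver's own retry schedule.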



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183
