On 19/07/2019 16:15, bryantz-p...@zktech.com wrote:
> Thank you again for your response, and also thank you for yesterday
> pointing me to the support in open policy for the group.
>
> Currently I don't have any evidence as I have not done the packet
> captures.
>
> Two of the three outside parties complaining claim their servers look
> up the authoritative name servers for the domain in the email address
> and then their systems dig for reverse lookup against these name servers.

That makes no sense whatsoever. The nameservers hosting reverse DNS for
an address block need not be - indeed often are not - the nameservers
hosting the forward domain.

If they are doing what they describe (which I don't believe), then not
only is it totally broken, they would have had to write custom code to
implement this broken behaviour. I think you're probably getting
garbled information.

I presume though that the ultimate problem was that you were getting
some bounces to E-mails. Do you have any captures of those, i.e. the
5xx response line which the remote mailserver returned?

> My guess is our previous servers were running bind and look like they
> may have allowed recursive lookups for any requests to the reverse zones.

If you were running an "open" recursor - one that accepts recursive
queries from networks that you don't control - then you were open to
huge abuse, e.g. you could have been used as a DoS amplifier.

In any case, recursive nameservers don't set the "Recursion Desired"
flag when making queries to authoritative nameservers.
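
The two DNS facts above (PTR names live under in-addr.arpa, not the forward domain, and a recursor's queries to an authoritative server carry RD=0) are illustrated below in a small added example that is not part of this thread or of PowerDNS. It builds raw DNS query packets, decodes the header flags, and scans a constructed capture for queries that ask an authoritative-only server to recurse from outside a hypothetical trusted network (192.0.2.0/24), which is what one would look for in the packet captures the poster has not yet taken.

```python
import struct
import ipaddress

# Hypothetical: the only networks whose hosts should be asking us to recurse.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PTR, A = 12, 1  # RR type codes

def ptr_name(ip):
    """Reverse-lookup name for an address: it is under in-addr.arpa, not the forward zone."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def build_query(qname, qtype, rd, txid=0x1234):
    """Minimal DNS query. RD=1 asks the server to recurse; an iterative query
    sent by a recursor to an authoritative server carries RD=0."""
    flags = 0x0100 if rd else 0x0000           # bit 8 of the flags word is RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "rd": flags >> 8 & 1, "qdcount": qd}

def parse_qname(pkt):
    """Read the (uncompressed) QNAME that follows the 12-byte header."""
    labels, pos = [], 12
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels) + "."

def flag_open_recursion(capture):
    """Return (src, qname) for queries that request recursion from outside TRUSTED_NETS.
    Responses and RD=0 (iterative) queries from other recursors are normal traffic."""
    findings = []
    for src, pkt in capture:
        h = parse_header(pkt)
        if h["qr"] or not h["rd"]:
            continue
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
            findings.append((src, parse_qname(pkt)))
    return findings

# Constructed capture: (source IP, raw query) using documentation address ranges.
CAPTURE = [
    ("192.0.2.10", build_query(ptr_name("203.0.113.5"), PTR, rd=True)),    # own client, fine
    ("198.51.100.7", build_query(ptr_name("203.0.113.5"), PTR, rd=False)), # remote recursor, iterative, fine
    ("198.51.100.9", build_query("example.com.", A, rd=True)),             # outsider asking us to recurse
]
```

Only the third packet is reported; a nameserver that answers such queries is the "open recursor" the reply warns about.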
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users