On 19/07/2019 16:15, bryantz-p...@zktech.com wrote:
> Thank you again for your response, and also thank you for yesterday pointing me to the support in open policy for the group. Currently I don't have any evidence as I have not done the packet captures.

> Two of the three outside parties complaining claim their servers look up the authoritative name servers for the domain in the email address and then their systems dig for reverse lookup against these name servers.

That makes no sense whatsoever.  The nameservers hosting reverse DNS for an address block need not be - indeed often are not - the nameservers hosting the forward domain.

If they are doing what they describe (which I don't believe), then not only is it totally broken, they would have had to write custom code to implement this broken behaviour.  I think you're probably getting garbled information.

I presume though that the ultimate problem was that you were getting some bounces to E-mails.  Do you have any captures of those, i.e. the 5xx response line which the remote mailserver returned?


> My guess is our previous servers were running bind and look like they may have allowed recursive lookups for any requests to the reverse zones.

If you were running an "open" recursor - one that accepts recursive queries from networks that you don't control - then you were open to huge abuse, e.g. you could have been used as a DoS amplifier.

In any case, recursive nameservers don't set the "Recursion Desired" flag when making queries to authoritative nameservers.


_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
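
An added illustration, not part of the original message: a small Python check of the two header flags discussed above, RD in the query and RA in the response, for auditing whether a nameserver you operate behaves as an open recursor. The function names, the result labels and the sample headers are constructed for this example, and the classification assumes the query asked for a name the server does not host and came from a network outside the operator's control.

```python
import socket
import struct

RD = 0x0100  # Recursion Desired: set by the client in the query
RA = 0x0080  # Recursion Available: set by the server in the response
QR = 0x8000  # marks a packet as a response

def build_query(name, qtype=1, rd=True, txid=0x1234):
    """Build a DNS query. Stub resolvers send rd=True; a recursor
    querying an authoritative server sends rd=False."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(packet):
    """Classify the reply to an rd=True query for a name the server
    does not host, sent from a network the operator does not control."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"          # server declined the query outright
    if not flags & RA:
        return "no-recursion"     # authoritative-only behaviour
    if rcode == 0 and ancount > 0:
        return "open-recursor"    # resolved a foreign name for a stranger
    return "inconclusive"

def probe(server, name, timeout=3.0):
    """Send one recursive query over UDP to a server you operate."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recv(4096))

if __name__ == "__main__":
    # Constructed response headers (flags, answer count), not captures.
    for flags, an in [(0x8180, 1), (0x8105, 0), (0x8100, 0)]:
        pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, an, 0, 0)
        print(hex(flags), classify_response(pkt))
```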
