Forward-confirmed reverse DNS

From Citizendium
Jump to: navigation, search
This article is developing and not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable Main Article is under development and subject to a disclaimer.

This article is a subtopic in a group of articles under Email system. We assume the reader understands the parent article, its terminology, and the roles of different agents in the system. The reader should also be familiar with the basics of Email authentication and with the article on Reverse DNS.

Forward-Confirmed reverse DNS (FCrDNS) is an email authentication method that uses the source IP address in a TCP connection to verify a domain name. A receiver does a Reverse DNS query on the IP address to learn the "IP name" assigned to that address by the network owner. If a normal forward DNS query on that name gives a matching IP address, then we have strong assurance that the network owner and the domain owner agree that the IP address and domain name are connected.

Limitations

FCrDNS says nothing about the authorization of an IP address to send email. There must be some external information, perhaps a "PTR term" in an SPF record, saying in effect "Trust our PTR records. We're not as sloppy as everyone else." Otherwise, a Pass result might only mean that a network provider set up PTR records for all addresses in his entire IP allocation, including dynamic addresses assigned to home computers. Often these network owners are large telecommunication companies, and not responsive to domain owners who want to use their own domain names in PTR records.

The FCrDNS method is one of the least reliable of the email authentication methods. It can provide robust authentication, but seldom does because of the confusion and miscommunication surrounding PTR records. Few receivers rely on FCrDNS as having any value by itself. It is mostly used as a heuristic check along with other inputs to a statistical analysis by a spam filter.

How it works

Here are the steps for a receiver after getting a TCP connection request from a transmitter at IP address 98.136.44.63.
1) Do a reverse DNS query on the IP address.

$ dig ptr 63.44.136.98.in-addr.arpa
...
;; ANSWER SECTION:
63.44.136.98.in-addr.arpa.  1200  IN  PTR  smtp108.prem.mail.sp1.yahoo.com.
...

2) Do a normal DNS query on the resulting "IPname".

$ dig a smtp108.prem.mail.sp1.yahoo.com
...
;; ANSWER SECTION:
smtp108.prem.mail.sp1.yahoo.com.  1800  IN  A  98.136.44.63
...

Explanatory notes

The text forms shown here are from a terminal session using the BIND utility 'dig'. In a real email receiver, the queries and responses would be packets of the same data in a compact binary form.

in-addr.arpa is the branch of DNS holding all reverse query information. ARPA was the US government agency which started the Internet. The registry in now under the control of ICANN.

PTR is a "pointer" record in DNS. It "points" an address to a name, the opposite of an A record, which points a name to an address.

The numbers in the ptr query are reversed, because of the way authority is delegated from the largest blocks to smaller blocks of IP addresses. In the query, numbers are just treated as normal characters, so '63' is a subdomain of '44', which is a subdomain of '136', etc.

The second step is essential for authentication. Without this a crooked domain owner could claim to be yahoo.com by simply publishing an A record with Yahoo's IP address.