FCrDNS, or forward-confirmed reverse DNS, or full-circle reverse DNS, is when an IP address has both forward (name -> IP) and reverse (IP -> name) DNS entries that match each other. The process is outlined in RFC 1912, especially section 2.1. First a reverse DNS lookup is done to get a list of PTR records (usually there is only one, but there can be more than one). For each domain name mentioned in the PTR records, a regular DNS lookup is done to see if any of the A or AAAA records match the original IP address. If there is a forward DNS lookup that confirms one of the names given by the reverse DNS lookup, then the FCrDNS check passes.
1.2.3.4 --- PTR Record ---> hostname.example.com hostname.example.com --- A Record ---> 1.2.3.4
A FCrDNS verification can create a weak form of authentication that there is a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While weak, this authentication is strong enough that it can be used for whitelisting purposes because spammers and phishers can not usually by-pass this verification when they use zombie computers to forge the domains. It is considered good practice in general that all rDNS should be forward confirmed. This is especially true for the IP addresses used by email servers to help prevent outgoing email from being wrongly rejected as spam.
A FCrDNS verification can also establish that the network owner and the domain owner both have at least a very basic understanding of the RFCs and can correctly configure things. That is, they have followed the instructions in RFC 1033 on "Adding a host". There is a statistical correlation between machines that send spam and machines that fail FCrDNS checks, but correlation does not imply causation and many network owners simply can not configure the rDNS because their upstream providers either can't or won't delegate the rDNS.[citation needed]
Uses
- Most e-mail mail transfer agents (server software) use a FCrDNS verification and if there is a valid domain name, put it into the "Received:" trace header field.
- Some e-mail mail transfer agents will perform FCrDNS verification on the domain name given on the SMTP HELO and EHLO commands. This can violate RFC 2821 and so e-mail is usually not rejected by default.
- The Sender Policy Framework e-mail anti-forgery system uses a FCrDNS check in its "ptr:" mechanism.
- Some e-mail spam filters will use FCrDNS checks to try to detect forged domain names or for whitelisting purposes, for example, RFC 5451.
- SpamCop uses the FCrDNS check, which sometimes causes problems for SpamCop users who are also customers of internet service providers who do not provide properly matching DNS and rDNS records for their mail servers. [1] [2]
- Some FTP, Telnet and TCP Wrapper servers will perform FCrDNS checks.[citation needed]
External links
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
