- Forward Confirmed reverse DNS
FCrDNS, or Forward Confirmed Reverse DNS, is when an
IP address has both forward (name -> IP) and reverse (IP -> name) DNS entries that match each other. The process is outlined in RFC 1912, especially section 2.1. First areverse DNS lookup is done to get a list of PTR records (usually there is only one, but there can be more than one). For each domain name mentioned in the PTR records, a regular DNS lookup is done to see if any of the A or AAAA records match the original IP address. If there is a forward DNS lookup that confirms one of the names given by the reverse DNS lookup, then the FCrDNS check passes.A FCrDNS verification can create a weak form of authentication that there is a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While weak, this authentication is strong enough that it can be used for
whitelist ing purposes because spammers and phishers can not usually by-pass this verification when they usezombie computer s to forge the domains.A FCrDNS verification can also establish that the network owner and the domain owner both have at least a very basic understanding of the RFCs and can correctly configure things. That is, they have followed the instructions in RFC 1033 on "Adding a host". There is a statistical correlation between machines that send spam and machines that fail FCrDNS checks, but
correlation does not imply causation and many network owners simply can not configure the rDNS because their upstream providers either can't or won't delegate the rDNS.Fact|date=March 2008Uses
* Most e-mail
mail transfer agent s (server software) use a FCrDNS verification and if there is a valid domain name, put it into the "Received:" trace header field.
* Some e-mail mail transfer agents will perform FCrDNS verification on the domain name given on the SMTP HELO and EHLO commands. This can violate RFC 2821 and so e-mail is usually not rejected by default.
* TheSender Policy Framework e-mail anti-forgery system uses a FCrDNS check in its "ptr:" mechanism.
* Somee-mail spam filters will use FCrDNS checks to try to detect forged domain names or forwhitelist ing purposes. [http://tools.ietf.org/html/draft-kucherawy-sender-auth-header]
*SpamCop uses the FCrDNS check, which sometimes causes problems for SpamCop users who are also customers ofinternet service provider s who do not provide properly matching DNS and rDNS records for their mail servers. [http://forum.spamcop.net/forums/index.php?act=findpost&pid=36027] [http://forum.spamcop.net/forums/index.php?act=findpost&pid=41615]
* SomeFTP ,Telnet andTCP Wrapper servers will perform FCrDNS checks.Fact|date=March 2008External links
* [http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations Considerations for the use of DNS Reverse Mapping] (
Internet draft )
* [http://ipadmin.junkemailfilter.com/rdns.php Forward Confirmed RDNS testing tool]
Wikimedia Foundation. 2010.