Forward Confirmed reverse DNS

From Wikipedia, the free encyclopedia

You have new messages (last change).

FCrDNS, or Forward Confirmed Reverse DNS, is when an IP address has both forward (name -> IP) and reverse (IP -> name) DNS entries that match each other. The process is outlined in RFC 1912, especially section 2.1. First a reverse DNS lookup is done to get a list of PTR records (usually there is only one, but there can be more than one). For each domain name mentioned in the PTR records, a regular DNS lookup is done to see if any of the A or AAAA records match the original IP address. If there is a forward DNS lookup that confirms one of the names given by the reverse DNS lookup, then the FCrDNS check passes.

A FCrDNS verification can create a weak form of authentication that there is a valid relationship between the owner of a domain name and the owner of the network that has been given an IP address. While weak, this authentication is strong enough that it can be used for whitelisting purposes because spammmers and phishers can not usually by-pass this verification when they use zombie computers to forge the domains.

A FCrDNS verification can also establish that the network owner and the domain owner both have at least a very basic understanding of the RFCs and can correctly configure things. There is a statisitcal correlation between machines that send spam and machines that fail FCrDNS checks, but correlation does not imply causation and many network owners simply can not configure the rDNS because their upstream providers either can't or won't delegate the rDNS.

[edit] Uses

  • Most e-mail Mail Transfer Agents (server software) use a FCrDNS verification and if there is a valid domain name, put it into the "Received:" trace header field.
  • Some e-mail Mail Transfer Agents will preform FCrDNS verification on the domain name given on the SMTP HELO and EHLO commands. This can violate RFC 2821 and so e-mail is usually not rejected by default.
  • Some e-mail spam filters will use FCrDNS checks to try to detect forged domain names or for whitelisting purposes.
Retrieved from "http://en.wikipedia.org../../../f/o/r/Forward_Confirmed_reverse_DNS_48e6.html"