[TriLUG] DNS Questions / Help

Jon Carnes jonc at nc.rr.com
Thu Mar 23 21:28:32 EST 2006


On Thu, 2006-03-23 at 20:38, Lisa C. Boyd wrote:
> I have a client who is asking me to explain some warnings on a DNS 
> Report. Can y'all give me some easy to understand advice as to what 
> these warnings are or how to fix them?
> 
> --- Warning #1 ---
> WARN	TCP Allowed	
> WARNING: One or more of your DNS servers does not accept TCP 
> connections. Although rarely used, TCP connections are occasionally used 
> instead of UDP connections. When firewalls block the TCP DNS 
> connections, it can cause hard-to-diagnose problems. The problem servers 
> are:
> 
> This site is hosted on a shared virtual web host (like most) so I'm 
> pretty sure we can ignore this warning because we have no control over 
> the name servers.

You should talk to the folks who run the Name Servers for the domain.
They should allow TCP on port 53 (as well as UDP). It's probably just an
oversight on their part.

> 
> --- Warning #2 ---
> WARN	Mail server host name in greeting	
> WARNING: One or more of your mailservers is claiming to be a host other 
> than what it really is (the SMTP greeting should be a 3-digit code, 
> followed by a space or a dash, then the host name). This probably won't 
> cause any harm, but is a technical violation of RFC821 4.3 (and RFC2821 
> 4.3.1). Note that the hostname given in the SMTP greeting should have an 
> A record pointing back to the same server.
> 
> I'm not sure we can do anything about this one either.
> 

Look at the output from this. The server should give a valid domain name
in the Helo sequence. That valid domain name should resolve to the IP
address of the server. If that happens, you are golden here.

I've had a few clients that had problems with this. Some sites will
reject your email if you don't follow the specs.

> --- Warning #3 ---
> WARN	SPF record	
> Your domain does not have an SPF record. This means that spammers can 
> easily send out E-mail that looks like it came from your domain, which 
> can make your domain look bad (if the recipient thinks you really sent 
> it), and can cost you money (when people complain to you, rather than 
> the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was 
> the target date for domains to have SPF records in place (Hotmail, for 
> example, started checking SPF records on 01 Oct 2004).
> 
> This one I have no clue.

This is an interesting idea. I really don't think it's going to catch on
(of course I thought the idea of a "pet rock" was also pretty dumb).

Unfortunately most folks roam around a bit *and* use authenticated SMTP
(now THAT would be a better standard to push), so their email can have
just about any IP address on the net and still be valid for your domain.

Of course if all your users hang out in the office... and the office has
a static IP range... and all your mail sent from your domain is only
sent from the office... then Heck this will work.

Jon
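Added example for Warning #1 (this is editor-supplied code, not part of Jon's or Lisa's messages). It shows the one wire-level difference between DNS over UDP and DNS over TCP that a firewall rule has to accommodate: RFC 1035 section 4.2.2 prefixes every TCP message with a two-byte length, and a UDP answer with the TC (truncated) bit set is the resolver's cue to retry the same question over TCP/53. The `query_tcp` helper does a live check against a name server you name; `example.com` and the transaction id are constructed sample values.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RFC 1035 section 4.1): 12-byte header plus one
    question. qtype 1 = A record, class 1 = IN. A random transaction id is used
    when none is given, as a real resolver would."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = standard query with recursion desired; 1 question, 0 answers
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(message):
    """Over TCP every DNS message carries a two-byte big-endian length prefix
    (RFC 1035 section 4.2.2). A UDP datagram is sent bare."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tcp(stream):
    """Strip the TCP length prefix and return the bare message."""
    if len(stream) < 2:
        raise ValueError("stream too short to hold a length prefix")
    length = struct.unpack("!H", stream[:2])[0]
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short read: expected %d bytes, got %d" % (length, len(body)))
    return body


def is_truncated(response):
    """True when the TC bit (0x0200 in the flags word) is set. A UDP reply with
    TC set is incomplete; the client is expected to retry over TCP, which is
    exactly what fails when a firewall only permits 53/UDP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(data), n))
        data += chunk
    return data


def query_tcp(server, name, timeout=5.0):
    """Live check: send one query to port 53/TCP on `server` and return the raw
    answer. A server or firewall that drops TCP/53 shows up here as a timeout
    or a refused connection."""
    query = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_for_tcp(query))
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return _recv_exact(s, length)


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)  # constructed sample query
    print("bare UDP message: %d bytes" % len(q))
    print("TCP-framed      : %d bytes, prefix %r" % (len(frame_for_tcp(q)), frame_for_tcp(q)[:2]))
```

To test a name server listed in the report, call `query_tcp("<name server IP>", "<your domain>")` and compare the result with a normal UDP lookup; an answer over TCP with the same transaction id is what the report's check wants to see.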

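Added example for Warning #2 (editor-supplied, not code from the thread). It implements the two checks Jon describes: the greeting must be a 3-digit code, a space or dash, then a fully qualified host name (RFC 821 section 4.3, RFC 2821 section 4.3.1), and that host name must resolve to the address of the server that sent it. Resolution is injected as a callable so the check runs offline; `mail.example.com`, the 192.0.2.0/24 addresses and the banners are constructed sample data. `fetch_greeting` does the live read against a real server.

```python
import re
import socket

# 3-digit reply code, then a space (single-line) or dash (more lines follow),
# then the server's host name. 220 is the "service ready" greeting code.
GREETING_RE = re.compile(r"^(\d{3})([ -])(\S+)")


def parse_greeting(line):
    """Return (code, hostname) or raise ValueError for a malformed greeting."""
    m = GREETING_RE.match(line.strip())
    if not m:
        raise ValueError("greeting does not start with a 3-digit code: %r" % line)
    code, hostname = m.group(1), m.group(3)
    if code != "220":
        raise ValueError("unexpected greeting code %s" % code)
    if "." not in hostname:
        # "mailserver" or "localhost" cannot have a public A record
        raise ValueError("greeting host name %r is not fully qualified" % hostname)
    return code, hostname


def greeting_matches_server(greeting, server_ip, resolve):
    """True when the host name announced in the greeting has an A record that
    points back to the IP we connected to. `resolve(name)` returns a list of
    IPv4 strings; inject a DNS lookup or a fixture."""
    _, hostname = parse_greeting(greeting)
    return server_ip in resolve(hostname)


def fetch_greeting(server_ip, port=25, timeout=5.0):
    """Live check: connect, read the first banner line, then QUIT politely.
    For a multi-line greeting ("220-...") only the first line is returned,
    which is the one carrying the host name."""
    with socket.create_connection((server_ip, port), timeout=timeout) as s:
        banner = s.makefile("rb").readline().decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
    return banner


# Constructed sample DNS data, not real hosts.
SAMPLE_DNS = {
    "mail.example.com": ["192.0.2.25"],
    "localhost.localdomain": ["127.0.0.1"],
}


def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    # Constructed banners: one correct, one pointing elsewhere, one multi-line, one unqualified.
    for banner in ("220 mail.example.com ESMTP Postfix",
                   "220 localhost.localdomain ESMTP",
                   "220-mail.example.com ESMTP multi-line greeting",
                   "220 mailserver ESMTP"):
        try:
            ok = greeting_matches_server(banner, "192.0.2.25", sample_resolve)
            print("%-50s -> %s" % (banner, "OK" if ok else "MISMATCH"))
        except ValueError as e:
            print("%-50s -> BAD: %s" % (banner, e))
```

Run it against the real server with `greeting_matches_server(fetch_greeting(ip), ip, lambda n: [a[4][0] for a in socket.getaddrinfo(n, None, socket.AF_INET)])`; a MISMATCH or BAD result is what the report is flagging.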

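Added example for Warning #3 (editor-supplied; not from the thread and not a full RFC 4408 implementation). It evaluates a simple SPF v1 record the way a receiving mail server does, and runs the two cases Jon contrasts: a domain whose mail only leaves from the office's static range, and a roaming user relaying through authenticated SMTP from an arbitrary address. Supported terms are `ip4`, `ip6`, `a`, `mx` and `all` with the `+`, `-`, `~` and `?` qualifiers; `include` and `redirect` are deliberately left out. The `example.com` record, the 203.0.113.0/24 office range and the other addresses are constructed sample data, and DNS lookups are injected so the code runs offline.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches_any(ip, addresses):
    return any(ip == ipaddress.ip_address(a) for a in addresses)


def check_spf(record, sender_ip, domain, resolve_a, resolve_mx):
    """Evaluate `record` (the TXT value published for `domain`) for a message
    arriving from `sender_ip`. `resolve_a(name)` returns a list of address
    strings, `resolve_mx(name)` a list of host names. Returns the SPF result."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF v1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to a pass when they match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # an address with no prefix length is a single host (/32 or /128);
            # a v6 sender is never inside a v4 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "a":
            if _matches_any(ip, resolve_a(arg or domain)):
                return QUALIFIERS[qual]
        elif name == "mx":
            for mxhost in resolve_mx(arg or domain):
                if _matches_any(ip, resolve_a(mxhost)):
                    return QUALIFIERS[qual]
        else:
            raise ValueError("unsupported mechanism: %s" % name)
    return "neutral"  # no "all" term: nothing matched, so no assertion is made


# Constructed sample DNS data for example.com.
SAMPLE_A = {"mail.example.com": ["192.0.2.25"], "example.com": ["192.0.2.80"]}
SAMPLE_MX = {"example.com": ["mail.example.com"]}


def sample_a(name):
    return SAMPLE_A.get(name, [])


def sample_mx(name):
    return SAMPLE_MX.get(name, [])


# The "everyone sends from the office" case Jon describes: the MX host and a
# static office range are authorised, everything else is rejected outright.
OFFICE_RECORD = "v=spf1 mx ip4:203.0.113.0/24 -all"


def evaluate_office_policy(sender_ip, record=OFFICE_RECORD):
    return check_spf(record, sender_ip, "example.com", sample_a, sample_mx)


if __name__ == "__main__":
    for who, ip in (("the MX host itself", "192.0.2.25"),
                    ("a desktop in the office range", "203.0.113.77"),
                    ("a roaming user on hotel wifi", "198.51.100.9")):
        print("%-32s %-15s -> %s" % (who, ip, evaluate_office_policy(ip)))
```

The last line of the output is the problem Jon raises: with `-all`, mail a roaming user sends through authenticated SMTP from an address outside the record evaluates to `fail`, so the record has to list every address mail legitimately leaves from (or end in `~all` while that list is still being assembled).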

