Beantwoord

Reverse DNS incorrectly configured on 86.80.0.0/13 and 2a02:a440::/26

  • 19 June 2019
  • 11 reacties
  • 1294 keer bekeken

Hi,

IP connectivity (KPN) at home provides the following IP addresses.

IPv4: 86.84.126.13
IPv6: 2a02:a450:37ed:1:85bf:d714:75f0:e824

A reverse DNS (PTR) lookup on the IPv4 address gives: ip56547e0d.speed.planet.nl.
A forward DNS lookup on: ip56547e0d.speed.planet.nl is NOT resolved.

A reverse DNS (PTR6) lookup on the IPv6 address gives: custprd-2a02-a450-37ed-0001-85bf-d714-75f0-e824.reverse.kpn.net.
A forward DNS lookup on: custprd-2a02-a450-37ed-0001-85bf-d714-75f0-e824.reverse.kpn.net is NOT resolved.

This gives rise to the following problems :-

1. Certain IP Blacklists (e.g. SpamRat.com) label all IP addresses within these ranges as toxic spammer addresses. Purely due to the reverse DNS configuration.
2. Certain services e.g. Linux SSH flag access from these addresses as potential hack attempts.

  • From a branding standpoint I thought that KPN was moving to a single brand identity, thus I would expect Planet and Hetnet etc. to have disappeared by now.
  • From a reputation management standpoint it is not good to have large ranges of the KPN IP space flagged as toxic IP space.
  • From a customer standpoint it is bad to have an otherwise excellent product tarnished by these small niggles.
  • From a technical standpoint while it is not mandated by the RFCs to have symmetric pairs for reverse DNS (i.e. A/PTR and AAAA/PTR) it is recommended and follows best practice.
I know that this issue has been bouncing back and forth in the forum for several yeas now - but without any resolution!

This is not a nice to have feature - this is a normal expectation from any ISP and it does have a direct impact on customers.

Yours with undying hope
Ian Tree
icon

Beste antwoord door Erwin van KPN 28 June 2019, 19:28

Bekijk origineel

Dit topic is gesloten. Staat je antwoord hier niet bij, gebruik dan de zoekfunctie van de Community of stel je vraag in een nieuw topic.

11 reacties

Hi, @IanTree . I'm afraid this is a bit too technical for me.
Can you please elaborate what kind of practical issues this causes for you? Keeping in mind this is a forum for consumer subscriptions?
@wjb : Any ideas? 🙂
Reputatie 7
The case that reverse DNS is not working for a part of the customers of KPN is quite annoying as several services require reverse DNS like for example running a mailserver.
This has been discussed several times on the forum and the outcome is that KPN will not resolve this issue as it takes to much effort. 😖
Hi @Erwin_,

A sample of problems experienced as a result of the reverse DNS misconfiguration are :-

  1. Users of SMTP/POP/IMAP clients such as Outlook or Thunderbird may not be able to send e-Mails, these can be rejected by the mail server. Usually the error message will refer to a DNSBL failure.
  2. Users may not be able to register with some websites on the internet, the failure will often refer to the user is suspect of being "a spammer or a bot".
  3. Users may be prevented from posting comments on certain forums or other websites again because they are suspected of being a bot or comment spammer.
@wjb,

I know that the problem has been kicked around for forum for a long time, with no result. I put the 4 bullets on branding/reputation/customer satisfaction/technical to emphasise why KPN should take this seriously.
The excuse that it would take too much effort just won't fly. This type of DNS resolution is performed by a small script on the DNS servers and takes very little time and effort to implement.
Hi @IanTree . I am currently mailing with a technical department. I haven't heard from them yet.
To be honest, Im not very hopefull but when I get a reply I will share it with you.
Reputatie 7
And I really hope that KPN will solve this issue as it is really blocking some functionality and that is, as mentioned before, quite annoying.
Hi @Erwin_,

Thanks for taking this up with the "Techs". I keep my fingers crossed.

@wjb, Thanks for the support,

CONGRATULATIONS KPN - WELL DONE!!!!!!! :grinning:

I am not sure when the change happened BUT it has been fully resolved.

Name:    86-84-126-13.fixed.kpn.net
Address:  86.84.126.13
Resolves both forwards and reverse.

Name:    2a02-a450-37ed-1-b4a6-c071-62e9-60d2.fixed6.kpn.net
Address:  2a02:a450:37ed:1:b4a6:c071:62e9:60d2
Also resolves both forwards and reverse.

 

THANKS KPN and a big WELL DONE.

 

Hi KPN,
It appears that the Reverse DNS records for IPV6 do not resolve back to IPs again. Can this be fixed please?
[ Het lijkt erop dat de Reverse DNS records voor IPV6 niet meer resolven naar de oorspronkelijke IP adressen. Kan dit hersteld worden? ]

Thanks!

https://mxtoolbox.com/SuperTool.aspx?action=a%3a2a02-a459-57cd-0-1ee7-c0ff-fee0-1.fixed6.kpn.net&run=toolpage 

 

Reputatie 7

Je moet ook niet een gewone DNS lookup doen maar een AAAA lookup voor IPv6.

 

Je moet ook niet een gewone DNS lookup doen maar een AAAA lookup voor IPv6.

 

*facepalm*  Ik dacht dat ie dat automatisch deed en alle (A/AAAA) records zou teruggeven…
Thanks!