Reverse DNS Hostname Blocking

phogs
Level 1

Hi,

Good day!  Is there a way to block certain Reverse DNS Hostname on the ironport?


Thank you.

4 Replies

Libin Varghese
Cisco Employee

The HAT sender group Blacklist has a default action of blocking connections, and you can add the sending server's IP address, or the reverse DNS hostname of that server (complete or partial), to that sender group.

This is located in the GUI under Mail Policies -> HAT Overview.


Regards 

Libin Varghese 

Hi Libin,

Thank you for that response. It seems that defining it in the HAT Overview is not enough to block the domain. Some unverified domains still get through to our email inbox. Is there any advanced setting for that?

Thank you.

You can also enable envelope sender verification under HAT Mail Flow Policies.


With envelope sender verification, the domain portion of the envelope sender is DNS verified. (Does the envelope sender domain resolve? Is there an A or MX record in DNS for the envelope sender domain?)


In more detail: AsyncOS performs an MX record query for the domain of the sender address. AsyncOS then performs an A record lookup based on the result of the MX record lookup. If the DNS server returns “NXDOMAIN” (there is no record for this domain), AsyncOS treats that domain as non-existent. This falls into the category of “Envelope Senders whose domain does not exist.” NXDOMAIN can mean that the root name servers are not providing any authoritative name servers for this domain.


However, if the DNS server returns “SERVFAIL,” it is categorized as “Envelope Senders whose domain does not resolve.” SERVFAIL means that the domain does exist but DNS is having transient problems looking up the record.


Regards,

Libin Varghese

Each Sender Group in the HAT has three checkboxes:

  • Connecting host PTR does not exist in DNS
  • Connecting host PTR lookup temporary DNS failure
  • Connecting host rDNS does not match A record

As far as I'm aware, a message descending through the HAT groups will be diverted into the ticked group if the condition matches. If you are doing anything clever in later filters or rules, you can even create a specific sender group or groups just for DNS issues so that later filters can see that the group applied and can take action.

You can also go after upstream hosts that appear in the message headers by employing a dictionary with suitable entries for a message filter or content rule. It's less efficient, but accommodates hosts that are only 90% trouble.
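The three checks discussed in this thread, worked through as an added Python example that is not part of the thread and is not AsyncOS code: the Blacklist sender-group match on a complete or partial reverse DNS hostname (first reply), the envelope sender verification that does an MX query and then an A query on the result, separating NXDOMAIN ("domain does not exist") from SERVFAIL ("domain does not resolve") (third reply), and the three per-sender-group PTR checks (last reply). All DNS answers come from a constructed in-memory table using documentation names and addresses, so it runs offline; falling back to the domain's own A record when there is no MX, treating a SERVFAIL on the forward lookup as a temporary failure, and the leading-dot semantics for partial hostnames are this example's assumptions, not documented appliance behaviour.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple, Union


class NXDOMAIN(Exception):
    """Authoritative negative answer: the name does not exist."""


class SERVFAIL(Exception):
    """Temporary lookup failure (server failure or timeout)."""


Answer = Union[List[str], Exception]
Resolver = Callable[[str, str], List[str]]

# Constructed DNS table (assumption; 203.0.113.0/24, 198.51.100.0/24 and the
# example./.invalid names are reserved documentation values, not real hosts).
FAKE_ZONE: Dict[Tuple[str, str], Answer] = {
    # Connecting-host cases: PTR lookup, then forward A lookup of the PTR name
    ("5.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.5"],        # forward-confirmed
    ("6.113.0.203.in-addr.arpa", "PTR"): NXDOMAIN(),   # no PTR record at all
    ("7.113.0.203.in-addr.arpa", "PTR"): SERVFAIL(),   # PTR lookup tempfail
    ("8.113.0.203.in-addr.arpa", "PTR"): ["spoofed.example.org"],
    ("spoofed.example.org", "A"): ["198.51.100.8"],    # does not point back
    # Envelope-sender cases: MX lookup, then A lookup of the MX host
    ("example.net", "MX"): ["mail.example.net"],
    ("nonexistent.invalid", "MX"): NXDOMAIN(),
    ("flaky.example", "MX"): SERVFAIL(),
    ("a-only.example", "MX"): [],                      # no MX; A-only domain
    ("a-only.example", "A"): ["198.51.100.20"],
}


def fake_lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: returns a record list or raises NXDOMAIN/SERVFAIL.
    Swap in a real resolver with the same signature to run this live."""
    answer = FAKE_ZONE.get((name.rstrip(".").lower(), rtype), NXDOMAIN())
    if isinstance(answer, Exception):
        raise answer
    return answer


def hat_rdns_match(ptr_name: str, entries: List[str]) -> bool:
    """Sender-group style match on the reverse DNS hostname. An entry without a
    leading dot must match exactly; '.example.org' matches every host under that
    domain (assumed semantics for a 'partial' hostname entry)."""
    host = ptr_name.rstrip(".").lower()
    for entry in entries:
        entry = entry.rstrip(".").lower()
        if entry.startswith(".") and host.endswith(entry):
            return True
        if host == entry:
            return True
    return False


def verify_envelope_sender(domain: str, lookup: Resolver = fake_lookup) -> str:
    """Classify the envelope-sender domain: MX query, then A query on the MX
    hosts. NXDOMAIN -> 'domain does not exist', SERVFAIL -> 'domain does not
    resolve'. With no MX the domain's own A record is tried (assumption)."""
    try:
        mx_hosts = lookup(domain, "MX")
    except NXDOMAIN:
        return "domain does not exist"
    except SERVFAIL:
        return "domain does not resolve"
    saw_tempfail = False
    for host in mx_hosts or [domain]:
        try:
            if lookup(host, "A"):
                return "ok"
        except NXDOMAIN:
            continue
        except SERVFAIL:
            saw_tempfail = True
    return "domain does not resolve" if saw_tempfail else "domain does not exist"


def verify_connecting_host(ip: str, lookup: Resolver = fake_lookup) -> Tuple[str, str]:
    """Apply the three sender-group DNS checkboxes to a connecting IP.
    Returns (verdict, ptr_name); ptr_name is '' when no PTR was obtained."""
    reverse_name = ipaddress.ip_address(ip).reverse_pointer  # x.x.x.x.in-addr.arpa
    try:
        ptr_names = lookup(reverse_name, "PTR")
    except NXDOMAIN:
        return ("PTR does not exist", "")
    except SERVFAIL:
        return ("PTR lookup temporary failure", "")
    if not ptr_names:
        return ("PTR does not exist", "")
    for name in ptr_names:
        try:
            if ip in lookup(name, "A"):
                return ("ok", name)          # forward-confirmed reverse DNS
        except NXDOMAIN:
            continue
        except SERVFAIL:                     # assumption: treat as temporary
            return ("PTR lookup temporary failure", name)
    return ("rDNS does not match A record", ptr_names[0])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"):
        verdict, ptr = verify_connecting_host(ip)
        blocked = hat_rdns_match(ptr, [".example.org"]) if ptr else False
        print(f"{ip:<14} {verdict:<34} ptr={ptr or '-':<22} blacklist={blocked}")
    for dom in ("example.net", "nonexistent.invalid", "flaky.example", "a-only.example"):
        print(f"{dom:<22} {verify_envelope_sender(dom)}")
```

Keeping the resolver injectable is what makes the SERVFAIL branches testable: a live resolver only returns them when a remote nameserver is actually broken, which is exactly the case you want a sender-group rule for.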