Sunday, February 21. 2021
Please do not put IP addresses into DNS MX records
I want to highlight a common misconfiguration in the DNS records for e-mail servers.When a domain is configured to receive mails usually a DNS record of the type MX is configured pointing to the host name of the mail server.
Notably, according to the respective RFC 1035 the MX record must contain a domain name and may not directly point to an IP address. However some mail servers do configure an IP address. Many mail servers are lenient when it comes to this misconfiguration and will deliver mails nevertheless, so this may stay undetected.
I happen to use a mail server that is less forgiving (Courier), and every now and then I cannot send a mail due to this. It’s rare, but it does happen. If your mail server has such a configuration you may not receive some legitimate e-mails.
So I’m hoping to raise some awareness and get some of those servers fixed.
- Obviously if you run a mail and DNS server please don’t do this and correctly set your MX records.
- If you do any kind of IT service or consulting that is related to mail and DNS servers this is a good thing to add to your list of things to check regularly (here's a very simple python script you can use).
- If you run any form of service or tool that checks DNS and mail servers for misconfigurations, please add a check for IP addresses in MX records and warn your users. Unfortunately only few services do this currently (thanks to Hardenize and IntoDNS who will warn users about this), and some popular services don’t.
I did a quick scan of the Alexa Top 1 Million list. Currently around 0,06 % are affected (if you happen to know someone responsible for a host on this list please consider pointing them to this blogpost). I hope by writing this I can reduce that number, I may later try to contact them via their postmaster alias.
(Image source: nohat.cc / CC0)
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Dear Hanno,
I like to comment on your posting with the following remarks:
1. [Some] mail servers do configure an IP address.
No, it is the DNS responsible person acting here erroneously.
2. Given (1.) this is only possible for IPv4 addresses since they obey the same syntax as domain names (dotted-decimal).
IPv6 addresses with colons have a different syntax.
3. To publish DNS records usually requires the parsing of the DATA section prior of populating the database for a DNS content server. It is an easy task for the SW to recognise and check IPv4 addresses prior of inserting (and of course to avoid them).
4. You should blame these SW; errors are human. SW should validate the input.
5. Setting up MX records needs to supply
a) the domain name
b) the weight
c) the responsible MX server (given by name)
d) the corresponding A/AAAA addresses.
6. Given a functioning MX server
a) reverse DNS entires (in-addr.arpa, ip6.arpa),
b) SPF records,
c) TLSA records,
d) and other domain verification materials
needs to be published.
Today in the current Internet, it is much more than just setting up a MX.
Regards.
--eh.
I like to comment on your posting with the following remarks:
1. [Some] mail servers do configure an IP address.
No, it is the DNS responsible person acting here erroneously.
2. Given (1.) this is only possible for IPv4 addresses since they obey the same syntax as domain names (dotted-decimal).
IPv6 addresses with colons have a different syntax.
3. To publish DNS records usually requires the parsing of the DATA section prior of populating the database for a DNS content server. It is an easy task for the SW to recognise and check IPv4 addresses prior of inserting (and of course to avoid them).
4. You should blame these SW; errors are human. SW should validate the input.
5. Setting up MX records needs to supply
a) the domain name
b) the weight
c) the responsible MX server (given by name)
d) the corresponding A/AAAA addresses.
6. Given a functioning MX server
a) reverse DNS entires (in-addr.arpa, ip6.arpa),
b) SPF records,
c) TLSA records,
d) and other domain verification materials
needs to be published.
Today in the current Internet, it is much more than just setting up a MX.
Regards.
--eh.
The MX record's name also serve as the key in the SSL certificate when using DKIM DMARC. So, if you use an IP address here, there's no way you'll be able to set up DKIM/DMARC.
This has nothing to do with DKIM/DMARC. Maybe you're referring to mta-sts where the mx actually needs to have a valid certificate for that hostname.