I’m on at least 2 blocklists at this point for the crime of not having reverse DNS set up. I don’t know how rDNS works. No amount of reading Wikipedia is helping me understand what I have to do.

  • I have a domain at a registrar which gives me bog standard DNS.
  • I have Apache running on my network.
  • I have PiHole running on my network.

My understanding is that rDNS is not set up at my registrar, but somewhere in my network. What do I do?

Thank you for your time.

    • drkt@feddit.dkOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I would love to tell you why they do this, but I can’t. I can only tell you that they tell me it’s because I don’t have rDNS

      These guys are blocking me http://www.uceprotect.net/en/rblcheck.php “Level 1 HIGH DNS problem WARNING: No Reverse-DNS (PTR) is assigned to your IP”

      These guys are blocking a friend of mine who has the same setup as me https://matrix.spfbl.net " No rDNS was found. This IP has been flagged because have none valid FCrDNS. Register a valid rDNS for this IP, which points to the same IP. The rDNS must be registered under your own domain for you be able to delist it."

      • Shadow@lemmy.ca
        link
        fedilink
        English
        arrow-up
        8
        ·
        1 year ago

        Are you sending email from your ip?

        If not this is irrelevant. Those block lists are only for email related spam filtering.

        If you are, don’t send email from a home isp

        • drkt@feddit.dkOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          No emails just routing issues.

          Copy pasted but I have routing issues that neither my ISP nor the people who suffer from it can pinpoint. I’m so far down this rabbit hole that I’m assuming my IP got on a blacklist that’s sitting on some random networking infrastructure and I’m just trying to resolve all blacklist issues on the off chance that it works.

              • Shadow@lemmy.ca
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Replied in another part of this thread, but basically those blacklists are specific to SMTP and you can just disregard them. They’re not related to any sort of network/routing issue you’re seeing.

      • redcalcium@lemmy.institute
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Ugh, uceprotect is the worst of the worst with overly strict rules to encourage paying them to whitelist your IP. Just ignore them.

        • drkt@feddit.dkOP
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          I want to, but I have routing issues that neither my ISP nor the people who suffer from it can pinpoint. I’m so far down this rabbit hole that I’m assuming my IP got on a blacklist that’s sitting on some random networking infrastructure and I’m just trying to resolve all blacklist issues on the off chance that it works.

          • chiisana@lemmy.chiisana.net
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 year ago

            DNSBL as result of lack of rDNS isn’t going to affect routing. Can you perhaps describe exactly what you’re having, and maybe we can figure out the solution together?

            • drkt@feddit.dkOP
              link
              fedilink
              English
              arrow-up
              0
              ·
              1 year ago

              I would pay you money if you can fix this issue.

              A number of people can’t route to me at all. My domain is drkt.eu and sits on port 80 and 443 @ 89.150.135.135 and 2a05:f6c7:8039::1337

              IPv6 is not big in my country, and I don’t think anyone afflicted has IPv6 so I can’t tell you if this affects both v4 and v6.

              It’s not a DNS issue, as the afflicted users can get the correct IPs from nslookup.

              Mullvad VPN users are consistently unable to route to me.

              One friend can’t route to me from his workplace network. It’s a small network and their admin claims they don’t block anything so it’s a mystery to him as well.

              Another friend across town can’t reach my network despite being so close to me hop-wise, but his network is run by wacks and is consequently also quite wack. I can’t confidently say this is the same issue.

              I’m not dropping any connections for any reason. My ISP claims they aren’t doing any blocking of domains or IPs.

              Traceroutes time out at consistent hops but it’s different per afflicted network. The only recurring name has been costumer.tdc.net

              It might not be related, but I can’t route to catbox.moe and their admin says my IPs are not blacklisted in any of their systems.

              What’s your input?

              • chiisana@lemmy.chiisana.net
                link
                fedilink
                English
                arrow-up
                0
                ·
                1 year ago

                It’s not a DNS issue, as the afflicted users can get the correct IPs from nslookup.

                You are correct; looking at the resolutions via Google’s toolbox, it seems to be resolving fine.

                Traceroutes time out at consistent hops but it’s different per afflicted network. The only recurring name has been costumer.tdc.net

                I did a couple of traceroute tests from a couple locations (two data centres, my local WiFi, and via cellular data), and they all seem to end at cpe.ae20-0.khk7nqp8.dk.customer.tdc.net. In teleco terms, cpe usually means “Client/Customer Premise Equipment”, so it wouldn’t surprise me if that is the address assigned to the network equipment closest to your server’s local network (think neighborhood hub, or PON on premise, something super close to the demarcation point). If everyone else is able to get that far, then I’m more inclined to think the drop is happening on your equipment, not your ISP’s equipment; but having said that, if this is a residential network (regardless if ISP is provisioning you gigabit connectivity via fibre or whatever), there will always be a likelihood for ISP to be doing more filtering.

                If you don’t mind, what is the gateway you’re using? Is there an ISP gateway and then your own, or straight from ISP equipment into your network? Are there any (single/double) NAT going on? Are there’s any security/filtering options on (either) equipment(s)?

                • drkt@feddit.dkOP
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  edit-2
                  1 year ago

                  I have an ISP issued fiber modem that goes straight into my pfsense box. For IPv4 I have NAT and Firewall, for v6 it’s just the firewall. It should be noted that I’ve been hosting with this setup for years and it wasn’t a problem until I got this ISP at this location. I’ve had this ISP elsewhere without problems and another ISP here where it also wasn’t a problem.

                  The traceroutes getting dropped was a misconfiguration in my firewall on my part, it should work now!

                  My friend across town can now ping me successfully but going to my website still gives him ERR_CONNECTION_TIMED_OUT in browser.

                  EDIT ----------

                  I got another troublesome user to run a quick test with the new firewall config. Also can’t reach my website. Pings DO time out for him! Traceroute expectedly also fails, last hop was cpe.ae20-0.khk7nqp8.dk.costumer.tdc.net [87.61.121.169]

                  • chiisana@lemmy.chiisana.net
                    link
                    fedilink
                    English
                    arrow-up
                    0
                    ·
                    edit-2
                    1 year ago

                    From my side, I now see 3 ???s between the CPE and your IP address, which is also responding, so that’s great.

                    Can your friend do something like curl -vvv https://drkt.eu or whatever to see if the time out happens before/after SSL handshake etc.? Also, do they have any firewalls / security appliances configured to filter content? I’d be curious to see dig or nslookup result, ping or traceroute result, and curl -vvv result, just to understand where it is breaking down.

                    Also, do you have a login to your ISP’s equipment? Are you able to set it to bridge mode to bypass it altogether? Just throwing ideas out there, to see if there is anything else on the go. That cpe device is also pretty curious for sure.

                    Edit: Also, if they can get a response from ping, then it is probably not routing, but something else on the connection to the service / port itself. That’s what I’m hoping we can figure out from the various outputs.