Sam Spade is still good....


-----Original Message-----
From: Jason Gurtz [mailto:jasongu...@npumail.com] 
Sent: Monday, February 23, 2009 1:23 PM
To: MS-Exchange Admin Issues
Subject: HOWTO: do reverse lookups (PTR records) with the nslookup tool

Note: the dig tool is easier and better than nslookup, but unfortunately
doesn't come with Windows.  You can download the Windows port of the BIND
name server and find dig there, but that's extra steps to find out just
what DLLs you also need, etc...  If you're going to do this a lot I do
recommend that you take the time to learn dig instead of nslookup.

> In the reverse DNS section of this tool, do I need to check the box?  I
> don't host my external DNS records, so I don't know what PTR records, if
> any, are out there.

Open a cmd prompt. Type nslookup and press Enter. At the new "> " prompt
type set type=ptr and press Enter.

wacky thing #1: IP addy that you query is backwards from what it is
wacky thing #2: you are querying for the backwards address in this weird
domain called in-addr.arpa.  You can think of .in-addr.arpa as being to
IP addresses the same as .com. or .org. are to domain names.  It is the
story of the whale; it's just how it is.

So, for example let's look up some aol.com PTR records...3 MX records I
see are:

mailin-01.mx.aol.com    internet address = 205.188.156.248
mailin-02.mx.aol.com    internet address = 205.188.249.91
mailin-03.mx.aol.com    internet address = 205.188.252.17

Hey, let's see if their ducks are in a row! To query the PTR record for
the first one just type this:

> 248.156.188.205.in-addr.arpa

After pressing enter you should see something like this :

Non-authoritative answer:
248.156.188.205.in-addr.arpa    name = dd.mx.aol.com

What!?  dd.mx.aol.com != mailin-01.mx.aol.com.  Well that's OK, aol is
probably not sending any mail out from this box here ;)  Likely, that
"box" is a load balancer of some type...  OK, trawling through some logs
here I do see them sending mail from host imo-d05.mx.aol.com which has an
address of 205.188.157.37.  Let's check it out!

> set type=a
> imo-d05.mx.aol.com
Server:  dns-01.ns.aol.com
Address:  64.12.51.132

Name:    imo-d05.mx.aol.com
Address:  205.188.157.37

[Yup, still sitting on the same addy]

> set type=ptr
> 37.157.188.205.in-addr.arpa
Server:  dns-01.ns.aol.com
Address:  64.12.51.132

37.157.188.205.in-addr.arpa     name = imo-d05.mx.aol.com

[This time we have a match! AOL admins know what they're doing.]

157.188.205.in-addr.arpa    nameserver = dns-02.ns.aol.com
157.188.205.in-addr.arpa    nameserver = dns-01.ns.aol.com
dns-01.ns.aol.com   internet address = 64.12.51.132
dns-02.ns.aol.com   internet address = 205.188.157.232

So yeppers, all aol.com ducks in a row for that outbound server.  As you
can see nslookup also tells you what name servers have authority for the
address space containing 205.188.157.37.  Using a whois tool you can
lookup who has registered ownership of the IP block.  Now we're getting
off on a spam fighting tangent....

If you want to script nslookup to do auditing you can use the tool like
this to query one address at a time.  Now you can loop over a whole block
of IPs that you might own in a batch file or PowerShell or whatever:

C:\>nslookup -type=ptr 37.157.188.205.in-addr.arpa dns-01.ns.aol.com

The last argument (DNS server to query) is optional. By default, nslookup
should be querying the first DNS server listed in your ipconfig /all
output.  If you're at the nslookup prompt the command "server
<serverName|IP>" will do the same thing.  Check the ? command to see other
commands.  Note: -type=a would be redundant since it's the default query
type assumed, and obviously -type=mx could be useful in the email world as
well.

~JasonG
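The procedure in the message above (reverse the octets, hang them under in-addr.arpa, query PTR, then look up the A record of the returned name and confirm it still lists the original IP, looping over a block you own) as a script. This is an added example, not Jason's code or anything from the list. The stub zone is constructed from the aol.com records quoted in the message plus invented TEST-NET addresses (192.0.2.0/24, example.net) that exercise the failure cases; the message does not show an A record for dd.mx.aol.com, so the stub has none and that check reports "not confirmed". The live_resolver function assumes the third-party dnspython package. It goes one step beyond the message by applying the same reversal rule to IPv6 (nibbles under ip6.arpa).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, scripted.

Steps from the message above: reverse the address octets, append
.in-addr.arpa, query PTR, then query the PTR target's A record and confirm
it lists the original IP, and loop that over a whole block of IPs.
Added example, not the poster's code.  The stub zone is constructed from
the aol.com records quoted in the message plus invented 192.0.2.0/24
(TEST-NET-1) entries for the failure cases; live_resolver needs dnspython.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver maps (owner name, query type) to a list of RDATA strings.
Resolver = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """Build the reverse-lookup owner name by hand.

    IPv4: octets reversed under in-addr.arpa ("wacky thing #1 and #2").
    IPv6: the same trick on the 32 hex nibbles under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
        name = ".".join(reversed(labels)) + ".in-addr.arpa"
    else:
        nibbles = addr.exploded.replace(":", "")
        name = ".".join(reversed(nibbles)) + ".ip6.arpa"
    # The standard library knows the same rule; use it to cross-check ours.
    assert name == addr.reverse_pointer
    return name


def fcrdns_check(ip: str, resolve: Resolver) -> Tuple[str, bool]:
    """Return (ptr_target, confirmed).

    confirmed is True only when the PTR target's A/AAAA record contains the
    original IP, i.e. the "ducks in a row" case from the message.  A missing
    PTR gives ("", False); a PTR whose forward record points elsewhere (or
    has no forward record at all) gives (name, False).
    """
    addr = ipaddress.ip_address(ip)
    fwd_type = "A" if addr.version == 4 else "AAAA"
    ptrs = resolve(reverse_name(ip), "PTR")
    if not ptrs:
        return ("", False)
    target = ptrs[0].rstrip(".")
    forward = {str(ipaddress.ip_address(a)) for a in resolve(target, fwd_type)}
    return (target, str(addr) in forward)


def audit_block(cidr: str, resolve: Resolver) -> Dict[str, Tuple[str, bool]]:
    """Run fcrdns_check over every host address in a block you own."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {str(h): fcrdns_check(str(h), resolve) for h in net.hosts()}


# Constructed stub zone: the aol.com lines are the ones quoted in the message
# (dd.mx.aol.com has no A record here because the message never shows one);
# the 192.0.2.x (TEST-NET-1) entries are invented to exercise the failure paths.
STUB_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("248.156.188.205.in-addr.arpa", "PTR"): ["dd.mx.aol.com."],
    ("mailin-01.mx.aol.com", "A"): ["205.188.156.248"],
    ("37.157.188.205.in-addr.arpa", "PTR"): ["imo-d05.mx.aol.com."],
    ("imo-d05.mx.aol.com", "A"): ["205.188.157.37"],
    # PTR exists but the name's A record points somewhere else: not confirmed.
    ("9.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("mail.example.net", "A"): ["192.0.2.77"],
    # 192.0.2.10 deliberately has no PTR at all.
}


def stub_resolver(name: str, qtype: str) -> List[str]:
    """Offline resolver over STUB_ZONE (empty list = NXDOMAIN / no answer)."""
    return list(STUB_ZONE.get((name.rstrip(".").lower(), qtype.upper()), []))


def live_resolver(name: str, qtype: str) -> List[str]:
    """Resolver over real DNS via dnspython (third-party: pip install dnspython)."""
    import dns.resolver  # imported lazily so the offline demo needs no extra package
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, qtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


if __name__ == "__main__":
    for ip in ("205.188.157.37", "205.188.156.248", "192.0.2.9", "192.0.2.10"):
        target, ok = fcrdns_check(ip, stub_resolver)
        print(f"{ip:16} {reverse_name(ip):32} PTR={target or '(none)':22} confirmed={ok}")
```

To run it against real DNS, pass live_resolver instead of stub_resolver (for example audit_block("203.0.113.0/28", live_resolver) for a block you own). As the message notes, a PTR name that differs from the MX hostname is not by itself a problem; what matters for outbound mail is that the PTR target's A record points back at the sending IP, which is exactly the confirmed=True case for imo-d05.mx.aol.com.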

-- 

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~             http://www.sunbeltsoftware.com/Ninja                ~
