Google is your friend...

On Mon, Feb 23, 2009 at 11:45, Jason Gurtz <jasongu...@npumail.com> wrote:
> Very nice!
>
>> -----Original Message-----
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Monday, February 23, 2009 13:52
>> To: MS-Exchange Admin Issues
>> Subject: Re: HOWTO: do reverse lookups (PTR records) with the nslookup
>> tool
>>
>> A Win32 version of dig: http://members.shaw.ca/nicholas.fong/dig/
>>
>> On Mon, Feb 23, 2009 at 09:23, Jason Gurtz <jasongu...@npumail.com>
>> wrote:
>> > Note: the dig tool is easier and better than nslookup, but unfortunately
>> > doesn't come with windows.  You can download the Windows port of the BIND
>> > name server and find dig there, but that's extra steps to find out just
>> > what dlls you also need, etc...  If you're going to do this a lot I do
>> > recommend that you take the time to learn dig instead of nslookup.
>> >
>> >> In the reverse DNS section of this tool, do I need to check the box?  I
>> >> don't host my external DNS records, so I don't know what PTR records, if
>> >> any, are out there.
>> >
>> > Open cmd prompt. Type nslookup and press enter. At the new "> " prompt
>> > type set type=ptr and press enter.
>> >
>> > wacky thing #1: IP addy that you query is backwards from what it is
>> > wacky thing #2: you are querying for the backwards address in this weird
>> > domain called in-addr.arpa.  You can think of .in-addr.arpa as being to
>> > IP addresses the same as .com. or .org. are to domain names.  It is the
>> > story of the whale; it's just how it is.
>> >
>> > So, for example let's look up some aol.com PTR records...3 MX records I
>> > see are:
>> >
>> > mailin-01.mx.aol.com    internet address = 205.188.156.248
>> > mailin-02.mx.aol.com    internet address = 205.188.249.91
>> > mailin-03.mx.aol.com    internet address = 205.188.252.17
>> >
>> > Hey, let's see if their ducks are in a row! To query the PTR record for
>> > the first one just type this:
>> >
>> >> 248.156.188.205.in-addr.arpa
>> >
>> > After pressing enter you should see something like this:
>> >
>> > Non-authoritative answer:
>> > 248.156.188.205.in-addr.arpa    name = dd.mx.aol.com
>> >
>> > What!?  dd.mx.aol.com != mailin-01.mx.aol.com.  Well that's OK, aol is
>> > probably not sending any mail out from this box here ;)  Likely, that
>> > "box" is a load balancer of some type...  OK, trawling through some logs
>> > here I do see them sending mail from host imo-d05.mx.aol.com which has an
>> > address of 205.188.157.37.  Let's check it out!
>> >
>> >> set type=a
>> >> imo-d05.mx.aol.com
>> > Server:  dns-01.ns.aol.com
>> > Address:  64.12.51.132
>> >
>> > Name:    imo-d05.mx.aol.com
>> > Address:  205.188.157.37
>> >
>> > [Yup, still sitting on the same addy]
>> >
>> >> set type=ptr
>> >> 37.157.188.205.in-addr.arpa
>> > Server:  dns-01.ns.aol.com
>> > Address:  64.12.51.132
>> >
>> > 37.157.188.205.in-addr.arpa     name = imo-d05.mx.aol.com
>> >
>> > [This time we have a match! AOL admins know what they're doing.]
>> >
>> > 157.188.205.in-addr.arpa    nameserver = dns-02.ns.aol.com
>> > 157.188.205.in-addr.arpa    nameserver = dns-01.ns.aol.com
>> > dns-01.ns.aol.com   internet address = 64.12.51.132
>> > dns-02.ns.aol.com   internet address = 205.188.157.232
>> >
>> > So yeppers, all aol.com ducks in a row for that outbound server.  As you
>> > can see nslookup also tells you what name servers have authority for the
>> > address space containing 205.188.157.37.  Using a whois tool you can
>> > look up who has registered ownership of the IP block.  Now we're getting
>> > off on a spam fighting tangent....
>> >
>> > If you want to script nslookup to do auditing you can use the tool like
>> > this to query one address at a time.  Now you can loop over a whole block
>> > of IPs that you might own in a batch file or powershell or whatever:
>> >
>> > C:\>nslookup -type=ptr 37.157.188.205.in-addr.arpa dns-01.ns.aol.com
>> >
>> > The last argument (dns server to query) is optional. By default, nslookup
>> > should be querying the first dns server listed in your ipconfig /all
>> > output.  If you're at the nslookup prompt the command "server
>> > <serverName|IP>" will do the same thing.  Check the ? command to see other
>> > commands.  Note: -type=a would be redundant since it's the default query
>> > type assumed and obviously -type=mx could be useful in the email world as
>> > well.
>> >
>> > ~JasonG
>> >
>> > --
>> >
>> > ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
>> > ~             http://www.sunbeltsoftware.com/Ninja                ~
>> >
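The "ducks in a row" check above (IP to PTR name, then PTR name back to the same IP, known as forward-confirmed reverse DNS) is what a scripted audit over a block of addresses should test. The following is an added example, not code from the thread or its authors: it builds the reversed in-addr.arpa name, drives the non-interactive `nslookup -type=... <name> [server]` form the thread shows, parses the answer text, and reports whether the loop closes. The nslookup replies embedded below are constructed from the answers printed in the thread; the 203.0.113.10 forward answer for dd.mx.aol.com is invented to show a mismatch, and `run_nslookup` assumes nslookup is on PATH. It goes one step beyond the thread by handling IPv6 (ip6.arpa) names as well.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check driven by nslookup output.

Added example; not code from the mailing-list thread. Sample replies are
constructed; the AOL names/addresses in them are the ones the thread shows.
"""
import ipaddress
import re
import subprocess
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str, str, Optional[str]], str]


def reverse_name(ip: str) -> str:
    """Reversed-octet query name ('wacky thing #1' in the thread).

    Goes beyond the thread's IPv4 case: an IPv6 address gets the
    nibble-reversed ip6.arpa form, which ipaddress builds for both families.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def run_nslookup(qtype: str, name: str, server: Optional[str] = None) -> str:
    """Non-interactive nslookup, as in the thread's batch example.

    Assumes nslookup is on PATH; the only function here that uses the network.
    """
    cmd = ["nslookup", f"-type={qtype}", name]
    if server:
        cmd.append(server)  # optional last argument: which DNS server to ask
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout


def parse_ptr_answer(text: str) -> Optional[str]:
    """PTR target from a line like
    '37.157.188.205.in-addr.arpa     name = imo-d05.mx.aol.com'.
    The 'nameserver = ...' authority lines do not match and are ignored."""
    m = re.search(r"^\S+\.arpa\s+name\s*=\s*(\S+)\s*$", text, re.M | re.I)
    return m.group(1).rstrip(".").lower() if m else None


def parse_a_answer(text: str) -> List[str]:
    """Answer addresses from 'set type=a' style output.

    The Address: line right under Server: is the resolver, not the answer, so
    addresses are collected only after the 'Name:' line that starts the answer.
    Handles 'Addresses:' with several values and wrapped continuation lines.
    """
    addrs: List[str] = []
    in_answer = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        s = re.sub(r"^Address(?:es)?:", "", s)
        for tok in re.split(r"[\s,]+", s):
            try:
                addrs.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                pass  # blank, 'Aliases:' text, hostnames: not an address
    return addrs


def fcrdns(ip: str, lookup: Lookup = run_nslookup,
           server: Optional[str] = None) -> Dict[str, object]:
    """Check that ip -> PTR name -> A/AAAA record leads back to ip."""
    ptr = parse_ptr_answer(lookup("ptr", reverse_name(ip), server))
    forward = parse_a_answer(lookup("a", ptr, server)) if ptr else []
    match = ptr is not None and str(ipaddress.ip_address(ip)) in forward
    return {"ip": ip, "ptr": ptr, "forward": forward, "match": match}


# Constructed nslookup replies keyed by (query type, name). The AOL values
# come from the thread; the dd.mx.aol.com forward answer is invented.
SAMPLE_REPLIES: Dict[tuple, str] = {
    ("ptr", "37.157.188.205.in-addr.arpa"): (
        "Server:  dns-01.ns.aol.com\nAddress:  64.12.51.132\n\n"
        "37.157.188.205.in-addr.arpa     name = imo-d05.mx.aol.com\n"
        "157.188.205.in-addr.arpa    nameserver = dns-02.ns.aol.com\n"
        "157.188.205.in-addr.arpa    nameserver = dns-01.ns.aol.com\n"
    ),
    ("a", "imo-d05.mx.aol.com"): (
        "Server:  dns-01.ns.aol.com\nAddress:  64.12.51.132\n\n"
        "Name:    imo-d05.mx.aol.com\nAddress:  205.188.157.37\n"
    ),
    ("ptr", "248.156.188.205.in-addr.arpa"): (
        "Non-authoritative answer:\n"
        "248.156.188.205.in-addr.arpa    name = dd.mx.aol.com\n"
    ),
    ("a", "dd.mx.aol.com"): (  # constructed: forward does not point back
        "Server:  dns-01.ns.aol.com\nAddress:  64.12.51.132\n\n"
        "Name:    dd.mx.aol.com\nAddress:  203.0.113.10\n"
    ),
}


def sample_lookup(qtype: str, name: str, server: Optional[str] = None) -> str:
    """Offline stand-in for run_nslookup; unknown names get a 'can't find' reply."""
    return SAMPLE_REPLIES.get((qtype, name),
                              f"*** Can't find {name}: Non-existent domain\n")


if __name__ == "__main__":
    # Loop over a block of addresses, as the thread suggests scripting; swap
    # sample_lookup for run_nslookup to query real servers.
    for addr in ("205.188.157.37", "205.188.156.248", "192.0.2.1"):
        print(fcrdns(addr, sample_lookup))
```

To audit a whole block you own, iterate `ipaddress.ip_network("203.0.113.0/24")` (placeholder range) and call `fcrdns(str(host))`; any result with `match` False is a PTR that is missing or points at a name whose forward record does not return to the address, which is exactly the mismatch the dd.mx.aol.com case above illustrates.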