• reverse lookup validation failed - how do I fix this?

    From Nigel Reed@21:1/5 to All on Mon Mar 31 02:11:44 2025
    Hi all,

    I see a of these in my log files:


    Mar 31 02:01:39 newsfeed nnrpd[3339866]: ? reverse lookup for 2001:41d0:a:280::1 failed: reverse lookup validation failed -- using IP address for access

    Mar 31 02:01:39 newsfeed nnrpd[3339866]: ? reverse lookup for 2602:fe64:8::7 failed: reverse lookup validation failed -- using IP address for access


    Odd thing is, both have RDNS entries. The first is for news.nntp4.net
    and the 2nd is for my own server, newsfeed.endofthelinebbs.com.


    Interestingly, news.nntp4.net does not resolve back to that IP, it uses 2001:41d0:700:1273::

    Mine definitely does, however.

    Open to suggestions.

    Thanks.

    --
    End Of The Line BBS - Plano, TX
    telnet endofthelinebbs.com 23

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Nigel Reed on Mon Mar 31 04:58:28 2025
    Nigel Reed wrote:

    Mar 31 02:01:39 newsfeed nnrpd[3339866]: ? reverse lookup for 2001:41d0:a:280::1 failed: reverse lookup validation failed -- using IP address for access

    Interestingly, news.nntp4.net does not resolve back to that IP, it uses 2001:41d0:700:1273::

    That's probably why the "reverse lookup validation failed"
    otherwise someone could map their IP to any name they like
    to get around hostname based access control.

    MTAs have done that kind of check "for ages".

    BTW: does the DNS resolver used by nnrpd give the expected
    result for your own IP?

  • From Nigel Reed@21:1/5 to All on Mon Mar 31 05:21:56 2025
    On Mon, 31 Mar 2025 04:58:28 -0400 (EDT)
    Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
    wrote:

    Nigel Reed wrote:

    Mar 31 02:01:39 newsfeed nnrpd[3339866]: ? reverse lookup for 2001:41d0:a:280::1 failed: reverse lookup validation failed --
    using IP address for access

    Interestingly, news.nntp4.net does not resolve back to that IP, it
    uses 2001:41d0:700:1273::

    That's probably why the "reverse lookup validation failed"
    otherwise someone could map their IP to any name they like
    to get around hostname based access control.

    MTAs have done that kind of check "for ages".

    BTW: does the DNS resolver used by nnrpd give the expected
    result for your own IP?

    I'm pretty sure I said in the original message that my IP resolves
    correctly. You seem to have ignored that paragraph.


    news@newsfeed:~$ host 2602:fe64:8::7
    7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.0.4.6.e.f.2.0.6.2.ip6.arpa domain name pointer newsfeed.endofthelinebbs.com.

    news@newsfeed:~$ host newsfeed.endofthelinebbs.com
    newsfeed.endofthelinebbs.com has address 144.172.126.95
    newsfeed.endofthelinebbs.com has IPv6 address 2602:fe64:8::7

    news@newsfeed:~$ host 144.172.126.95
    95.126.172.144.in-addr.arpa domain name pointer newsfeed.endofthelinebbs.com.


    All my IPs resolve correctly.




    --
    End Of The Line BBS - Plano, TX
    telnet endofthelinebbs.com 23

  • From Marco Moock@21:1/5 to All on Mon Mar 31 19:32:58 2025
    On 31.03.2025 at 02:11 Nigel Reed wrote:

    Mar 31 02:01:39 newsfeed nnrpd[3339866]: ? reverse lookup for 2001:41d0:a:280::1 failed: reverse lookup validation failed -- using
    IP address for access

    m@ryz:~$ host 2001:41d0:a:280::1
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.2.0.a.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa domain name pointer news.nntp4.net.
    m@ryz:~$ host news.nntp4.net
    news.nntp4.net has address 54.36.109.115
    news.nntp4.net has IPv6 address 2001:41d0:700:1273::
    m@ryz:~$

    Faulty, contact Timo:
    https://news.nntp4.net/contact.php


    Mar 31 02:01:39 newsfeed nnrpd[3339866]: ? reverse
    lookup for 2602:fe64:8::7 failed: reverse lookup validation failed --
    using IP address for access

    Looks good for me, test your DNS.


    --
    kind regards
    Marco

    Send spam to [email protected]

  • From Claus Aßmann@21:1/5 to Nigel Reed on Wed Apr 2 01:57:39 2025
    Nigel Reed wrote:

    I'm pretty sure I said in the original message that my IP resolves
    correctly. You seem to have ignored that paragraph.

    No, I have not. I asked about
    "the DNS resolver used by nnrpd",
    not about you using command line tools.

    All my IPs resolve correctly.

    nnrpd claims there is a mismatch between PTR and AAAA -
    so what's different in nnrpd vs CLI?

  • From Marco Moock@21:1/5 to All on Wed Apr 2 19:31:44 2025
    On 02.04.2025 at 01:57 Claus Aßmann wrote:

    nnrpd claims there is a mismatch between PTR and AAAA -
    so what's different in nnrpd vs CLI?

    I assume it uses the libc functions.
    A view to /etc/nsswitch.conf might be interesting here.

    --
    kind regards
    Marco

    Send spam to [email protected]

  • From Julien ÉLIE@21:1/5 to All on Wed Apr 2 19:39:29 2025
    Hi Marco,

    nnrpd claims there is a mismatch between PTR and AAAA -
    so what's different in nnrpd vs CLI?

    I assume it uses the libc functions.
    A view to /etc/nsswitch.conf might be interesting here.

    Indeed, nnrpd just uses the getnameinfo and getaddrinfo libc functions.
    Their manual pages mention the following related files:

    /etc/hosts
    /etc/nsswitch.conf
    /etc/resolv.conf
    /etc/gai.conf

    --
    Julien ÉLIE

    "Nothing is more annoying than not remembering what one cannot
    manage to recall, and nothing is more irritating than remembering
    what one would like to manage to forget." (Pierre Dac)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
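
Added example, not part of the thread and not INN's own code: a small C check that runs the reverse-then-forward validation discussed above through getnameinfo and getaddrinfo, so the result reflects /etc/hosts, /etc/nsswitch.conf, /etc/resolv.conf and /etc/gai.conf as libc applies them, whereas host sends its queries to DNS itself. The function names and return codes are assumptions of this example.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Point *p at the raw address bytes in sa; return their length (0: other family). */
static size_t raw_addr(const struct sockaddr *sa, const void **p)
{
    if (sa->sa_family == AF_INET6) { *p = &((const struct sockaddr_in6 *)sa)->sin6_addr; return 16; }
    if (sa->sa_family == AF_INET) { *p = &((const struct sockaddr_in *)sa)->sin_addr; return 4; }
    return 0;
}

/* 1 if the address in sa is among the getaddrinfo() results in list, else 0. */
int addr_in_list(const struct sockaddr *sa, const struct addrinfo *list)
{
    const void *a = NULL, *b = NULL;
    size_t n = raw_addr(sa, &a);
    for (; n != 0 && list != NULL; list = list->ai_next)
        if (raw_addr(list->ai_addr, &b) == n && memcmp(a, b, n) == 0)
            return 1;
    return 0;
}

/* 1: name maps back to ip, 0: it does not, -1: no name for ip, -2: ip is not numeric. */
int fcrdns_check(const char *ip, char *name, socklen_t len)
{
    struct addrinfo hints = { .ai_flags = AI_NUMERICHOST }, *self = NULL, *fwd = NULL;
    int rc = -1;
    if (getaddrinfo(ip, NULL, &hints, &self) != 0) return -2;   /* parse only, no lookup */
    /* Reverse step; NI_NAMEREQD fails instead of echoing the address back. */
    if (getnameinfo(self->ai_addr, self->ai_addrlen, name, len, NULL, 0, NI_NAMEREQD) == 0) {
        hints.ai_flags = 0;                 /* forward step, same address family */
        hints.ai_family = self->ai_family;
        int ok = getaddrinfo(name, NULL, &hints, &fwd) == 0;
        rc = ok && addr_in_list(self->ai_addr, fwd);
        if (ok) freeaddrinfo(fwd);
    }
    freeaddrinfo(self);
    return rc;
}

int main(int argc, char **argv)
{
    char name[1025] = "";                   /* room for any host name */
    int rc = argc > 1 ? fcrdns_check(argv[1], name, sizeof name) : -2;
    printf("result %d, name \"%s\"\n", rc, name);
    return rc != 1;
}
```

Run it on the news server under the account nnrpd runs as, with the address from the log line as its argument; a result of 0 or -1 there while host looks correct suggests checking the four files Julien lists.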