United States site (Change)     HOME | CONTROL PANEL    
Sargasso Networks


Reverse DNS Policy


In order to access many Sargasso services, including FTP and SSH, you will require correctly set up reverse DNS. Usually this is not within your realm of control. Instead you may choose to refer your ISP (dialup or broadband) to this page for further information.

Explanation and Rationale

Sargasso login servers (including FTP and SSH) are configured to perform reverse DNS lookups for each connection, and to refuse the connection if the forward and reverse DNS do not match. The rationale is simple: an imposter may easily configure his reverse DNS to be 'myhost.yahoo.com', but if he is not also in control of the forward DNS for 'yahoo.com', the inverse mapping will not match.

Therefore correctly matching forward and reverse DNS may allow a fair degree of confidence that the reverse DNS hostname is correct. Conversely, mismatching DNS is indicative of subterfuge, or a misconfigured DNS service.


If maps to "www.myhost.com", then "www.myhost.com" must map to

In technical terms, the PTR record must map to a valid hostname that has an A record that maps back to the same address.

 in zone 3.2.1.in-addr.arpa:

 4       IN   PTR   www.myhost.com.

 in zone myhost.com:

 www     IN   A

Sidenote: It is sufficient for ONE of the A records to point to, if www.myhost.com has multiple addresses.


The following exercise will demonstrate the logic behind our server's correct refusal of a connection from

  1. First we look up the hostname from the address (reverse DNS):
    Name:    spc1-epso2-4-0-cust30.asfd.broadband.ntl.com
    So whoever is responsible for this address claims that its hostname is spc1-epso2-4-0-cust30.asfd.broadband.ntl.com.

  2. Second, we look up the address for this hostname (forward DNS):
    C:\>nslookup spc1-epso2-4-0-cust30.asfd.broadband.ntl.com
    *** cache1.ns.sargasso.net can't find spc1-epso2-4-0-cust30.asfd.broadband.ntl.com:
    Non-existent domain

The DNS servers for 'ntl.com' deny that this mapping is correct, or that that hostname even exists. This is why this user is blocked.

A similar situation would have resulted if step 2 had returned an address that was not the same as the original query (


Any competent ISP should have an engineering team capable of fixing misconfigured DNS servers. Typically the three problems we see most are:

  1. Missing reverse DNS: there simply is no PTR record for the IP address in question.
  2. Incorrect or placeholder DNS: the PTR record exists, but the A record it points to does not exist or is bogus (e.g. no-dns-yet.demon.net)
  3. A special case of 2.: Relative zone specified by accident: by missing off the period at the end of the PTR line above, would incorrectly resolve to www.myhost.com.3.2.1.in-addr.arpa.



About Us

© 2002, 2003, 2004, 2005, 2006, 2008 Sargasso Networks. E&OE.
Legal | Contact us
^ Top