> On 17.06.2025 at 14:26 sebastian via mailop wrote:
>
> >>RFC 5782 states:
>
> That's for DNSBL/DNSWL, where it's easy to tell the firewall that, don't touch
> any response packets from dnswl.org and then it doesn't matter.

My take on this: A firewall should not touch *any* DNS packets. Reasons why not to do that can be seen in this thread. Middleboxes which do not understand what's going on and prefer to break traffic flows to be on the safe side are not a good argument to restrict or change the way protocols and technologies are being used.

I wouldn't say that Goteborg's SPF record returns private IP addresses. It actually does not return any IP address at all, but only a syntactically valid representation for "match" or "true".

>>> RFC 7208 states:
>
> Yes, that applies to the SPF client. A firewall between the SPF client and
> server can't know the packet is meant for an RFC 7208 client.
>
>>> Presumably, a mail server should not consult a DNS hacked for browsers?
>
> Presumably, a firewall located between LAN and WAN has no way to know if the
> UDP packet is for an SPF client or browser. It sees a DNS response packet
> coming from a server on the WAN side that is not in the firewall's list of
> servers permitted to bypass DNS Rebinding protection, finds a private IP in
> the response, and throws the UDP packet in the dustbin.

--
BR
Oliver

dmTECH GmbH
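The failure mode discussed in this message, as an added example that is not part of the original e-mail: a rebinding filter that sees only the responding server and the A records, next to an SPF `exists` check in which any A record means match. The function names, the blocked ranges, and the sample server and answer addresses are assumptions constructed for illustration.

```python
import ipaddress

# Ranges this sketch's rebinding filter treats as internal (an assumption;
# real products differ in which ranges they cover).
BLOCKED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def rebind_filter(server, answers, bypass=frozenset()):
    """What the middlebox sees: the responding server and the A records.
    Returns the answers it forwards, or None if it drops the packet."""
    if server in bypass:
        return answers
    for addr in answers:
        if any(ipaddress.ip_address(addr) in net for net in BLOCKED):
            return None  # dropped: the resolver behind it sees a timeout
    return answers

def spf_exists(answers):
    """RFC 7208 'exists': any A record means match; the address is ignored.
    A query that times out (None) ends the check with temperror."""
    if answers is None:
        return "temperror"
    return "match" if answers else "no-match"

# Constructed sample: documentation-range server, constructed answer value.
SERVER = "192.0.2.53"
ANSWER = ["10.0.0.1"]

def compare():
    """SPF result for the same DNS response on different paths."""
    return {
        "no_filter": spf_exists(ANSWER),
        "filtered": spf_exists(rebind_filter(SERVER, ANSWER)),
        "bypass_listed": spf_exists(rebind_filter(SERVER, ANSWER, {SERVER})),
        "public_answer": spf_exists(rebind_filter(SERVER, ["198.51.100.7"])),
    }

if __name__ == "__main__":
    for path, result in compare().items():
        print(f"{path:14} {result}")
```

The filter's decision uses nothing but the server address and the record values, so the same response that is a plain "match" to the SPF client becomes a temperror behind the filter unless the server is on the bypass list.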