Cloudflare rDNS for Email Ports on Linodes?
Has anyone successfully used Cloudflare to configure rNDS as requested by Linode to open up email ports?
We're currently on the Cloudflare Pro plan, and all the normal DNS is working as expected (e.g. we're hosting public websites on a Linode going through Cloudflare proxy). Looking at the Cloudflare docs, they say we need the Enterprise plan in order to enable rDNS zones. Trying to see if anyone here can confirm that or has another suggestion to avoid a 10-fold increase in Cloudflare plan just to get email working on our Linodes?
7 Replies
The reverse DNS records for Linode IPs are hosted on Linode's DNS servers. You can set them in the "Edit rDNS" section of the manager.
https://www.linode.com/docs/guides/configure-your-linode-for-reverse-dns/
You do need to set forward A and/or AAAA DNS records for the name(s) in your domain's DNS records. But those are just normal DNS records, you don't need to pay Cloudflare extra for that.
Our concern was that the Edit rDNS won't allow you put in a DNS name that isn't listed in Linode's DNS records, and didn't want to cause any issues with conflicting DNS Records out in the open by putting the public DNS for that server in both Linode and Cloudflare's records.
Talking out loud/typing all this out, having the A record in Linode's DNS Records should be pretty much a ghost/non-used record since the domain name is pointing to Cloudflare for nameservers. Maybe it just needs the entry there to allow editing rDNS, even if it's not ever actually used for true DNS lookups.
Have added the A record back in to Linode DNS Manager, will let it update, and try to re-add the rDNS entry under IP Addresses.
You need to add A record wherever you host your DNS. If you don't use Linode's DNS manager, you don't need to add it there.
We have the A record on Cloudflare, and it works - the browser is correctly resolving to the Linode which is hosting the website (and website displays correctly). At this point, the A record has been on Cloudflare and website working correctly for almost a week (so should be well past any TTL issues)
That said, "Edit rDNS" for the Linode's IP says
"
No match was found for '<fqdn>'. Reverse DNS must have a matching forward entry.
"</fqdn>
That was why the question if we needed to add an A record to Linode's DNS manager even though that record isn't really used - just to fake out the Edit rDNS screen
Doing something like nslookup on the DNS name will resolve to Cloudflare's IPs (since they doing the proxying). Even though the A record exists, maybe the Edit rDNS is erroring out because it tries to do a lookup on the name provided and the returned IP isn't the Linode IP (but rather the Cloudflare IPs)?
With that in mind, I guess we could turn off the proxying to see if it goes through. If that works, maybe leave off the proxy just long enough to get email ports enabled, then turn the proxy back on.
Edit: Turning off the proxy on Cloudflare for that IP did correctly allow the Edit rDNS screen to save with the DNS name. Will continue through the email ports request process and see if we can then re-enable the proxy after the ports are open.
You need to add A record wherever you host your DNS. If you don't use Linode's DNS manager, you don't need to add it there.
Correct - my DNS is hosted externally to Linode and I can set rDNS records on my Linode IPs just fine.
rDNS zones on the CF enterprise plan are when you have your own assigned IP space and want to host the rDNS records for those IPs on CF.
Will continue through the email ports request process and see if we can then re-enable the proxy after the ports are open.
I don't think Linode will notice, but if you actually try to send email and your rDNS doesn't match, the destination mail servers will likely reject it.
@mnordhoff0
I don't think we should have that problem because our sites are sending though our Office 365 tenet - we just need 587 open to be able to connect & authenticate through O365, not sending directly from the Linode. With the mail being sent from O365, the receiving side should be able to verify the sending side OK.