Reverse DNS primer [Was: Re: CNAME TRICK]

Joseph S D Yao jsdy at cospo.osis.gov
Mon Jul 10 17:46:48 UTC 2000


On Mon, Jul 10, 2000 at 08:37:11AM -0700, Rick Gocher wrote:
> 	I seem to be having some problems figuring out this cname trick thing..

Skip it if you've read it and understood it well enough to correct me
on some simplifying assumptions ... ;-)

> Subject: Reverse DNS, IP addr -> name via PTR
> Date: Thu, 5 Aug 1999 13:27:38 -0400 (EDT)
> 
> OK, one more time, since there has been a spate of questions about this
> again ...
> 
> If you have a domain and a set of IP addresses, e.g., foo.com and
> 1.2.3.0/24, then you will not only want to do forward DNS lookups from
> host names to IP addresses, but also reverse DNS lookups from the host
> names to the IP addresses.  This does NOT happen automatically!
> Instead, you have to construct a separate reverse DNS zone whose name
> is based on the portion of the network that you own.  [I'll mention
> what to do if you don't own the whole network portion, later.]
> 
> There is nothing magic about a reverse DNS zone.  By convention, it is
> based on the "in-addr.arpa" domain.  Its name is constructed on the
> REVERSED IP address of the network - in this case, 3.2.1.in-addr.arpa.
> In all ways, it is a regular domain - its parent domain, e.g., is
> 2.1.in-addr.arpa - we'll get to why that's important in a minute.
> 
> In the named.boot or named.conf, on your master [primary] name server,
> you associate the name of the domain/zone with the name of some file
> that contains the zone information.  In this zone file, you will have,
> as always:
> 
> 	$TTL	nnnnnnn
> 	@	IN  SOA	...
> 		IN  NS	ns.foo.com.
> 
> and then you must put your pointers from the host numbers back to the
> names, e.g.:
> 
> 	1	IN  PTR		router.foo.com.
> 	2	IN  PTR		firewall.foo.com.
> 	3	IN  PTR		host.foo.com.
> 	...
> 	42	IN  PTR		answer.foo.com.
> 	...
> 
> Now, giving your local name server all of this information, it will
> return any reverse-DNS query with the proper information.  E.g.,
> queries of the form:
> 
> 	nslookup  1.2.3.42    ns.foo.com
> 	nslookup  -type=ptr  42.3.2.1.in-addr.arpa   ns.foo.com
> 	dig   @ns.foo.com   42.3.2.1.in-addr.arpa  ptr
> 
> will return the host name as part of the answer.
> 
> Internally to your network, if you have configured your /etc/resolv.conf
> file to point to ns.foo.com's IP address, then you don't even have to
> tell it to ask ns.foo.com.  Queries will automatically go to that name
> server.
> 
> EXTERNALLY to your network, it's a different story.  If you want
> others to also see your reverse DNS [and you usually do], you need to
> get the co-operation of whoever owns your reverse DNS parent domain,
> 2.1.in-addr.arpa.  They must list "3" as a subdomain of their domain,
> with an NS record in their zone file pointing to your name server.
> Then someone asking from the outside about 42.3.2.1.in-addr.arpa will
> be able to go to the root server, find out who owns 1.in-addr.arpa, and
> from them who owns 2.1.in-addr.arpa, and from them who your name server
> is ... and thence get the name.  Just exactly as in forward DNS lookups.
> 
> NOW, if your network does not break at an octet boundary, you must look
> at RFC 2317, which has a trick to create a subnetwork that includes
> your network name and bitsize, and then have your hosts' IP addresses
> be names off that network.  You can use the trick detailed in RFC 2317
> or one like it.  Believe me, it works.  But you need the co-operation
> of the owner of your parent network.
> 
> If you only have a few IP addresses, or you have IP addresses from
> different networks, you will probably want to just leave forward and
> reverse DNS entries to the owners of those networks.  Again, they have
> to be willing.
> 
> Fair 'nuff?

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
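As an added illustration, not part of Joe's message, here is a small Python model of what the quoted text describes: building the in-addr.arpa names for an octet-aligned block, the NS-plus-CNAME delegation an RFC 2317 parent /24 owner adds for a sub-block, and a resolver that follows the CNAME into the child zone. The 1.2.3.0/25 block, the `0/25` child zone label (the form RFC 2317 suggests) and the host names are constructed sample data.

```python
import ipaddress

def reverse_name(ip):
    """IPv4 address -> PTR owner name: 1.2.3.42 -> 42.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def reverse_zone(network):
    """Octet-aligned network -> reverse zone: 1.2.3.0/24 -> 3.2.1.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    if net.prefixlen % 8:
        raise ValueError("not octet-aligned; delegate per RFC 2317 instead")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def rfc2317_records(child_network, child_ns, ptrs):
    """RFC 2317 records for a sub-/24 block as one flat {owner: (type, rdata)} dict:
    the parent /24 zone's NS plus one CNAME per address, and the child zone's PTRs.
    ptrs maps last octet -> host name (constructed sample data)."""
    net = ipaddress.ip_network(child_network)
    parent_zone = reverse_zone(str(net.supernet(new_prefix=24)))
    first = int(net.network_address) & 0xFF
    child_zone = f"{first}/{net.prefixlen}.{parent_zone}"   # e.g. 0/25.3.2.1.in-addr.arpa.
    records = {child_zone: ("NS", child_ns)}                 # parent delegates the child zone
    for addr in net:
        last = int(addr) & 0xFF
        records[f"{last}.{parent_zone}"] = ("CNAME", f"{last}.{child_zone}")
        if last in ptrs:
            records[f"{last}.{child_zone}"] = ("PTR", ptrs[last])
    return records

def lookup_ptr(ip, records, max_hops=8):
    """Resolve a PTR, following CNAMEs the way a resolver would; None if unknown."""
    name = reverse_name(ip)
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None:
            return None
        rrtype, rdata = rr
        if rrtype == "CNAME":
            name = rdata          # parent zone hands the query off into the child zone
            continue
        return rdata if rrtype == "PTR" else None
    return None                   # CNAME chain too long: give up rather than loop

# Constructed sample: ns.foo.com. serves 1.2.3.0/25 carved out of someone else's 1.2.3.0/24.
RECORDS = rfc2317_records("1.2.3.0/25", "ns.foo.com.",
                          {1: "router.foo.com.", 2: "firewall.foo.com.", 42: "answer.foo.com."})
```

Calling `lookup_ptr("1.2.3.42", RECORDS)` walks the CNAME into the `0/25` child zone and returns `answer.foo.com.`, while an address outside the delegated block returns `None`.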