Newbie: How to do Reverse-DNS (with an 8-IP ISP-supplied subnet)?
kcd at daimlerchrysler.com
Wed Mar 29 00:10:15 UTC 2000
> Hi all,
> I've recently gotten DNS running on my network here. I'm basically a bind
> and Unix (FreeBSD) newbie, but everything seems to be running reasonably
> well. The one thing I've left out is Reverse DNS.
> Reverse DNS (I'm not sure if that's the official name - should I call it
> 'reverse lookup'?) at first baffled me a little, but it now seems very
> obvious. In general, any time you have a distributed database that's set up
> to do name-value lookups, you can't really do a value-name lookups. You'd
> need a second database to map values to names. (That's a sloppy use of
> 'name' and 'value' but hopfeully I'm being clear enough). So no problem -
> the InterNIC maintains a sperate database that maps IP addresses to domain
> Here's my problem - I have an ADSL account, with which I get 5 IP addreses.
> Basically, I have a subnet of 8 IP addresses, with (I think) 3 being
> reserved for the network, broadcast, and gateway IPs, leaving my 5. So how
> do I set up reverse DNS for these IPs? Since the IPs belong to my ISP, my
> ISP would currently be doing reverse DNS for the entire Class C that my
> little subnet belongs to. That sounds to me like I have to somehow contact
> my ISP, and say "could you please add these PTR records to your zone file?"
> Is that really my only option? Also, while I have a decent understanding of
> classless subnetting and its advantages, it seems that reverse-DNS is
> completely, umm, non-classless, which seems pretty sub-optimal. Am I wrong
> about this?
True, the in-addr.arpa tree is address-octet-oriented, but with the magic of
aliases you can "delegate" (I use the term loosely) an address space smaller
than a class C to allow for local management. See RFC 2317 for details.
Regardless of how you do it, though, you need the co-operation of your ISP,
either to process your PTR change requests in their zone, or to add the
necessary aliases, and, optionally, delegate a reverse zone to you, so that
you can manage the PTRs yourself. (I say "optionally" because, despite RFC
2317's recommendations, there's nothing to stop you hanging a reverse zone off
one of your "forward" namespaces, in which case no delegation from your
ISP would be necessary).
> Finally - it's possible that my ISP will refuse to cooperate with my
> reverse DNS needs. If they do, what are the ramifications? Is there a "What
> happens if I can't do reverse-DNS" paper somewhere that will list the
> problems I might face? (I couldn't find anything in the FAQ or by searching
> the mailing list archives.)
Off the top of my head, I know that some mail servers and some FTP servers, as
configured, will not accept connections/transfers unless they can do a reverse
lookup of the connecting client. But, as pointed out to me recently, many if
not most ISP's give "dummy" PTR names to all of the addresses in their
assigned ranges anyway, so you're likely to have a PTR record regardless, it
just may not happen to bear any resemblance to your forward zone data. As for
software or sites which attempt to *authenticate* access by reverse lookup,
I think that's generally regarded as a failed security methodology anyway, so
it should become less of a factor as time goes by.
More information about the bind-users