Reverse DNS basics [again] [Was: Re: help with Reverse Lookup and PTR's]
Joseph S D Yao
jsdy at center.osis.gov
Mon Oct 29 13:45:22 UTC 2001
Don't NOSPAM this mailing list.
On Sat, Oct 27, 2001 at 09:25:59PM -0500, Phil Schuman wrote:
> my head is spinning on all this DNS stuff :)
> As I see it...
> This reverse DNS lookup is a parallel concept
> to the normal DNS system -
> The DNS "A" record defines - xxx.xyz.com ---> 192.168.1.1
> and they are stored with the nameserver for the "domain"
> and the nameserver is obtained via lookup for the "domain".
> however -
> for a reverse IP lookup - 184.108.40.206 - (our mail server)
> all you have is an IP address to initially work with -
> It seems like ARPA has a special "domain"
> such as "in-addr.arpa" that is the real placeholder,
> and then the IP address (reversed) is prefixed.
> The records in the local DNS server
> define the "PTR" records - or pointer records.
> However, I'm not sure how they propagate back
> to the ARPA domain ???????
> And what happens with address conflicts,
> or stealing of addresses ?????????
> So - as with Register.com and other "registering" providers,
> You may get "A" records to ref your servers,
> but I don't think there are any corresponding PTR records,
> hence no Reverse Lookup is possible....
> For us - with our 220.127.116.11 - mail server name -
> the nameserver at "itsi2.your-net.com" has the various "A" records,
> but doesn't seem to have any PTR records.
> And our 18.104.22.168 backup nameserver
> has the "A" records, and a handful of PTR records...
> but the "itsi2" nameserver may be interrogated 1st by the net,
> so the Reverse Lookup will again fail -
> Phil - now with a big DNS headache :)
Does this help? You seem to have most of it already.
> Subject: Reverse DNS, IP addr -> name via PTR
> Date: Thu, 5 Aug 1999 13:27:38 -0400 (EDT)
> OK, one more time, since there has been a spate of questions about this
> again ...
> If you have a domain and a set of IP addresses, e.g., foo.com and
> 22.214.171.124/24, then you will not only want to do forward DNS lookups from
> host names to IP addresses, but also reverse DNS lookups from the host
> names to the IP addresses. This does NOT happen automatically!
> Instead, you have to construct a separate reverse DNS zone whose name
> is based on the portion of the network that you own. [I'll mention
> what to do if you don't own the whole network portion, later.]
> There is nothing magic about a reverse DNS zone. By convention, it is
> based on the "in-addr.arpa" domain. Its name is constructed on the
> REVERSED IP address of the network - in this case, 3.2.1.in-addr.arpa.
> In all ways, it is a regular domain - its parent domain, e.g., is
> 2.1.in-addr.arpa - we'll get to why that's important in a minute.
> In the named.boot or named.conf, on your master [primary] name server,
> you associate the name of the domain/zone with the name of some file
> that contains the zone information. In this zone file, you will have,
> as always:
> $TTL nnnnnnn
> @ IN SOA ...
> IN NS ns.foo.com.
> and then you must put your pointers from the host numbers back to the
> names, e.g.:
> 1 IN PTR router.foo.com.
> 2 IN PTR firewall.foo.com.
> 3 IN PTR host.foo.com.
> 42 IN PTR answer.foo.com.
> Now, giving your local name server all of this information, it will
> return any reverse-DNS query with the proper information. E.g.,
> queries of the form:
> nslookup 126.96.36.199 ns.foo.com
> nslookup -type=ptr 188.8.131.52.in-addr.arpa ns.foo.com
> dig @ns.foo.com 184.108.40.206.in-addr.arpa ptr
> will return the host name as part of the answer.
> Internally to your network, if you have configured your /etc/resolv.conf
> file to point to ns.foo.com's IP address, then you don't even have to
> tell it to ask ns.foo.com. Queries will automatically go to that name
> EXTERNALLY to your network, it's a different story. If you want
> others to also see your reverse DNS [and you usually do], you need to
> get the co-operation of whoever owns your reverse DNS parent domain,
> 2.1.in-addr.arpa. They must list "3" as a subdomain of their domain,
> with an NS record in their zone file pointing to your name server.
> Then someone asking from the outside about 220.127.116.11.in-addr.arpa will
> be able to go to the root server, find out who owns 1.in-addr.arpa, and
> from them who owns 2.1.in-addr.arpa, and from them who your name server
> is ... and thence get the name. Just exactly as in forward DNS lookups.
> NOW, if your network does not break at an octet boundary, you must look
> at RFC 2317, which has a trick to create a subnetwork that includes
> your network name and bitsize, and then have your hosts' IP addresses
> be names off that network. You can use the trick detailed in RFC 2317
> or one like it. Believe me, it works. But you need the co-operation
> of the owner of your parent network.
> If you only have a few IP addresses, or you have IP addresses from
> different networks, you will probably want to just leave forward and
> reverse DNS entries to the owners of those networks. Again, they have
> to be willing.
> Fair 'nuff?
Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
This message is not an official statement of OSIS Center policies.
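The following is an added worked example, not code from Joe's post or from BIND. It builds the reverse ("in-addr.arpa") names and zone file that the quoted explanation describes, generalised to any octet-aligned network (a /16 as well as the /24 in the text), renders the RFC 2317 parent-side CNAME/NS delegation and child zone for a network that does not break at an octet boundary, and finishes with the check a mail-server operator actually cares about: that the PTR name resolves forward to the same address. The host names and addresses (1.2.3.0/24, router/firewall/host/answer.foo.com, ns.foo.com) are the ones in the post; the SOA mailbox, timers and serial, the second-octet /16 case, the 0/26 label style and the two lookup tables are assumptions constructed for the example.

```python
"""Reverse DNS helpers: in-addr.arpa names, reverse zone files,
RFC 2317 classless delegation, and a forward-confirmed reverse check.
Added example; constructed data, not from the original post."""
import ipaddress


def reverse_name(ip):
    """Reverse the octets and append in-addr.arpa: 1.2.3.42 -> 42.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_name(network):
    """Zone name for an octet-aligned network: 1.2.3.0/24 -> 3.2.1.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("not octet aligned; use rfc2317_delegation() instead")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def host_label(network, ip):
    """Owner label of a host's PTR relative to its reverse zone (42 in a /24, 42.3 in a /16)."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    rest = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(rest))


def reverse_zone(network, hosts, ns, mbox, ttl=86400, serial=2001102901):
    """Render a BIND-style reverse zone file for an octet-aligned network.
    hosts maps IP -> FQDN. SOA timers/serial are constructed placeholders."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA {ns} {mbox} ( {serial} 3600 900 604800 {ttl} )",
        f"  IN NS {ns}",
    ]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        lines.append(f"{host_label(network, ip)} IN PTR {hosts[ip].rstrip('.')}.")
    return "\n".join(lines) + "\n"


def rfc2317_delegation(network, hosts, ns):
    """RFC 2317 style delegation of a sub-/24 block such as 1.2.3.0/26.
    Returns (child zone name, lines for the parent /24 zone, lines for the child zone).
    The parent owner adds the NS + CNAME lines; the block owner serves the child zone."""
    net = ipaddress.ip_network(network, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 applies to networks between /25 and /31")
    parent = reverse_zone_name(str(net.supernet(new_prefix=24)))
    first = str(net.network_address).split(".")[3]
    label = f"{first}/{net.prefixlen}"          # e.g. 0/26 (label style assumed)
    child = f"{label}.{parent}"
    parent_lines = [f"{label} IN NS {ns}"]
    for addr in net:                              # one CNAME per delegated address
        last = str(addr).split(".")[3]
        parent_lines.append(f"{last} IN CNAME {last}.{child}.")
    child_lines = [f"$ORIGIN {child}."]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) in net:
            child_lines.append(f"{ip.split('.')[3]} IN PTR {hosts[ip].rstrip('.')}.")
    return child, parent_lines, child_lines


def forward_confirmed(ip, ptr_table, a_table):
    """Forward-confirmed reverse DNS: the PTR target must have an A record back to ip.
    ptr_table maps reverse name -> FQDN; a_table maps FQDN -> set of IPs."""
    name = ptr_table.get(reverse_name(ip))
    return name is not None and ip in a_table.get(name, ())


# Constructed sample data mirroring the post's 1.2.3.0/24 example.
HOSTS = {
    "1.2.3.1": "router.foo.com",
    "1.2.3.2": "firewall.foo.com",
    "1.2.3.3": "host.foo.com",
    "1.2.3.42": "answer.foo.com",
}
PTR_TABLE = {reverse_name(ip): name for ip, name in HOSTS.items()}
PTR_TABLE["7.3.2.1.in-addr.arpa"] = "nobody.example"   # PTR with no matching A record
A_TABLE = {name: {ip} for ip, name in HOSTS.items()}
A_TABLE["nobody.example"] = {"192.0.2.9"}

if __name__ == "__main__":
    print(reverse_zone("1.2.3.0/24", HOSTS, "ns.foo.com.", "hostmaster.foo.com."))
    child, parent_lines, child_lines = rfc2317_delegation("1.2.3.0/26", HOSTS, "ns.foo.com.")
    print("; parent zone additions for", child, *parent_lines[:5], sep="\n")
    print("\n".join(child_lines))
    for ip in ("1.2.3.42", "1.2.3.7"):
        print(ip, "forward-confirmed:", forward_confirmed(ip, PTR_TABLE, A_TABLE))
```

The RFC 2317 output is the "trick" the post refers to: the parent zone keeps control of 3.2.1.in-addr.arpa and only publishes CNAMEs that point each address at a name under the 0/26 subzone, which the block owner serves; so, as the post says, it still needs the parent's cooperation. The forward-confirmed check is what receiving mail servers typically apply, and the "1.2.3.7" case shows why a stray PTR without a matching A record is no better than none.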