Reverse lookup from Internet only worked when using dig +trace option

Hoshi Sepai h.sepai at mdx.ac.uk
Tue Sep 16 13:32:43 UTC 2003


Hello

A couple of months ago we migrated our DNS servers to a new IP address and
new version of Bind (9.2.2). Unfortunately we had forgotten to notify Arin
about changing their reverse delegation records for our class B address
range. Arin's old records referred to:

94.158.in-addr.arpa.    86400   IN      NS      SEVA.MDX.AC.UK.
94.158.in-addr.arpa.    86400   IN      NS      WIZZARD.MDX.AC.UK.

After requesting Arin to update its reverse delegation records and chasing
them up for three weeks they finally made the change yesterday.

$ dig -x 158.94.254.12 @chia.arin.net

; <<>> DiG 9.2.2 <<>> -x 158.94.254.12 @chia.arin.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17670
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;12.254.94.158.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
94.158.in-addr.arpa.    86400   IN      NS      NS1.MDX.AC.UK.
94.158.in-addr.arpa.    86400   IN      NS      NS2.MDX.AC.UK.

;; Query time: 81 msec
;; SERVER: 192.5.6.32#53(chia.arin.net)
;; WHEN: Tue Sep 16 13:28:57 2003
;; MSG SIZE  rcvd: 89

Prior to Arin updating their reverse delegation records I had created
CNAME records for the old names of our DNS servers within the mdx.ac.uk
domain. I had deleted the old address records for seva and wizzard.

seva.mdx.ac.uk.        CNAME     ns1.mdx.ac.uk.
wizzard.mdx.ac.uk.   CNAME     ns2.mdx.ac.uk.

I assumed that, even before Arin updated the reverse delegation records,
the above CNAME records would enable reverse lookups coming from the
Internet for hosts in our domain to work. However, whenever I tried using
host or nslookup or dig (without the +trace option) I found I was unable
to resolve reverse lookups for hosts in our domain using DNS servers on the
Internet. Reverse lookups from within our own network resolved IP
addresses to their associated names without any difficulty.

My understanding of the way DNS resolution works is that when a DNS client
issues a query to a local DNS server the server will recursively submit
queries on behalf of the client to the DNS servers, unless an answer is
already stored in the local DNS server's cache. The local DNS server will
initially submit a query to the root servers for both forward and reverse
lookups. The root servers will refer the local DNS server to DNS servers
lower in the hierarchy which store records for the next section of a domain.
If my understanding of the way DNS queries are resolved is correct then I am
puzzled why a reverse lookup of the IP addresses of hosts in our domain
wouldn't work except if I specified the +trace option to dig. Even though
Arin updated its records yesterday I was able to find one DNS server which
demonstrates the error I was receiving.

Example of a query without the trace option to dig, which results in no answer:

$ dig -x 158.94.254.12 @ns0.ja.net

; <<>> DiG 9.2.2 <<>> -x 158.94.254.12 @ns0.ja.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52737
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;12.254.94.158.in-addr.arpa.    IN      PTR

;; Query time: 4 msec
;; SERVER: 128.86.1.20#53(ns0.ja.net)
;; WHEN: Tue Sep 16 13:26:13 2003
;; MSG SIZE  rcvd: 44


Whereas issuing the same query with the trace option resolves the reverse
lookup:

$ dig +trace -x 158.94.254.12 @ns0.ja.net

; <<>> DiG 9.2.2 <<>> +trace -x 158.94.254.12 @ns0.ja.net
;; global options:  printcmd
.                       262786  IN      NS      L.ROOT-SERVERS.NET.
.                       262786  IN      NS      M.ROOT-SERVERS.NET.
.                       262786  IN      NS      A.ROOT-SERVERS.NET.
.                       262786  IN      NS      B.ROOT-SERVERS.NET.
.                       262786  IN      NS      C.ROOT-SERVERS.NET.
.                       262786  IN      NS      D.ROOT-SERVERS.NET.
.                       262786  IN      NS      E.ROOT-SERVERS.NET.
.                       262786  IN      NS      F.ROOT-SERVERS.NET.
.                       262786  IN      NS      G.ROOT-SERVERS.NET.
.                       262786  IN      NS      H.ROOT-SERVERS.NET.
.                       262786  IN      NS      I.ROOT-SERVERS.NET.
.                       262786  IN      NS      J.ROOT-SERVERS.NET.
.                       262786  IN      NS      K.ROOT-SERVERS.NET.
;; Received 436 bytes from 128.86.1.20#53(ns0.ja.net) in 5 ms

158.in-addr.arpa.       86400   IN      NS      CHIA.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      DILL.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      BUCHU.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      HENNA.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      INDIGO.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      EPAZOTE.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      FIGWORT.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      GINSENG.ARIN.NET.
158.in-addr.arpa.       86400   IN      NS      arrowroot.ARIN.NET.
;; Received 241 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 141 ms

94.158.in-addr.arpa.    86400   IN      NS      NS1.MDX.AC.UK.
94.158.in-addr.arpa.    86400   IN      NS      NS2.MDX.AC.UK.
;; Received 89 bytes from 192.5.6.32#53(CHIA.ARIN.NET) in 78 ms

12.254.94.158.in-addr.arpa. 86400 IN    PTR     ns1.mdx.ac.uk.
94.158.in-addr.arpa.    86400   IN      NS      ns1.mdx.ac.uk.
94.158.in-addr.arpa.    86400   IN      NS      ns2.mdx.ac.uk.
;; Received 135 bytes from 158.94.254.12#53(NS1.MDX.AC.UK) in 3 ms

Another DNS server currently (16 Sept 2003, 1pm GMT) unable to resolve
reverse lookups for our IP addresses is bitsy.mit.edu. I'm sure that as
Arin's reverse delegation records propagate among DNS servers on the
Internet, a reverse lookup to any DNS server will report the correct
answer.

Can someone clarify why reverse lookups using the +trace option to dig
work, whereas without the option they don't? A DNS server should be querying
the top level domain servers whether the trace option is or is not
specified.

thanks

Hoshi
Middlesex University
London, UK
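Editor's note: the following is an added example, not code from the original post and not part of BIND. It is an offline Python model of the two resolution paths the post compares: dig +trace walking down from the root hints, versus a caching recursive server that starts from whatever delegation it already holds. The zone data is constructed from the +trace output above; the stale delegation to SEVA/WIZZARD with CNAME-only records is the pre-update state the post describes, and every address except 158.94.254.12 is made up for the model. The model applies the rule that an NS target must be a host name with an address record, not a CNAME (RFC 2181, section 10.3): a resolver still holding the old NS set (TTL 86400) finds no usable address for either name, reaches no server for 94.158.in-addr.arpa, and returns SERVFAIL, while an iteration that starts at the root follows the fresh delegation and gets the PTR record.

```python
"""Offline model of PTR resolution for 12.254.94.158.in-addr.arpa.

Constructed data, not captured traffic: the delegation chain copies the
dig +trace output in the post above; the stale delegation to SEVA/WIZZARD
and the CNAME-only records for those names are the pre-update state the
post describes. Every address except 158.94.254.12 is made up.
"""
from typing import Dict, List, Optional, Tuple

RRset = Dict[str, List[str]]       # rrtype -> rdata list
ZoneData = Dict[str, RRset]        # owner name -> RRset (lower-case FQDNs)

# Records held by the MDX name servers (reverse zone plus the forward names).
MDX_AUTH: ZoneData = {
    "12.254.94.158.in-addr.arpa.": {"PTR": ["ns1.mdx.ac.uk."]},
    "ns1.mdx.ac.uk.": {"A": ["158.94.254.12"]},
    "ns2.mdx.ac.uk.": {"A": ["158.94.254.13"]},        # assumed address
    "seva.mdx.ac.uk.": {"CNAME": ["ns1.mdx.ac.uk."]},   # old name: CNAME, no A
    "wizzard.mdx.ac.uk.": {"CNAME": ["ns2.mdx.ac.uk."]},
}

# What each authoritative server answers, keyed by its host name.
SERVERS: Dict[str, ZoneData] = {
    "l.root-servers.net.": {"158.in-addr.arpa.": {"NS": ["chia.arin.net."]}},
    "chia.arin.net.": {   # the delegation ARIN serves after its update
        "94.158.in-addr.arpa.": {"NS": ["ns1.mdx.ac.uk.", "ns2.mdx.ac.uk."]}},
    "ns1.mdx.ac.uk.": MDX_AUTH,
    "ns2.mdx.ac.uk.": MDX_AUTH,
}

# Addresses the resolver gets without a separate lookup (root hints and glue).
GLUE = {"l.root-servers.net.": "198.32.64.12", "chia.arin.net.": "192.5.6.32",
        "ns1.mdx.ac.uk.": "158.94.254.12", "ns2.mdx.ac.uk.": "158.94.254.13"}
ROOT_HINTS = ["l.root-servers.net."]

# The old delegation a recursive server may still hold (NS TTL was 86400 s).
STALE_CACHE = {"94.158.in-addr.arpa.": ["seva.mdx.ac.uk.", "wizzard.mdx.ac.uk."]}


def reverse_name(ip: str) -> str:
    """158.94.254.12 -> 12.254.94.158.in-addr.arpa. (what dig -x builds)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def query(server: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """One non-recursive query to `server`: ("answer", rdata), ("cname", targets),
    ("referral", ns_names) for the closest delegation it knows, or ("nodata", [])."""
    data = SERVERS[server]
    rrs = data.get(qname, {})
    if qtype in rrs:
        return "answer", rrs[qtype]
    if "CNAME" in rrs:
        return "cname", rrs["CNAME"]
    labels = qname.split(".")
    for i in range(1, len(labels)):            # nearest enclosing zone first
        zone = ".".join(labels[i:])
        if "NS" in data.get(zone, {}):
            return "referral", data[zone]["NS"]
    return "nodata", []


def address_of(host: str) -> Optional[str]:
    """Address of a name-server host. Glue first; otherwise an A lookup at the
    MDX authority (simplification: the forward zone is assumed reachable).
    A CNAME is not a usable NS target (RFC 2181 section 10.3), so it yields None."""
    if host in GLUE:
        return GLUE[host]
    status, rdata = query("ns1.mdx.ac.uk.", host, "A")
    return rdata[0] if status == "answer" else None


def resolve(qname: str, qtype: str, start: List[str], max_hops: int = 8):
    """Iterate from `start`, following referrals, as dig +trace does from the
    root hints. Returns (status, rdata, path); path records servers tried."""
    servers, path = list(start), []
    for _ in range(max_hops):
        for server in servers:
            if address_of(server) is None:
                path.append(server + " (no address)")
                continue
            path.append(server)
            status, rdata = query(server, qname, qtype)
            if status == "answer":
                return "NOERROR", rdata, path
            if status == "referral":
                servers = rdata
                break
            return "NODATA", [], path
        else:                                   # no server could be reached
            return "SERVFAIL", [], path
    return "SERVFAIL", [], path


def recursive_server(qname: str, qtype: str, cache: Dict[str, List[str]]):
    """A caching recursive server starts from the closest delegation it has
    cached for qname and only falls back to the root hints when it has none."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in cache:
            return resolve(qname, qtype, cache[zone])
    return resolve(qname, qtype, ROOT_HINTS)


if __name__ == "__main__":
    q = reverse_name("158.94.254.12")
    print("dig +trace style:", resolve(q, "PTR", ROOT_HINTS))
    print("stale cache     :", recursive_server(q, "PTR", STALE_CACHE))
```

Running the block prints NOERROR with the PTR for the root-hints walk and SERVFAIL with both old server names marked "(no address)" for the stale-cache case. The reason +trace behaves differently from a plain query is that dig +trace uses the server named with @ only to fetch the root NS list and then performs the iterative queries itself, so the server's own cache of 94.158.in-addr.arpa never enters the picture; a plain query asks that server to recurse, and it starts from the delegation it cached.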

More information about the bind-users mailing list