reverse DNS servfail

Brett Carr brettcarr at ripe.net
Thu Jul 21 13:40:13 UTC 2005


On Thu, 21 Jul 2005, /dev/rob0 wrote:

> A customer of mine just today got a new ISP. The new IP is
> 69.15.253.106. At this time the reverse lookup is failing:
> $ host 69.15.253.106
> Host 106.253.15.69.in-addr.arpa not found: 2(SERVFAIL)
> $ host -tns 253.15.69.in-addr.arpa
> Host 253.15.69.in-addr.arpa not found: 2(SERVFAIL)
> $ host -tns 15.69.in-addr.arpa
> Host 15.69.in-addr.arpa not found: 2(SERVFAIL)
>
> I asked the ISP (cbeyond.net) for RFC 2317, section 5.2, classless rDNS
> delegation: with CNAMEs pointing to PTR records in our forward zone. (I
> do have and can query the PTRs corresponding to my CNAME requests.) The
> customer service people talked to their "DNS engineers" [snicker] who
> told them to tell me:
>      "Our DNS Engineers have stated that Cbeyond's DNS service does
>       not support this form of classless addressing."
> Before I asked, I tested and got NXDOMAIN on this IP. Now it's SERVFAIL.
>
> Before I approach the "DNS engineers" I want to know a bit more.
>
> 1. Is there a way to tell if they're running BIND?
>     a. If so, why would it "not support" RFC 2317 classless delegation?
>     b. If not, can this be true? Maybe in their junkware the in-addr.arpa
>        zones are hard-coded to only allow PTR records?

fpdns reports the following for them:

$ ./fpdns.pl beyond.cbeyond.net.
fingerprint (beyond.cbeyond.net., 66.180.96.11): TinyDNS 1.05

$ ./fpdns.pl infinity.cbeyond.net.
fingerprint (infinity.cbeyond.net., 64.238.96.11): TinyDNS 1.05

$ ./fpdns.pl to.cbeyond.net.
fingerprint (to.cbeyond.net., 64.238.96.9): TinyDNS 1.05


Well, as far as I am aware there is no reason BIND or for that matter any
other popular DNS software can't do RFC 2317, but I have no experience
with TinyDNS so over to someone else there.
It's more likely their policy is they don't delegate beyond a /24 for certain
levels of service (you get what you pay for) or they don't have experience
of doing it.

> 2. Is there a way to tell from the outside why they're getting SERVFAIL?

Do a dig +trace 106.253.15.69.in-addr.arpa ptr and it gets itself into a
rather nasty loop, which is I guess what's causing your SERVFAIL. Not sure
why this is happening but I'm guessing something is misconfigured at
their end.

> 3. Is anyone else familiar with Cbeyond in particular?
>

Never heard of em, but hey I'm in Europe :)

> Oh, I looked up another IP in Cbeyond's block, and it wasn't SERVFAIL.
> These are the servers:
> $ host -tns 20.15.69.in-addr.arpa
> 20.15.69.in-addr.arpa name server infinity.cbeyond.net.
> 20.15.69.in-addr.arpa name server to.cbeyond.net.
> 20.15.69.in-addr.arpa name server beyond.cbeyond.net.
>
> I don't understand why I can get 20.15.69.in-addr.arpa but I can't get
> 15.69.in-addr.arpa.

Something looks very misconfigured; dig +trace for 15.69.in-addr.arpa loops
as well :)

--
Brett Carr                              Ripe Network Coordination Centre
System Engineer -- Operations Group     Singel 258 Amsterdam NL
http://www.ripe.net
GPG Key fingerprint = F20D B2A7 C91D E370 44CF  F244 B6A1 EF48 E743 F7D8
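
Added example, not part of either poster's message: the CNAME-based reverse mapping from RFC 2317 that the original question asks the ISP for, generated for both sides (the provider's /24 reverse zone and a zone the customer controls). Only the address 69.15.253.106 comes from the thread; the /29 block size, the zone rev.example.com and the hostname are assumptions made for illustration.

```python
import ipaddress


def rfc2317_records(subnet, target_zone, hosts, ttl=3600):
    """Build both sides of an RFC 2317 CNAME-style reverse mapping.

    subnet      -- IPv4 block longer than /24 (prefix length is an assumption here)
    target_zone -- zone the customer controls that will hold the PTR records
    hosts       -- {address: hostname} for the addresses that should resolve
    Returns (provider_lines, customer_lines) as zone-file text lines.
    """
    net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation only applies to IPv4 blocks longer than /24")
    a, b, c, _ = str(net.network_address).split(".")
    parent_zone = f"{c}.{b}.{a}.in-addr.arpa."
    target_zone = target_zone.rstrip(".") + "."

    # Provider side: one CNAME per address in the block, in the /24 reverse zone.
    provider = []
    for addr in net:
        last = str(addr).rsplit(".", 1)[1]
        provider.append(f"{last}.{parent_zone} {ttl} IN CNAME {last}.{target_zone}")

    # Customer side: PTR records at the CNAME targets, only for listed hosts.
    customer = []
    for ip, name in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}")
        last = str(addr).rsplit(".", 1)[1]
        customer.append(f"{last}.{target_zone} {ttl} IN PTR {name.rstrip('.')}.")
    return provider, customer


if __name__ == "__main__":
    # Constructed sample input: block size, zone and hostname are placeholders.
    prov, cust = rfc2317_records(
        "69.15.253.104/29", "rev.example.com", {"69.15.253.106": "mail.example.com"}
    )
    print("; provider: 253.15.69.in-addr.arpa zone")
    print("\n".join(prov))
    print("; customer: rev.example.com zone")
    print("\n".join(cust))
```

A resolver asking for the PTR of 106.253.15.69.in-addr.arpa follows the provider's CNAME and gets its answer from the customer's zone, so the provider's zone only has to hold CNAME records for the block.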



