reverse DNS resolution...
Derek Ragona
derek at computinginnovations.com
Tue Oct 23 07:49:26 PDT 2007
At 07:23 AM 10/23/2007, Eric F Crist wrote:
>On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:
>
>>Eric F Crist wrote:
>>>Hey folks,
>>>
>>>We're trying to get reverse DNS resolution for a block of IPs
>>>(private). We've had the 10.x network working great at the office
>>>for quite some time now, but I'm having a problem getting the
>>>172.30.x network to work.
>>>
>>>Typing 'host <ip>' returns a valid result, however output from who,
>>>as well as other network services (IRC, apache) only see the IP. Is
>>>there something I'm missing?
>>>
>>>Thanks for the pointers!
>>Well, your DNS needs to be authoritative for both forward and reverse.
>>If you are trying to do this for less than a /24 block the zone files
>>get messy quick because of the 8-bit boundaries. You seem to be trying
>>to do this for a /16. I'll bet you're missing the named.conf entries
>>and related reverse zone files:
>>
>>Odds are you'll want to have zones:
>>
>>zone "1.30.172.in-addr.arpa" {
>> type master;
>> file "master/1.30.172.in-addr.arpa";
>> notify yes;
>>};
>>....
>>zone "255.30.172.in-addr.arpa" {
>> // or slave config since you'll have more than 1 ns
>> type slave;
>> file "slave/255.30.172.in-addr.arpa";
>> masters { x.y.z.a; };
>>};
>>
>>Or some larger splits of that.
>>
>>You're going to have to give me a netmask for more help.
>
>/16 is the netmask, you already figured that one out. ;)
>
>As I already stated, if I do a host 172.30.x.x, I get the correct
>reverse resolution. dig works as well. What isn't working is the
>reverse resolution in certain command outputs, etc. Maybe there is
>something missing here:
>
>== named.conf ==
>zone "30.172.IN-ADDR.ARPA" {
> type master;
> file "master/vpn.rev";
>};
>
>== vpn.rev ==
>
>$TTL 86400
>; Names without a trailing dot get the zone origin appended, so the
>; SOA and NS names must be written fully qualified.
>@ IN SOA snowball2.secure-computing.net. root.secure-computing.net. (
> 1 ; Serial
> 21600 ; Refresh
> 1200 ; Retry
> 1209600 ; Expire
> 3600 ; Negative cache TTL
>)
> IN NS snowball2.secure-computing.net.
>
>; Static vpn ips go here.
>21.1 IN PTR user1.vpn.
>25.1 IN PTR user2.vpn.
>29.1 IN PTR user3.vpn.
>33.1 IN PTR user4.vpn.
>37.1 IN PTR user5.vpn.
>41.1 IN PTR user6.vpn.
>45.1 IN PTR user7.vpn.
>49.1 IN PTR user8.vpn.
>53.1 IN PTR user9.vpn.
>
>; Auto-generate reverse dns for our dynamic block.
>$ORIGIN 0.30.172.in-addr.arpa.
>$GENERATE 2-254 $ PTR 172-30-0-$.vpn.
>
>
>For what it's worth, the hosts I'm testing have snowball2 listed as
>their primary DNS server. Again, host 172.30.1.21 successfully
>returns user1.vpn, etc. Just output in w and last, as well as
>certain services such as UnrealIRCd don't resolve these correctly.
>
>Thanks for the help folks!
>-----
>Eric F Crist
>Secure Computing Networks
>
You may need to check your /etc/nsswitch.conf on snowball, and any other
DNS servers. Also be sure you are using the same DNS lookup order for the
clients.
I didn't see snowball's PTR record, so I assume it is correct and all
servers find it correctly as the primary DNS.
-Derek
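To see exactly which PTR records the posted vpn.rev file defines under the origin 30.172.IN-ADDR.ARPA from named.conf, the following script expands the zone the way BIND does ($ORIGIN, relative owner names, and a plain-`$` $GENERATE) and builds an IP-to-name map. It is an added example for this thread, not code from any of the posters; the zone text inside it is a constructed copy of the vpn.rev from the thread (shortened to two static entries), and the parser handles only the simple `$` substitution form of $GENERATE, not the `${offset,width,base}` form. The `qualify` helper also shows why an SOA or NS name without a trailing dot silently becomes a name inside the reverse zone.

```python
"""Expand a BIND reverse zone ($ORIGIN / $GENERATE) into an IP -> PTR map."""
import re
from typing import Dict, Iterator, Optional

# Constructed sample mirroring the vpn.rev posted in the thread.
SAMPLE_ZONE = """\
$TTL 86400
@ IN SOA snowball2.secure-computing.net. root.secure-computing.net. (
        1       ; Serial
        21600   ; Refresh
        1200    ; Retry
        1209600 ; Expire
        3600    ; Negative cache TTL
)
        IN NS snowball2.secure-computing.net.

; Static vpn ips go here.
21.1 IN PTR user1.vpn.
25.1 IN PTR user2.vpn.

; Auto-generate reverse dns for our dynamic block.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-254 $ PTR 172-30-0-$.vpn.
"""


def qualify(name: str, origin: str) -> str:
    """Zone-file name rules: '@' is the origin, a trailing dot means fully
    qualified, and any other name gets the current origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def arpa_to_ip(fqdn: str) -> Optional[str]:
    """'21.1.30.172.in-addr.arpa.' -> '172.30.1.21'; None if not an IPv4 PTR owner."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]  # reverse-zone labels are in reversed octet order
    if not all(re.fullmatch(r"\d{1,3}", o) and int(o) <= 255 for o in octets):
        return None
    return ".".join(octets)


def _logical_lines(text: str) -> Iterator[str]:
    """Strip ';' comments and join parenthesised continuation lines (SOA)."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf = line if depth == 0 else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield buf


def _add(ptrs: Dict[str, str], owner: str, target: str, origin: str) -> None:
    ip = arpa_to_ip(qualify(owner, origin))
    if ip is not None:
        ptrs[ip] = qualify(target, origin)


def expand_reverse_zone(text: str, zone_origin: str) -> Dict[str, str]:
    """Return {ip: ptr_target} for every PTR record the zone defines.
    zone_origin is the name from the named.conf zone statement."""
    origin = zone_origin.lower()
    if not origin.endswith("."):
        origin += "."
    owner, ptrs = "@", {}
    for line in _logical_lines(text):
        tokens = line.split()
        directive = tokens[0].upper()
        if directive == "$TTL":
            continue
        if directive == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if directive == "$GENERATE":  # only the plain '$' substitution form
            rng, lhs, rtype, rhs = tokens[1:5]
            if rtype.upper() != "PTR":
                continue
            span, _, step = rng.partition("/")
            start, stop = (int(x) for x in span.split("-"))
            for i in range(start, stop + 1, int(step) if step else 1):
                _add(ptrs, lhs.replace("$", str(i)), rhs.replace("$", str(i)), origin)
            continue
        if not line[0].isspace():  # a leading blank keeps the previous owner
            owner = tokens[0]
        upper = [t.upper() for t in tokens]
        if "PTR" in upper:
            _add(ptrs, owner, tokens[upper.index("PTR") + 1], origin)
    return ptrs


PTR_MAP = expand_reverse_zone(SAMPLE_ZONE, "30.172.IN-ADDR.ARPA")


def reverse_lookup(ip: str) -> Optional[str]:
    """Name the zone would answer for ip, or None if no PTR exists."""
    return PTR_MAP.get(ip)


if __name__ == "__main__":
    for ip in ("172.30.1.21", "172.30.0.100", "172.30.0.1"):
        print(ip, "->", reverse_lookup(ip))
    print("unqualified SOA name becomes:",
          qualify("snowball2.secure-computing.net", "30.172.in-addr.arpa."))
```

Running it shows that 172.30.1.21 resolves to user1.vpn. and the dynamic block to 172-30-0-N.vpn., while 172.30.0.1 has no PTR at all because the $GENERATE range starts at 2; any host that was handed that address will always show as a bare IP, whatever the resolver order on the client.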