reverse DNS resolution...

Derek Ragona derek at computinginnovations.com
Tue Oct 23 07:49:26 PDT 2007


At 07:23 AM 10/23/2007, Eric F Crist wrote:
>On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:
>
>>Eric F Crist wrote:
>>>Hey folks,
>>>
>>>We're trying to get reverse DNS resolution for a block of IPs
>>>(private).  We've had the 10.x network working great at the office
>>>for quite some time now, but I'm having a problem getting the
>>>172.30.x network to work.
>>>
>>>Typing 'host <ip>' returns a valid result, however output from who,
>>>as well as other network services (IRC, apache) only see the IP.  Is
>>>there something I'm missing?
>>>
>>>Thanks for the pointers!
>>Well, your DNS needs to be authoritative for both forward and reverse.
>>If you are trying to do this for less than a /24 block the zone files
>>get messy quick because of the 8-bit boundaries.  You seem to be trying
>>to do this for a /16.  I'll bet you're missing the named.conf entries
>>and related reverse zone files:
>>
>>Odds are you'll want to have zones:
>>
>>zone "1.30.172.in-addr.arpa" {
>>   type master;
>>   file "master/1.30.172.in-addr.arpa";
>>   notify yes;
>>};
>>....
>>zone "255.30.172.in-addr.arpa" {
>>   // or slave config since you'll have more than 1 ns
>>   type slave;
>>   file "slave/255.30.172.in-addr.arpa";
>>   masters { x.y.z.a; };
>>};
>>
>>Or some larger splits of that.
>>
>>You're going to have to give me a netmask for more help.
>
>/16 is the netmask, you already figured that one out. ;)
>
>As I already stated, if I do a host 172.30.x.x, I get the correct
>reverse resolution.  dig works as well.  What isn't working is the
>reverse resolution in certain command outputs, etc.  Maybe there is
>something missing here:
>
>== named.conf ==
>zone "30.172.IN-ADDR.ARPA" {
>         type master;
>         file "master/vpn.rev";
>};
>
>== vpn.rev ==
>
>$TTL 86400
>; Names outside this zone end in a dot, otherwise the origin is appended.
>@       IN SOA snowball2.secure-computing.net. root.secure-computing.net. (
>         1               ; Serial
>         21600           ; Refresh
>         1200            ; Retry
>         1209600         ; Expire
>         3600            ; TTL
>)
>         IN NS   snowball2.secure-computing.net.
>
>; Static vpn ips go here.
>21.1    IN PTR  user1.vpn.
>25.1    IN PTR  user2.vpn.
>29.1    IN PTR  user3.vpn.
>33.1    IN PTR  user4.vpn.
>37.1    IN PTR  user5.vpn.
>41.1    IN PTR  user6.vpn.
>45.1    IN PTR  user7.vpn.
>49.1    IN PTR  user8.vpn.
>53.1    IN PTR  user9.vpn.
>
>; Auto-generate reverse dns for our dynamic block.
>$ORIGIN 0.30.172.in-addr.arpa.
>$GENERATE 2-254 $ PTR 172-30-0-$.vpn.
>
>
>For what it's worth, the hosts I'm testing have snowball2 listed as
>their primary DNS server.  Again, host 172.30.1.21 successfully
>returns user1.vpn, etc.  Just output in w and last, as well as
>certain services such as UnrealIRCd don't resolve these correctly.
>
>Thanks for the help folks!
>-----
>Eric F Crist
>Secure Computing Networks
>

You may need to check your /etc/nsswitch.conf on snowball, and any other 
DNS servers.  Also be sure you are using the same DNS lookup order for the 
clients.

I didn't see snowball's PTR record, so I assume it is correct and all 
servers find it correctly as the primary DNS.

         -Derek
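The following script is an added example and is not code from the thread or from anyone posting in it. It does two things the discussion above touches on: it renders a reverse zone for an octet-aligned block the way the posted vpn.rev is laid out (static PTRs relative to the zone apex plus a $GENERATE block for one dynamic /24, refusing names that lack the trailing dot), and it exposes the two lookup paths that explain why host can succeed while w, last or UnrealIRCd show only the IP: socket.gethostbyaddr() goes through libc and therefore /etc/nsswitch.conf, whereas dig -x talks to the DNS server directly. Function names are the editor's own, the sample host table is constructed to mirror the posted records, and the diagnostic mode assumes dig is installed.

```python
"""Added example: reverse-zone helpers and a two-path PTR lookup check.

Not code from the thread; all function names are the editor's own.
The sample hosts below are constructed to mirror the posted vpn.rev.
"""
import ipaddress
import socket
import subprocess
import sys

# Timer values taken from the posted SOA record: refresh, retry, expire, negative TTL.
SOA_TIMERS = (21600, 1200, 1209600, 3600)


def reverse_name(ip):
    """Owner name a PTR lookup for `ip` queries, e.g. 21.1.30.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_name(network):
    """Zone apex for a network on an octet boundary (/8, /16 or /24).

    Narrower blocks need RFC 2317 style delegation (the 'messy' case
    mentioned in the thread), so they are rejected here.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{net} does not fall on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip, zone):
    """Owner label of `ip` relative to `zone`: 172.30.1.21 in 30.172.in-addr.arpa. is '21.1'."""
    full = reverse_name(ip)
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} is not inside {zone}")
    return full[: -len(zone) - 1]


def build_reverse_zone(network, primary_ns, mailbox, static_hosts, dynamic_subnet,
                       dynamic_domain="vpn.", serial=1):
    """Render a BIND reverse zone: static PTRs plus a $GENERATE block for one dynamic /24."""
    zone = reverse_zone_name(network)
    for name in (primary_ns, mailbox, dynamic_domain, *static_hosts.values()):
        # Without the trailing dot BIND appends the zone origin to the name.
        if not name.endswith("."):
            raise ValueError(f"{name!r} must be fully qualified (trailing dot)")
    refresh, retry, expire, neg_ttl = SOA_TIMERS
    lines = [
        "$TTL 86400",
        f"@\tIN SOA\t{primary_ns} {mailbox} (",
        f"\t{serial}\t; Serial",
        f"\t{refresh}\t; Refresh",
        f"\t{retry}\t; Retry",
        f"\t{expire}\t; Expire",
        f"\t{neg_ttl}\t; Negative cache TTL",
        ")",
        f"\tIN NS\t{primary_ns}",
        "",
        "; Static reverse records; owner names are relative to the zone apex.",
    ]
    for ip in sorted(static_hosts, key=ipaddress.ip_address):
        lines.append(f"{ptr_owner(ip, zone)}\tIN PTR\t{static_hosts[ip]}")
    dyn = ipaddress.ip_network(dynamic_subnet, strict=True)
    if dyn.prefixlen != 24 or not dyn.subnet_of(ipaddress.ip_network(network)):
        raise ValueError(f"{dyn} must be a /24 inside {network}")
    prefix = "-".join(str(dyn.network_address).split(".")[:3])
    lines += [
        "",
        "; Generated reverse records for the dynamic pool.",
        f"$ORIGIN {reverse_zone_name(dynamic_subnet)}",
        f"$GENERATE 2-254 $ PTR {prefix}-$.{dynamic_domain}",
    ]
    return "\n".join(lines) + "\n"


def lookup_via_libc(ip):
    """Path used by w, last, Apache, UnrealIRCd: libc gethostbyaddr(), which follows /etc/nsswitch.conf."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def lookup_via_dns(ip, server=None):
    """Path used by host and dig: a direct DNS query, bypassing nsswitch (assumes dig is installed)."""
    cmd = ["dig", "+short", "-x", ip] + ([f"@{server}"] if server else [])
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout.strip().rstrip(".") or None


# Constructed sample mirroring the posted vpn.rev: user1 at 172.30.1.21 ... user9 at 172.30.1.53.
STATIC_VPN_HOSTS = {f"172.30.1.{4 * n + 17}": f"user{n}.vpn." for n in range(1, 10)}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Diagnostic mode: if dig answers but libc does not, look at
        # nsswitch.conf / resolv.conf on this host, not at the zone file.
        ip = sys.argv[1]
        print(f"libc gethostbyaddr : {lookup_via_libc(ip)}")
        print(f"dig -x             : {lookup_via_dns(ip)}")
    else:
        print(build_reverse_zone("172.30.0.0/16", "snowball2.secure-computing.net.",
                                 "root.secure-computing.net.", STATIC_VPN_HOSTS,
                                 "172.30.0.0/24"), end="")
```

Run it with no arguments to print the rendered zone, or with an address (for example 172.30.1.21) on the box where w or last shows bare IPs; a name from dig but None from libc points at the resolver configuration on that host, which is the check suggested in the reply above.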

