DNS reverse zone problem?

nikolay.nenchev at rbb-sofia.raiffeisen.at nikolay.nenchev at rbb-sofia.raiffeisen.at
Thu Jan 20 04:53:35 PST 2005


I wrote an article http://newweb.zytrax.com/books/dns/ch3/ about the 
reverse zones. 
The idea was that in a classless network it is the same: a 0/26 zone whose PTR records are reached through CNAMEs such as 1.0.z.y.x.in-addr.arpa.
The IP addressing is like this:
example
network : 111.111.111.0/26
ns1.example.com 111.111.111.1

named.conf:
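options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        // Clients allowed to ask this server for names it is NOT
        // authoritative for (answered from cache / by recursion).  Zones
        // below that set their own allow-query override this for their
        // own names.  Anything else from an outside client is logged as
        // "query (cache) ... denied".
        allow-query {
                //any;
                10.0.0.0/24;    // internal addresses.  Was 10.0.0.1/24: a
                                // prefix with host bits set is rejected or
                                // masked with a warning by named-checkconf.
        };
        allow-transfer { none; };
        //allow-recursion { none; };
        version " ";            // hide the BIND version string from clients

        // If named is being used only as a local resolver, this is a safe
        // default.  For named to be accessible to the network, comment
        // this option, specify the proper IP address, or delete this option.
        //listen-on     { 127.0.0.1; };

        // If you have IPv6 enabled on this system, uncomment this option for
        // use as a local resolver.  To give access to the network, specify
        // an IPv6 address, or the keyword "any".
        //listen-on-v6  { ::1; };

        // In addition to the "forwarders" clause, you can force your name
        // server to never initiate queries of its own, but always ask its
        // forwarders only, by enabling the following line:
        //
        //forward only;

        // If you've got a DNS server around at your upstream provider, enter
        // its IP address here, and enable the block below.  This will make you
        // benefit from its cache, thus reduce overall DNS traffic in the
        // Internet.
        /*
        forwarders {
                my-isp-dns;
        };
        */

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need the query-source directive below.
         * Previous versions of BIND always asked questions using port 53,
         * but BIND versions 8 and later use a pseudo-random unprivileged
         * UDP port by default.  Pinning the source port to 53 gives up
         * that randomness, which makes forged answers to this resolver
         * easier to match against outstanding queries; prefer allowing
         * unprivileged UDP source ports through the firewall and dropping
         * the "port 53" part.
         */
        query-source address * port 53;
};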

#disable lame logging

logging {
        // Lame-server reports are noisy and rarely actionable; discard them.
        category lame-servers { null; };
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// Root hints, needed for recursion.
zone "." {
        type hint;
        file "named.root";
};

// Reverse zone for the loopback network.
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
};

// RFC 3152: ip6.arpa reverse zone for ::1.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "master/localhost-v6.rev";
};

// RFC 1886 ip6.int form of the same zone (deprecated); served from the same file.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "master/localhost-v6.rev";
};

 
//###########################################
//              CONFIGURATION
//###########################################

// Forward zone.  Queries are open to everyone; transfers are limited to
// the "myslaves" ACL, which has to be defined elsewhere in named.conf.
zone "example.com" {
        type master;
        file "master/example.com";
        allow-query    { any; };
        allow-transfer { myslaves; };
};

// Classless (presumably RFC 2317 style) reverse zone for 111.111.111.0/26.
// This server is authoritative only for names under
// 0/26.111.111.111.in-addr.arpa; a query for the plain
// 1.111.111.111.in-addr.arpa name is outside that zone, is handled as a
// cache query and is therefore subject to the global allow-query.  The
// parent 111.111.111.in-addr.arpa zone must hold the CNAMEs that point
// each address at this zone for the PTRs here to be reachable.
zone "0/26.111.111.111.in-addr.arpa" {
        type master;
        file "master/example.com.rev";
        allow-query    { any; };
        allow-transfer { myslaves; };
};
zone file (master/example.com.rev):

$TTL 3600
$ORIGIN 0/26.111.111.111.in-addr.arpa.
; Reverse zone for the 111.111.111.0/26 block.  Unqualified owner names
; below are relative to $ORIGIN, so "1" is 1.0/26.111.111.111.in-addr.arpa.
; and only resolves for clients that reach it through a CNAME in the
; parent 111.111.111.in-addr.arpa zone (not shown here).
@ IN SOA ns1.example.com. root.example.com. (
                        2005011901      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        3600 )          ; Minimum

; Authoritative servers for this zone.
@       IN NS   ns1.example.com.
@       IN NS   ns.example.com.

; Host address -> name mappings (last octet of the address as owner).
1     IN PTR  ns1.example.com.
7     IN PTR  mail1.example.com.
5     IN PTR example.com.


error message:

named[96142]: client 209.120.155.226#8539: query (cache) 
'1.111.111.111.in-addr.arpa/PTR/IN' denied



> 
> zone "0/26.XXX.XXX.XXX.in-addr.arpa." {
>         type master;
>         file "master/example.com.rev"
>         allow-query { any; } ;
>         allow-transfer {
>                         myslave server;
>         } ;
> };

That's a very strange zone declaration.  You'd normally have
a zone named 0.z.y.x.in-addr.arpa with PTR records for 1-62 in it,
with that zone delegated to you.  The parent z.y.x.in-addr.arpa zone
would then contain CNAMEs such as:

$ORIGIN z.y.x.in-addr.arpa.
1                IN              CNAME           1.0.z.y.x.in-addr.arpa.
2                IN              CNAME           2.0.z.y.x.in-addr.arpa.

Anyway, I think the zone name above is your problem.

Failing that, please explain how your reverse DNS is delegated (note: at
times like this, obfuscation of IP addresses is likely to make it harder
for me to understand your situation, so I may just give up if you
continue to do this).

Ceri

PS. This is *way* off-topic for current at .

