DNS reverse zone problem?
nikolay.nenchev at rbb-sofia.raiffeisen.at
nikolay.nenchev at rbb-sofia.raiffeisen.at
Thu Jan 20 04:53:35 PST 2005
I wrote an article http://newweb.zytrax.com/books/dns/ch3/ about the
reverse zones.
the idea was that in classless network it is the same 0/26 with PTR
records = CNAME 1.0.z.y.x.in-addr.arpa.
and about the ip address is like that:
example
network : 111.111.111.0/26
ns1.example.com 111.111.111.1
named.conf:
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
allow-query { //any;
10.0.0.1/24; #internal ip addresses
} ;
allow-transfer { none; } ;
//allow-recursion { none; } ;
version " " ;
// If named is being used only as a local resolver, this is a safe
default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
//listen-on { 127.0.0.1; };
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the
Internet.
/*
forwarders {
my-isp-dns;
};
*/
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
query-source address * port 53;
};
#disable lame logging
logging {
category lame-servers { null; };
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
// RFC 3152
zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
{
type master;
file "master/localhost-v6.rev";
};
// RFC 1886 -- deprecated
zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT"
{
type master;
file "master/localhost-v6.rev";
};
//###########################################
// CONFIGURATION
//###########################################
zone "example.com" {
type master;
file "master/example.com";
allow-query { any; };
allow-transfer { myslaves;
};
};
zone "0/26.111.111.111.in-addr.arpa" {
type master;
file "master/example.com.rev";
allow-query { any; };
allow-transfer { myslaves;
};
};
zone file:
$TTL 3600
$ORIGIN 0/26.111.111.111.in-addr.arpa.
@ IN SOA ns1.example.com. root.example.com. (
2005011901 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
3600 ) ; Minimum
@ IN NS ns1.example.com.
@ IN NS ns.example.com.
1 IN PTR ns1.example.com.
7 IN PTR mail1.example.com.
5 IN PTR example.com.
error message:
named[96142]: client 209.120.155.226#8539: query (cache)
'1.111.111.111.in-addr.arpa/PTR/IN' denied
>
> zone "0/26.XXX.XXX.XXX.in-addr.arpa." {
> type master;
> file "master/example.com.rev"
> allow-query { any; } ;
> allow-transfer {
> myslave server;
> } ;
> };
That's a very strange zone declaration. You'd normally have
a zone named 0.z.y.x.in-addr.arpa with PTR records from 1-62 therein,
and the above zone delegated to you. Then the z.y.x.in-addr.arpa zone
would include CNAMEs such as:
$ORIGIN z.y.x.in-addr.arpa.
1 IN CNAME 1.0.z.y.x.in-addr.arpa.
2 IN CNAME 2.0.z.y.x.in-addr.arpa.
Anyway, I think the zone name above is your problem.
Failing that, please explain how your reverse DNS is delegated (note: at
times like this, obfuscation of IP addresses is likely to make it harder
for me to understand your situation, so I may just give up if you
continue to do this).
Ceri
PS. This is *way* off-topic for current at .
More information about the freebsd-questions
mailing list