reverse DNS
Mark_Andrews at isc.org
Thu Jul 11 23:07:37 UTC 2002
>
> Ok, running dig (dig +norec version.bind txt chaos @127.0.0.1) on the
> loopback comes back fine.
>
> Running dig on the real IP also works.
>
> Running it from another dmz host to the real IP works as well.
>
> From the LAN it works as well as outside.
>
> All the tests to the 12.x.x.x address, return the same results:
>
> [root at glaids root]# dig +norec version.bind txt chaos @12.108.32.11
>
> ; <<>> DiG 9.1.3 <<>> +norec version.bind txt chaos @12.108.32.11
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55320
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;version.bind. CH TXT
>
> ;; ANSWER SECTION:
> version.bind. 0 CH TXT "9.1.3"
>
> ;; Query time: 21 msec
> ;; SERVER: 12.108.32.11#53(12.108.32.11)
> ;; WHEN: Thu Jul 11 12:19:06 2002
> ;; MSG SIZE rcvd: 48
>
> All the tests to the 10.x.x.x address, return the same results:
>
> [root at glamon root]# dig +norec version.bind txt chaos @10.117.3.11
>
> ; <<>> DiG 9.1.3 <<>> +norec version.bind txt chaos @10.117.3.11
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6662
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;version.bind. CH TXT
>
> ;; ANSWER SECTION:
> version.bind. 0 CH TXT "9.1.3"
>
> ;; Query time: 34 msec
> ;; SERVER: 10.117.3.11#53(10.117.3.11)
> ;; WHEN: Thu Jul 11 12:05:54 2002
> ;; MSG SIZE rcvd: 48
>
> I do not have any 10.IN-ADDR.ARPA zones in any files as I'm using split dns.
> All machines in the dmz have a real 10.x.x.x IP, so should I add the
> 10.IN-ADDR.ARPA zone? If so how would I hide these addresses from the
> Internet?
Now you tell us you are using split DNS. How do you expect
anyone to be able to help you if you don't supply *all* the
details?
Which nameserver is your internal nameserver?
Which nameserver is your external nameserver?
What do you have in /etc/resolv.conf?
Were you trying to look up the reverse of something served by
the internal or external nameserver?
Are there *no* errors reported in the logs of both servers
when they start?
Mark
>
> -Devon
>
>
>
> -----Original Message-----
> From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> Sent: Wednesday, July 10, 2002 8:19 PM
> To: Devon Harding - GTHLA
> Cc: bind-users at isc.org
> Subject: Re: reverse DNS
>
>
> First things first. You need to make sure you can query
> the nameserver from the nameserver. Try the loopback address
> first with a non-recursive query.
>
> dig +norec version.bind txt chaos @127.0.0.1
>
> Next try the external interface on the box
>
> dig +norec version.bind txt chaos @10.x.x.x
>
> Providing the nameserver is running these should get answers.
> If you don't get answers then you need to check the firewall
> on the box (ipchains and/or iptables).
>
> Next you need to work outward.
> From another box in your dmz try to make a query to your server
>
> dig +norec version.bind txt chaos @10.x.x.x
>
> If this doesn't work check the firewall on the test machine
> and on the nameserver.
>
> Then from your lan
>
> dig +norec version.bind txt chaos @10.x.x.x
> and/or
> dig +norec version.bind txt chaos @12.x.x.x
>
> depending upon where the NAT functionality is occurring.
>
> Then from outside
>
> dig +norec version.bind txt chaos @12.x.x.x
>
> Note: since you are using RFC 1918 (net 10) addresses you should
> also be serving the appropriate IN-ADDR.ARPA zones (10.IN-ADDR.ARPA)
> You may also want to use views to hide 10.IN-ADDR.ARPA from outside
> but keep things simple first then work up.
>
> Mark
>
> > This is the current setup of my dns server in my dmz.
> >
> >
> > 12.x.x.x (Static NAT)
> > DMZ------DNS Server (Bind 9.1.3)
> > | 10.x.x.x (Real IP)
> > |
> > Internet----------FW-1
> > |
> > |
> > LAN
> >
> > /etc/named.conf:
> > options {
> > directory "/var/named";
> > };
> > key "rndckey"{
> > algorithm "hmac-md5";
> > secret "ko3EjjIw+4Tf8BKHZqjq+g==";
> > };
> > controls{
> > inet 127.0.0.1 allow{
> > localhost;
> > } keys{
> > "rndckey";
> > };
> > };
> > zone "." {
> > type hint;
> > file "named.ca";
> > };
> > zone "domain.com" {
> > type master;
> > file "domain.com";
> > notify yes;
> > };
> > zone "x.x.12.IN-ADDR.ARPA" {
> > type master;
> > file "12.x.x";
> > notify yes;
> > };
> > zone "0.0.127.IN-ADDR.ARPA" {
> > type master;
> > file "127.0.0";
> > };
> >
> > /var/named/domain.com:
> > $TTL 43200
> > @ IN SOA felix.domain.com.
> > hostmaster.felix.domain.com. (
> > 2002070102 ; serial
> > 30 ; refresh
> > 15 ; retry
> > 14D ; expire
> > 12H ; default_ttl
> > )
> >
> > ns2 IN A 12.x.x.x
> > ns1 IN A 12.x.x.x
> > www IN A 12.x.x.x
> > mail IN A 12.x.x.x
> > mail2 IN A 12.x.x.x
> > @ IN MX 5 mail.domain.com.
> > @ IN MX 10 mail2.domain.com.
> > @ IN NS ns1.domain.com.
> > @ IN NS ns2.domain.com.
> >
> > /var/named/12.108.32:
> > $TTL 43200
> > @ IN SOA ns1.domain.com.
> > hostmaster.felix.domain.com. (
> > 2002070102 ; serial
> > 1H ; refresh
> > 15 ; retry
> > 14D ; expire
> > 12H ; default_ttl
> > )
> > IN NS ns1.domain.com.
> > IN NS ns2.domain.com.
> >
> > 110 IN PTR systems1.domain.com.
> > 65 IN PTR netop.domain.com.
> >
> > -Devon
> >
> > -----Original Message-----
> > From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> > Sent: Wednesday, July 10, 2002 10:37 AM
> > To: Devon Harding - GTHLA
> > Cc: bind-users at isc.org
> > Subject: Re: reverse DNS
> >
> >
> > > The 12.x.x file actually looks like this:
> > >
> > > $TTL 43200
> > > @ IN SOA ns1.domain.com.
> > > hostmaster.felix.domain.com. (
> > > 2002070102 ; serial
> > > 1H ; refresh
> > > 15 ; retry
> > > 14D ; expire
> > > 12H ; default_ttl
> > > )
> > > 110 IN PTR systems1.domain.com.
> > > 65 IN PTR netop.domain.com.
> > > 12 IN PTR vpn.domain.com.
> > > 18 IN PTR glamon.domain.com.
> > > 44 IN PTR mail.doamin.com.
> > > 47 IN PTR mail2.domain.com.
> > > 228 IN PTR mason2.domain.com.
> > > 61 IN PTR webmail1.doamin.com.
> > > 62 IN PTR webmail2.domain.com.
> > > @ IN NS ns1.domain.com.
> > > @ IN NS ns2.domain.com.
> > >
> > > I left a few lines out in the last post. But the NS records are there.
> >
> > Conventionally the NS records follow the SOA record.
> > >
> > > What's causing it not to connect from 'dig -x x.x.x.x'?
> >
> > Firewall? Error in resolv.conf?
> >
> > Mark
> >
> > >
> > > -Devon
> > >
> > > -----Original Message-----
> > > From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> > > Sent: Tuesday, July 09, 2002 5:57 PM
> > > To: Devon Harding - GTHLA
> > > Cc: bind-users at isc.org
> > > Subject: Re: reverse DNS
> > >
> > >
> > > >
> > > > For some reason, I cannot do a reverse lookup on my IP address on my RH7.2
> > > > system. When I do a 'dig -x 12.x.x.x', I get the following error: ';;
> > > > connection timed out; no servers could be reached'
> > >
> > > Did you read your log files before posting?
> > > You are missing the NS records for the zone.
> > >
> > > Mark
> > >
> > > > Here are my DNS files:
> > > >
> > > > named.conf
> > > >
> > > > options {
> > > > directory "/var/named";
> > > > };
> > > > key "rndckey"{
> > > > algorithm "hmac-md5";
> > > > secret "ko3EjjIw+4Tf8BKHZqjq+g==";
> > > > };
> > > > controls{
> > > > inet 127.0.0.1 allow{
> > > > localhost;
> > > > } keys{
> > > > "rndckey";
> > > > };
> > > > };
> > > > zone "." {
> > > > type hint;
> > > > file "named.ca";
> > > > };
> > > > zone "domain.com" {
> > > > type master;
> > > > file "domain.com";
> > > > notify yes;
> > > > };
> > > > zone "x.x.12.IN-ADDR.ARPA" {
> > > > type master;
> > > > file "12.x.x";
> > > > notify yes;
> > > > };
> > > > zone "0.0.127.IN-ADDR.ARPA" {
> > > > type master;
> > > > file "127.0.0";
> > > > };
> > > >
> > > > 12.x.x:
> > > >
> > > > $TTL 43200
> > > > @ IN SOA ns1.domain.com. hostmaster.domain.com. (
> > > > 2002070102 ; serial
> > > > 1H ; refresh
> > > > 15 ; retry
> > > > 14D ; expire
> > > > 12H ; default_ttl
> > > > )
> > > > 110 IN PTR systems1.domain.com.
> > > > 65 IN PTR netop.domain.com.
> > > >
> > > > -Devon
> > > >
> > --
> > Mark Andrews, Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
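Added worked example, not code from this thread or from BIND: a small Python script that shows the two points Mark keeps returning to, the name that `dig -x` actually asks for, and a reverse zone that loads because its NS records are present at the apex (and, by convention, sit right after the SOA). It also renders the 10.IN-ADDR.ARPA zone the DMZ hosts are missing. The zone parser, `check_zone`, `render_reverse_zone`, the host inventory and the copy of the first posted 12.x.x file are all constructed here; only the host names are taken from the thread. As a practitioner would note from the posted configuration: the rndc secret is now public and should be replaced, the servers answer `version.bind` with their exact release (set `version` under `options` if that is not wanted; the probe still gets a NOERROR answer), and the rendered net-10 zone belongs in an internal view only, as Mark suggests.

```python
"""Reverse-zone checks for the split-DNS setup in the thread (added example, constructed data)."""
import ipaddress
import re

ZONE_10 = "10.in-addr.arpa."   # reverse zone for the RFC 1918 net-10 space used in the DMZ


def reverse_name(ip):
    """Owner name that `dig -x IP` queries (RFC 1035 in-addr.arpa form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def relative_owner(ip, zone):
    """Owner label of IP inside ZONE, e.g. 10.117.3.11 in 10.in-addr.arpa. -> 11.3.117"""
    name, zone = reverse_name(ip), zone.lower()
    if not name.endswith("." + zone):
        raise ValueError(f"{ip} is not inside {zone}")
    return name[: -(len(zone) + 1)]


def parse_zone(text):
    """Minimal master-file reader: drops comments, joins parenthesised records,
    skips $ directives and applies owner inheritance (a line starting with
    whitespace reuses the previous owner). Returns [(owner, type, rdata_fields)]."""
    records, owner, entries, buf, depth = [], "@", [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip ';' comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:                                # record is complete
            entries.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    for entry in entries:
        if entry.startswith("$"):                     # $TTL / $ORIGIN are not RRs
            continue
        fields = entry.split()
        if not entry[0].isspace():                    # explicit owner on this line
            owner = fields.pop(0)
        # an optional TTL (30, 1H, ...) and/or class may precede the type
        while fields and (fields[0].upper() in ("IN", "CH")
                          or re.fullmatch(r"\d+[smhdw]?", fields[0], re.I)):
            fields.pop(0)
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def check_zone(text):
    """Apex checks: the missing-NS error named logs at load time, plus the
    SOA-then-NS ordering convention mentioned in the thread."""
    recs = parse_zone(text)
    apex = [(i, t) for i, (o, t, _) in enumerate(recs) if o == "@"]
    problems = []
    if sum(1 for _, t in apex if t == "SOA") != 1:
        problems.append("zone needs exactly one SOA record at the apex")
    ns_positions = [i for i, t in apex if t == "NS"]
    if not ns_positions:
        problems.append("no NS records at the apex: named rejects the zone at load time")
    elif ns_positions[0] != 1:
        problems.append("NS records should follow the SOA record (convention, not an error)")
    return problems


def render_reverse_zone(zone, primary, hostmaster, nameservers, ptrs, serial):
    """Master file for ZONE: SOA first, NS records right after it, PTRs sorted
    by address. PTRS maps dotted IPv4 -> canonical host name (trailing dot)."""
    lines = [
        "$TTL 43200",
        f"@ IN SOA {primary} {hostmaster} (",
        f"    {serial} ; serial",
        "    1H ; refresh", "    15M ; retry", "    14D ; expire", "    12H ; minimum",
        "    )",
    ]
    lines += [f"    IN NS {ns}" for ns in nameservers]
    for ip in sorted(ptrs, key=ipaddress.IPv4Address):
        lines.append(f"{relative_owner(ip, zone)} IN PTR {ptrs[ip]}")
    return "\n".join(lines) + "\n"


# Constructed copy of the first 12.x.x file as posted: SOA and PTRs, no NS.
AS_POSTED = """\
$TTL 43200
@ IN SOA ns1.domain.com. hostmaster.domain.com. (
    2002070102 ; serial
    1H ; refresh
    15 ; retry
    14D ; expire
    12H ; default_ttl
    )
110 IN PTR systems1.domain.com.
65 IN PTR netop.domain.com.
"""

# Constructed DMZ inventory for the net-10 reverse zone the thread says is missing.
DMZ_HOSTS = {"10.117.3.11": "ns1.domain.com.", "10.117.3.18": "glamon.domain.com."}

if __name__ == "__main__":
    print(reverse_name("12.108.32.11"))        # what `dig -x 12.108.32.11` asks for
    print(check_zone(AS_POSTED))               # reports the missing apex NS
    fixed = render_reverse_zone(ZONE_10, "ns1.domain.com.", "hostmaster.domain.com.",
                                ["ns1.domain.com.", "ns2.domain.com."], DMZ_HOSTS, 2002071101)
    print(fixed)
    print(check_zone(fixed))                   # []
```

Point `check_zone` at the real file before reloading named: the missing-NS case is exactly what shows up in the log Mark asked about, and catching it before the reload avoids an unloaded zone that then looks like a "no servers could be reached" timeout from the client side.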