reverse DNS ?

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Wed Jun 5 07:25:24 UTC 2002


Brian Bergin <see_footer at domain.com> wrote:

> Trying to figure out how Reverse DNS works on the Internet.  We have
> connectivity from 3 providers and /24's from all of them.  2 of the providers
> allow us to provide RDNS using our internal DNS servers.  The 3rd provider
> claims it's not possible to do what the first 2 are doing.  So for example (IPs
> changed for security):

> Provider 1's /24 is:  28.11.11.0-28.11.11.254
> Provider 2's /24s are: 48.11.11.0-48.11.12.254
> Provider 3's /24's are: 88.11.11.0-88.11.12.254

> We provide RDNS for 1 & 2.  3 says it's not possible.  Does it not work this
> way:

3 probably does not _want_ you to do this.

What they need to do is to mail a delegation change to ARIN/RIPE/APNIC
where the /24 is delegated to your nameservers instead of the ISP.

I would push this hard, up to the line that you drop the
3rd provider if they do not comply!


> For any provider, they get addresses from ARIN, say 88.11.0.0-88.11.254.0 and
> tell ARIN the authoritative DNS servers for that block.  Then they can
> set up DNS on their end for our 2 subnets that they've set up for us and point
> RDNS to us so that reverse resolution works like this:

For a full /24 it's simplest to re-delegate.

For the (few) ISPs that have a /16, they can delegate themselves. Which
provider are you talking about? (We all want to know so we
can avoid them.)



> A client computer makes RDNS request for 88.11.11.4, looks to root servers finds
> that somedns.domaid.com on 88.11.1.12 is authoritative for the parent block and
> sends the client there.  somedns.domaid.com doesn't know what the RDNS is for
> 88.11.11.4 but knows that dns1.ourdomain.com on 88.11.11.2 is authoritative for
> 88.11.11.0 and sends the client there.  dns1.ourdomain.com is then queried and
> returns: host.ourdomain.com.


> If that's not how it works, how are provider 1 & 2 doing this?  I just don't
> want to provide unsecured zone transfers to the ISP for these blocks.  We
> require secured updates, don't allow transfers to DNS servers not listed on the
> name servers page, and secondary servers hosted in another location transfer
> over a VPN link.  Thanks...
> Thanks...
> Brian Bergin

> I can be reached via e-mail at 
> cisco_dot_news_at_comcept_dot_net.  
> Replace _word_ with the corresponding 
> punctuation.


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
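
The referral chain from the quoted question and the per-/24 re-delegation advised in the reply, modelled as an added Python example that is not part of the original thread. The server names come from the question; the /16 parent block, the `host2` record and the "registry" label are assumptions, and all records are constructed sample data.

```python
import ipaddress

ISP_NS = "somedns.domaid.com."        # names taken from the quoted question
CUSTOMER_NS = "dns1.ourdomain.com."
ISP_BLOCK = "88.11.0.0/16"            # assumed size of the provider's parent block

# PTR records held on the customer's own server (constructed sample data;
# host2 is a hypothetical name).
CUSTOMER_PTR = {
    "4.11.11.88.in-addr.arpa.": "host.ourdomain.com.",
    "4.12.11.88.in-addr.arpa.": "host2.ourdomain.com.",
}

def reverse_zone(network):
    """Reverse zone name for an octet-aligned IPv4 block (/8, /16 or /24)."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("not an octet-aligned IPv4 block")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def resolve_ptr(ip, delegated_24s):
    """Follow referrals for ip; return (answer, servers asked in order)."""
    qname = ipaddress.ip_address(ip).reverse_pointer + "."
    asked = ["registry"]                  # delegates the parent block to the ISP
    if not qname.endswith("." + reverse_zone(ISP_BLOCK)):
        return None, asked
    asked.append(ISP_NS)
    for block in delegated_24s:           # NS records in the ISP's reverse zone
        if qname.endswith("." + reverse_zone(block)):
            asked.append(CUSTOMER_NS)     # referral reaches the customer's server
            return CUSTOMER_PTR.get(qname), asked
    return None, asked                    # no referral: customer data is never consulted

if __name__ == "__main__":
    only_first = ["88.11.11.0/24"]        # ISP delegated one /24 but not the other
    print(reverse_zone("88.11.11.0/24"))
    print(resolve_ptr("88.11.11.4", only_first))
    print(resolve_ptr("88.11.12.4", only_first))
```

The second lookup stops at the provider's server even though the customer's server holds a record for that address, which is the situation when the provider does not delegate the /24.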


More information about the bind-users mailing list