reverse lookup via "type forward" - possible? realistic? feasible?
phn at icke-reklam.ipsec.nu
Wed Mar 17 19:13:33 UTC 2004
Ian Diddams <didds2 at excite.com> wrote:
> Just built a brand spanking new dns server using bind 9.2.3.
> Its working a treat - master for 127.0.0 and resolves external
> addresses via root.hints.
> It also - as requested by users - (forward) resolves internal domain
> addresses via a type forward statement.
> here's the named.conf :
> options {
>     directory "/var/named";
> };
>
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "127.0.0";
> };
>
> zone "." {
>     type hint;
>     file "root.hints";
> };
>
> zone "wxyz.co.uk" {
>     type forward;
>     forwarders {
>         a.b.c.d;
>         e.f.g.h;
>     };
> };
> where the two forwarders a.b.c.d and e.f.g.h are internal dns servers.
> All well and good.
> But... how do I resolve reverse lookups? e.g. if fred.wxyz.co.uk has
> ip 121.122.123.124, how do I use a similar concept (ie type forward)
> to resolve that?
> Presumably something along the lines of
> zone "123.122.121" { [or should that just be "121.122.123" ?]
>     type forward;
>     forwarders {
>         a.b.c.d;
>         e.f.g.h;
>     };
> };
Not really, remember that ip-addresses are "delegated" under
in-addr.arpa; the above should read:
zone "123.122.121.in-addr.arpa" {
    type forward;
    forwarders {
        a.b.c.d;
        e.f.g.h;
    };
};
> But IF that's true... and wxyz.co.uk actually has dozens of subnets,
> then presumably I would need a "type forward" section for every
> subnet?
Yes, unless you cross the 8-bit limit, if a full "B-net" is
used the above could be written:
zone "122.121.in-addr.arpa" {
    type forward;
    forwarders {
        a.b.c.d;
        e.f.g.h;
    };
};
> And if THAT's true, if a new subnet is introduced naturally the
> named.conf would need to be updated to reflect it?
Yes.
> Finally, presumably the whole thing could be covered by a forwarder
> statement within the options section (and the type forward section
> above removed I guess!)... what effect would that have on the
> external resolution (if any) given that the users for reasons best
> known to themselves require THIS dns box to resolve external addresses
> and NOT the forwarders. (hope that last bit made sense!).
Use views to do that.
> cheers!
> ian
-- 
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
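
Added example, not part of the original thread: since every internal subnet needs its own "type forward" reverse zone, and a new subnet means another named.conf edit, the stanzas can be generated from a subnet list. The function names, the /22 subnet and the forwarder addresses 192.0.2.53 and 192.0.2.54 are assumptions made for illustration; the thread gives its forwarders only as a.b.c.d and e.f.g.h.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that cover one IPv4 network.

    Reverse zones are cut on octet boundaries, so a prefix that is not
    /8, /16 or /24 is split at the next boundary (a /22 becomes four
    /24 zones), and anything smaller than a /24 maps to its enclosing /24.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects stray host bits
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    boundary = max(8, -(-net.prefixlen // 8) * 8)   # round up to 8, 16 or 24
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def forward_stanzas(cidrs, forwarders):
    """Render one "type forward" zone per reverse zone, without duplicates."""
    seen = []
    for cidr in cidrs:
        for zone in reverse_zones(cidr):
            if zone not in seen:
                seen.append(zone)
    fwd = "".join(f"        {ip};\n" for ip in forwarders)
    return "".join(
        f'zone "{zone}" {{\n    type forward;\n    forwarders {{\n{fwd}    }};\n}};\n'
        for zone in seen
    )

if __name__ == "__main__":
    # Constructed inputs: the /24 holding the thread's 121.122.123.124,
    # plus a hypothetical /22, and placeholder forwarder addresses.
    subnets = ["121.122.123.0/24", "121.122.124.0/22"]
    print(forward_stanzas(subnets, ["192.0.2.53", "192.0.2.54"]))
```

For a subnet smaller than a /24 the generated zone covers the whole enclosing /24, so reverse queries for the rest of that /24 are sent to the internal forwarders as well.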