reverse dns does not work

Kevin Darcy kcd at daimlerchrysler.com
Wed Sep 6 00:48:51 UTC 2000


This is all messed up:

.    Concentric delegates 64/26.83.112.216.in-addr.arpa to all 4 of its nameservers as well as
your server, but none of their nameservers answer authoritatively for the zone.

.    It looks like nameserver3.concentric.net was configured as a slave of the zone at some
point, and then zone transfers broke, since it has a stale SOA serial number (2000041919 instead
of 2000090118).

.    Furthermore, it looks like the zone on nameserver3.concentric.net has expired, since it is
returning SERVFAIL for queries of non-existent names in its copy of the zone. Since the "100"
entry apparently isn't in its stale copy of the zone, it's returning SERVFAIL for that.

.    Looks like nameserver2.concentric.net is also affected: when you do an SOA query of
64/26.83.112.216.in-addr.arpa from that server, you get the same stale serial number as above.
Yet when you make a 216.112.83.100 query, nameserver2 is able to resolve it
(non-authoritatively). This probably means that nameserver2 is *forwarding* to nameserver3, but
with the "forward first" behavior. This explains why it returns the same stale SOA as nameserver3
while at the same time being able, unlike nameserver3, to resolve the PTR -- because the
SERVFAIL would cause it to fetch the PTR record itself.

Tell Concentric that if they delegate a zone to 4 of their servers, then ALL 4 OF THOSE SERVERS
SHOULD BE SUCCESSFULLY TRANSFERRING THE ZONE. Apparently they're not even close to this: looks
like they have two nameservers which were never configured as slaves, one which was a slave but
zone transfers broke, and another which is forwarding to the broken one.

In the meantime, I'd stop listing nameserver3.concentric.net in your zone NS'es. It's usually a
bad idea to have only 1 NS in a zone, but if that happens to be the only NS which can provide
authoritative, non-SERVFAIL answers to the queries, that's better than wasting everyone's time
and resources with garbage responses...


- Kevin


bzhang at sohar.com wrote:

> If you point server to nameserver1.concentric.net, you can reverse dns
> lookup 216.112.83.70 (fermi.sohar.com),
> 216.112.83.111(sohar60.sohar.com) and finally the troublesome
> 216.112.83.100(sohar54.sohar.com). But if you point to
> nameserver3.concentric.net, you can reverse dns lookup the first two,
> but not the troublesome 216.112.83.100.
>
> I have talked with at least six different people at Concentric.net and
> got different answers each time. What should I tell me to correct
> everything?
>
> Bing
>
> On 1 Sep 2000 21:17:19 -0700, Kevin Darcy <kcd at daimlerchrysler.com>
> wrote:
>
> >
> >nameserver3.concentric.net still appears to be flaky, sometimes answering with only a CNAME
> >in the Answer Section, other times with SERVFAIL. So it's the luck of the draw whether the
> >query gets answered correctly or not.
> >
> >
> >- Kevin
> >
> >Mr. James W. Laferriere wrote:
> >
> >>         Hello Bing , I do a nslookup 216.112.83.100 , I get :
> >> Server:  ns1.tpl.lib.wa.us
> >> Address:  192.103.195.1
> >>
> >> Name:    sohar54.sohar.com
> >> Address:  216.112.83.100
> >> Aliases:  100.83.112.216.in-addr.arpa
> >>
> >>         From another host :
> >> Server:  ns1.baby-dragons.com
> >> Address:  199.33.245.254
> >>
> >> Name:    sohar54.sohar.com
> >> Address:  216.112.83.100
> >> Aliases:  100.83.112.216.in-addr.arpa
> >>
> >>         So something else you have changed or your provider finally
> >>         heard your update request got it working now .
> >>
> >>
> >>
> >> On 2 Sep 2000 bzhang at sohar.com wrote:
> >> > OK, I changed my NS not pointing to CNAME. Now it is pointing
> >> > sohar58.sohar.com.
> >> >
> >> > If you set server to ours, sohar58.sohar.com, you can resolve the
> >> > 216.112.83.100. But if you point to the other server,
> >> > nameserver3.concentric.net, which is our ISP and serves as our
> >> > secondary dns server, you can not resolve it. What is the problem?
> >> >
> >> > I do not know how our ISP set up nameserver3.concentric.net as our
> >> > secondary dns server, they
> >> > agreed, but never bothered to ask anything about our dns map.
> >> >
> >> > BTW: how do you do reverse dns look up for 216.112.83.100? What I did
> >> > was inside nslookup, I just typed 216.112.83.100 or set type=ptr  then
> >> > 216.112.83.100, both methods worked. If I tried
> >> > 100.64/26.83.112.216.in-addr.arpa, it did not work. Am I missing
> >> > something?
> >> >
> >> > Thanks
> >> >
> >> > Bing
> >> >
> >> > On 1 Sep 2000 16:43:39 -0700, Kevin Darcy <kcd at daimlerchrysler.com>
> >> > wrote:
> >> >
> >> > >
> >> > >Hmmm... I swear that wasn't working before. Either something changed recently, or
> >> > >I fat-fingered...
> >> > >
> >> > >By the way, Bing, you really shouldn't point your NS record at a CNAME (dns.sohar.com).
> >> > >That's illegal. Note that the only *other* nameserver for the
> >> > >64/26.83.112.216.in-addr.arpa zone (nameserver3.concentric.net) is returning
> >> > >SERVFAIL for the queries. Between the sick nameserver and the illegal NS, I'm not
> >> > >surprised that other nameservers may be having trouble resolving the PTR...
> >> > >
> >> > >
> >> > >- Kevin
> >> > >
> >> > >
> >> > >Mr. James W. Laferriere wrote:
> >> > >
> >> > >>         Hello All ,  Might try the below .  Hth ,  JimL
> >> > >>
> >> > >>  root at filesrv1:~# dig @dns.sohar.com
> >> > >> 100.64/26.83.112.216.in-addr.arpa. any any
> >> > >>
> >> > >> ; <<>> DiG 8.2 <<>> @dns.sohar.com 100.64/26.83.112.216.in-addr.arpa. any any
> >> > >> ; (1 server found)
> >> > >> ;; res options: init recurs defnam dnsrch
> >> > >> ;; got answer:
> >> > >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> >> > >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >> > >> ;; QUERY SECTION:
> >> > >> ;;      100.64/26.83.112.216.in-addr.arpa, type = ANY, class = ANY
> >> > >>
> >> > >> ;; ANSWER SECTION: 100.64/26.83.112.216.in-addr.arpa.  1D IN PTR  sohar54.sohar.com.
> >> > >>
> >> > >> ;; Total query time: 111 msec
> >> > >> ;; FROM: filesrv1 to SERVER: dns.sohar.com  216.112.83.112
> >> > >> ;; WHEN: Fri Sep  1 15:40:58 2000
> >> > >> ;; MSG SIZE  sent: 51  rcvd: 82
> >> > >>
> >> > >> On Fri, 1 Sep 2000, Kevin Darcy wrote:
> >> > >> > Well, you may be able to, but I *can't* reverse-resolve that address.
> >> > >> > Concentric reports that 100.83.112.216.in-addr.arpa is aliased to
> >> > >> > 100.64/26.83.112.216.in-addr.arpa, and that dns.sohar.com is authoritative
> >> > >> > for 64/26.83.112.216.in-addr.arpa, but when I ask dns.sohar.com about
> >> > >> > 100.64/26.83.112.216.in-addr.arpa, it doesn't seem to know anything about it
> >> > >> > -- it answers non-authoritatively with just the CNAME. It's as if it doesn't
> >> > >> > have a definition for the 64/26.83.112.216.in-addr.arpa zone...
> >> > >> > - Kevin
> >> > >>
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> >
> >> >
> >> >
> >>
> >>        +----------------------------------------------------------------+
> >>        | James   W.   Laferriere | System  Techniques | Give me VMS     |
> >>        | Network        Engineer | 25416      22nd So |  Give me Linux  |
> >>        | babydr at baby-dragons.com | DesMoines WA 98198 |   only  on  AXP |
> >>        +----------------------------------------------------------------+
> >
> >
> >
> >
> >
> >
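
The checks applied in this thread (is every listed NS authoritative, does its SOA serial match the others, does it return SERVFAIL), as an added example that is not part of the original post. The server names and per-server results are constructed; only the two serial numbers and the 216.112.83.100 /26 naming come from the thread, and serials are compared as plain integers (no RFC 1982 wraparound).

```python
import ipaddress

def rfc2317_names(ip, prefixlen):
    """Return (alias, target): the PTR owner name in the parent /24 zone, which
    holds a CNAME, and the name inside the classless child zone (RFC 2317)."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    o = str(addr).split(".")
    first = str(net.network_address).split(".")[3]
    child_zone = f"{first}/{prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
    return addr.reverse_pointer, f"{o[3]}.{child_zone}"

def audit_delegation(observations):
    """observations: {server: (rcode, aa_flag, soa_serial_or_None)}, one entry
    per NS of the zone, taken from an SOA query sent directly to that server."""
    serials = [s for rc, _, s in observations.values()
               if rc == "NOERROR" and s is not None]
    newest = max(serials, default=None)
    report = {}
    for server, (rcode, aa, serial) in observations.items():
        issues = []
        if rcode != "NOERROR":
            issues.append(f"rcode {rcode}")
        else:
            if not aa:
                issues.append("not authoritative (lame delegation)")
            if serial is None:
                issues.append("no SOA in answer")
            elif serial != newest:
                issues.append(f"stale serial {serial}, newest seen {newest}")
        report[server] = issues or ["ok"]
    return report

def usable_ns(report):
    """Servers that are safe to keep in the zone's NS set."""
    return sorted(s for s, issues in report.items() if issues == ["ok"])

# Constructed observations shaped like the failure pattern in the thread.
SAMPLE = {
    "primary.example": ("NOERROR", True, 2000090118),
    "isp-ns1.example": ("NOERROR", False, 2000090118),  # recursed, no local zone
    "isp-ns2.example": ("NOERROR", False, 2000041919),  # forwards to isp-ns3
    "isp-ns3.example": ("NOERROR", False, 2000041919),  # old slave copy
    "isp-ns4.example": ("SERVFAIL", False, None),
}

if __name__ == "__main__":
    print(rfc2317_names("216.112.83.100", 26))
    for server, issues in audit_delegation(SAMPLE).items():
        print(f"{server:18} {'; '.join(issues)}")
```
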





