address resolution & reverse

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 18 22:59:08 UTC 2001


Jim Pazarena wrote:

> Many thanks for your response.. I almost gave up.
>
> After more careful scrutiny, I see that the exact IPs people are trying
> to reverse resolve are IPs over which I do not have direct control.
>
> Specifically.
>     I control the range 209.53.238/24 and it reverse maps fine.
>     My web server is remotely located at  64.69.87.111
>     I've got the forward reference setup in *my* DNS of
>     www.qcislands.net  IN A   64.69.87.111  since I control "qcislands.net"
>
> and the agency hosting my machine has the reverse IP setup in their DNS
> since the actual IP addresses are theirs.
>
> Why would *any* server be hitting *my* DNS server for reverse mapping
> of 64.69.87.111 ?

Probably just a broken resolver implementation, or one which
"opportunistically" hopes that the same authoritative server(s) host the forward
and reverse zones (thus short-circuiting the process of following referral chains
in many cases).

> I don't have a zone setup for "111.87.69.64.in-addr.arpa" in *my* DNS
> because it's not my range.
>
> I've got remote querying of REMOTE IPs denied in my named.conf.
>
> How can I permit remote queries to this specific IP while denying
> remote queries of remote IPs in general?

You could arrange to set yourself up as a master or slave for those
addresses/ranges. In the case of master, you'd have to have some way of keeping the
data up-to-date.


- Kevin


>
>
>  >Subject: Re: address resolution & reverse
>  >Date: Wed, 18 Apr 2001 15:39:08 -0400
>  >From: Kevin Darcy <kcd at daimlerchrysler.com>
>
>  >When a client does a "reverse" lookup, i.e. when it wants to map an address
>  >back to a name, it takes the address, reverses the octets, and appends
>  >in-addr.arpa to it. So, a reverse lookup of 209.53.238.1 actually comes to the
>  >nameserver as a query of 1.238.53.209.in-addr.arpa. You need to permit queries
>  >of the 238.53.209.in-addr.arpa or 53.209.in-addr.arpa zone (depending on how
>  >the reverse address space is delegated) in order to answer those queries.
>
>  >You said that querying 209.53.238.1 works. But the important question is: from
>  >*where* did it work? If you queried it from a client that was in your
>  >allow-query ACL, then obviously it worked. But apparently it's being denied
>  >for other clients. If this turns out to be some sort of ACL problem, then
>  >please post your named.conf, otherwise it'll just be guesswork trying to
>  >figure out the problem.
>
>  >- Kevin
>
>  >Jim Pazarena wrote:
>
>  >> I have seen "client XX.XX.XX.XX#XXXX: query denied" in my logs, and decided
>  >> to investigate it, so I turned on query logging.
>  >>
>  >> I find that my DNS is denying queries like: 1.238.53.209.in-addr.arpa
>  >>
>  >> where if you query:  ciu.qcislands.net, it works
>  >> and if you query:    209.53.238.1,      it also works
>  >>
>  >> Is there something I have to do to enable queries of the in-addr.arpa type?
>  >> --
> --
> Jim Pazarena     mailto:paz at ccstores.com
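The octet-reversal rule Kevin describes above, worked into a small helper that also decides whether a given PTR query name falls inside a zone this server actually holds. This is an added example for this thread, not Kevin's code and not anything from BIND; the zone list is constructed from the addresses quoted in the thread.

```python
import ipaddress

# Zones this server is authoritative for (constructed from the thread:
# the 209.53.238/24 range Jim controls, and the qcislands.net forward zone).
AUTHORITATIVE_ZONES = ("238.53.209.in-addr.arpa", "qcislands.net")


def reverse_name(address: str) -> str:
    """PTR query name for an IPv4 address: reverse the octets and append
    in-addr.arpa, exactly the transformation described in the thread."""
    ip = ipaddress.IPv4Address(address)  # raises ValueError on malformed input
    return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa"


def reverse_zone(network: str) -> str:
    """Reverse zone name for an octet-aligned network, e.g. 209.53.238.0/24
    -> 238.53.209.in-addr.arpa, or 209.53.0.0/16 -> 53.209.in-addr.arpa."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    kept = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it. Compares whole
    labels, so 'evilqcislands.net' is not mistaken for 'qcislands.net'."""
    q = qname.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(q) >= len(z) and q[-len(z):] == z


def matching_zone(qname: str, zones=AUTHORITATIVE_ZONES):
    """Return the authoritative zone a query name belongs to, or None when the
    server holds no data for it (the 64.69.87.111 case from the thread)."""
    for zone in zones:
        if in_zone(qname, zone):
            return zone
    return None
```

Running `matching_zone(reverse_name("64.69.87.111"))` returns None, which is the situation Jim sees: the query reaches his server, but no zone of his can answer it.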
