address resolution & reverse
Kevin Darcy
kcd at daimlerchrysler.com
Wed Apr 18 22:59:08 UTC 2001
Jim Pazarena wrote:
> Many thanks for your response. I almost gave up.
>
> After more careful scrutiny, I see that the exact IPs people are trying
> to reverse resolve are IPs over which I do not have direct control.
>
> Specifically.
> I control the range 209.53.238/24 and it reverse maps fine.
> My web server is remotely located at 64.69.87.111
> I've got the forward reference setup in *my* DNS of
> www.qcislands.net IN A 64.69.87.111 since I control "qcislands.net"
>
> and the agency hosting my machine has the reverse IP setup in their DNS
> since the actual IP addresses are theirs.
>
> Why would *any* server be hitting *my* DNS server for reverse mapping
> of 64.69.87.111 ?
Probably just a broken resolver implementation, or one which
"opportunistically" hopes that the same authoritative server(s) host the forward
and reverse zones (thus short-circuiting the process of following referral chains
in many cases).
> I don't have a zone setup for "111.87.69.64.in-addr.arpa" in *my* DNS
> because it's not my range.
>
> I've got remote querying of REMOTE IPs denied in my named.conf.
>
> How can I permit remote queries to this specific IP while denying
> remote queries of remote IPs in general?
You could arrange to set yourself up as a master or slave for those
addresses/ranges. In the case of master, you'd have to have some way of keeping the
data up-to-date.
- Kevin
>
>
> >Subject: Re: address resolution & reverse
> >Date: Wed, 18 Apr 2001 15:39:08 -0400
> >From: Kevin Darcy <kcd at daimlerchrysler.com>
>
> >When a client does a "reverse" lookup, i.e. when it wants to map an address
> >back to a name, it takes the address, reverses the octets, and appends
> >in-addr.arpa to it. So, a reverse lookup of 209.53.238.1 actually comes to the
> >nameserver as a query of 1.238.53.209.in-addr.arpa. You need to permit queries
> >of the 238.53.209.in-addr.arpa or 53.209.in-addr.arpa zone (depending on how
> >the reverse address space is delegated) in order to answer those queries.
>
> >You said that querying 209.53.238.1 works. But the important question is: from
> >*where* did it work? If you queried it from a client that was in your
> >allow-query ACL, then obviously it worked. But apparently it's being denied
> >for other clients. If this turns out to be some sort of ACL problem, then
> >please post your named.conf, otherwise it'll just be guesswork trying to
> >figure out the problem.
>
> >- Kevin
>
> >Jim Pazarena wrote:
>
> >> I have seen "client XX.XX.XX.XX#XXXX: query denied" in my logs, and decided
> >> to investigate it, so I turned on query logging.
> >>
> >> I find that my DNS is denying queries like: 1.238.53.209.in-addr.arpa
> >>
> >> where if you query: ciu.qcislands.net, it works
> >> and if you query: 209.53.238.1, it also works
> >>
> >> Is there something I have to do to enable queries of the in-addr.arpa type?
> >> --
> --
> Jim Pazarena mailto:paz at ccstores.com
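As an added illustration of the two points in this thread (how a reverse lookup turns an address into an in-addr.arpa query name, and why queries for 1.238.53.209.in-addr.arpa should be answered for anyone while 111.87.69.64.in-addr.arpa is refused to outside clients), here is a small Python model. It is not code from the post or from BIND; the zone list and the client prefix are constructed from the addresses quoted above, and the policy it models (answer authoritatively for zones you host, recurse only for clients in your ACL, otherwise deny) is the usual split between zone data and recursion in a BIND allow-query/allow-recursion setup, not something Jim's named.conf is shown to contain.

```python
import ipaddress
from typing import Iterable, Optional

# Zones this server is authoritative for. Constructed from the thread:
# Jim controls 209.53.238/24 (reverse) and the qcislands.net domain (forward).
AUTHORITATIVE_ZONES = {"238.53.209.in-addr.arpa", "qcislands.net"}

# Clients allowed to use this server recursively. Constructed example ACL;
# stands in for the allow-query / allow-recursion ACL in named.conf.
RECURSION_ACL = [ipaddress.ip_network("209.53.238.0/24")]


def reverse_name(addr: str) -> str:
    """Build the PTR query name the way Kevin describes: reverse the
    octets of an IPv4 address and append in-addr.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    qname = ".".join(reversed(addr.split("."))) + ".in-addr.arpa"
    # The standard library computes the same thing; cross-check it.
    assert qname == ip.reverse_pointer
    return qname


def enclosing_zone(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Return the hosted zone that contains qname (longest match), or None
    when no hosted zone covers it (i.e. the data lives on someone else's
    server and answering would require recursion)."""
    zone_set = {z.lower().rstrip(".") for z in zones}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone_set:
            return candidate
    return None


def decide(client: str, qname: str) -> str:
    """Model the server's decision for one query.

    Queries inside a zone we host are answered for any client; anything
    else is only answered (by recursing) for clients inside the ACL, and
    is otherwise logged as 'query denied', which is what Jim saw."""
    zone = enclosing_zone(qname, AUTHORITATIVE_ZONES)
    if zone is not None:
        return f"answer (authoritative for {zone})"
    src = ipaddress.ip_address(client)
    if any(src in net for net in RECURSION_ACL):
        return "recurse"
    return "query denied"


if __name__ == "__main__":
    # Constructed sample: an outside client (198.51.100.7, documentation
    # range) and an inside client, each asking for both reverse names.
    for client in ("198.51.100.7", "209.53.238.5"):
        for addr in ("209.53.238.1", "64.69.87.111"):
            q = reverse_name(addr)
            print(f"client {client} asks {q}: {decide(client, q)}")
```

Run as a script it prints one decision per client/name pair. The outside client gets an answer for 1.238.53.209.in-addr.arpa (the server hosts 238.53.209.in-addr.arpa) but "query denied" for 111.87.69.64.in-addr.arpa, because that name belongs to the hosting agency's zone and serving it to strangers would mean recursing on their behalf; the inside client is allowed to recurse. Adjusting the decision per zone rather than globally is what the question at the end of the thread is really asking for.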