Forward/reverse comparison

Brad Knowles brad.knowles at skynet.be
Mon May 28 14:35:45 UTC 2001


At 8:32 AM -0400 5/28/01, Todd Snyder wrote:

>  1) We have 2 different IP blocks assigned to us, and we do forward/reverse
>  for them, split into many domains.  Is it BAD if we have more than one
>  forward/reverse for a single ip? (ie: 123.123.123.123 resolves to
>  nocserv1.tor.maxlink.com AND nocserv1.maxlink.net)

	It is not technically illegal, but most applications can only 
deal with one IP address resolving back into one name, and they may 
not work right if you don't keep a one-to-one reverse name resolution.

	So, I would suggest that you avoid this, if at all possible. 
Instead, decide on the one true "canonical" name for the machine, and 
have the IP address resolve back to that name.

	For forward name resolution, you may or may not want to have all 
"aliases" for this machine actually be CNAME records pointing to this 
name, depending on just exactly what it is you're trying to do with 
these names.

>  2) I want to go through ALL of our IP space and compare forwards to reverses
>  ... I'm going to write a script that uses the deadly NSLOOKUP to do a
>  forward on an IP, grab the name, then do a reverse on it, and if they don't
>  match, dump it to a file.  Does anyone have a better way to do it?  It's
>  going to pound our server, so I'll do it overnight or something, but if
>  anyone has any better ideas, let me know.

	Use "dnswalk".  With the right options used on the command-line, 
it will check all this stuff for you.

>  3) are there any tools that you would recommend for regular DNS maintenance?
>  we use webmin for our provisioning dept to maintain it, which works well,
>  but I'm looking for command-line and batch kinda utils to check for various
>  things.

	Again, look at dnswalk.  It's a really good DNS debugging tool. 
I also suggest that you use "doc", which checks some things that 
dnswalk doesn't, and also has the advantage that it does not require 
zone transfer capability (so that it can download a complete copy of 
your zone(s), which it then checks locally).

>  4) we're experiencing a LOT of latency with our HP Openview box and our DNS.
>  They are on the same subnet, in fact, they are in the same rack.  When using
>  gethostbyname(), which HPOV uses, we see latency of up to 2hrs! for a single
>  resolution, which is rendering the whole system useless because HPOV doesn't
>  appear to do multiple lookups.  I'm going to try installing BIND on our HPOV
>  server and see if that helps (make it a caching server only. .. etc) .. but
>  if anyone has any ideas what's going on, please, feel free to share.

	Wherever feasible, I suggest installing application-specific 
caching-only nameservers directly on the machines that will need 
those services.  This way, as you add more machines that do various 
functions (and need DNS resolution), you also add more horsepower to 
perform the DNS resolution that is required.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
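Added example, not code from this thread: a small checker for the forward/reverse comparison Todd describes in item 2, applying the one-to-one rule from the answer to item 1. It walks a block, takes each address's PTR name(s), resolves each name forward and reports any address whose records disagree. The socket-based lookups and the sample data are my own assumptions; the sample uses the RFC 5737 documentation range so it runs offline.

```python
import ipaddress
import socket

def ptr_via_socket(ip):
    """Reverse lookup through the system resolver; [] if the IP has no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases          # aliases carry any extra PTR names reported
    except (socket.herror, socket.gaierror):
        return []

def a_via_socket(name):
    """Forward (A record) lookup of a name; [] if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def check_ip(ip, reverse=ptr_via_socket, forward=a_via_socket):
    """Problems found for one IP; an empty list means forward and reverse agree."""
    names = reverse(ip)
    if not names:
        return [f"{ip}: no PTR record"]
    problems = []
    if len(names) > 1:                   # the one-to-one rule from the reply above
        problems.append(f"{ip}: {len(names)} PTR names {names}, expected exactly one")
    for name in names:
        addrs = forward(name)
        if ip not in addrs:              # the PTR name must resolve back to this IP
            problems.append(f"{ip}: PTR {name} resolves to {addrs or 'nothing'}, not {ip}")
    return problems

def check_block(cidr, reverse=ptr_via_socket, forward=a_via_socket):
    """Walk every host address in a block; return {ip: problems} for the mismatches."""
    report = {}
    for host in ipaddress.ip_network(cidr).hosts():
        problems = check_ip(str(host), reverse, forward)
        if problems:
            report[str(host)] = problems
    return report

# Constructed sample data (RFC 5737 documentation range, not real hosts) so the
# checker runs offline; pass the socket-based lookups instead for a live run.
SAMPLE_PTR = {"192.0.2.1": ["ok.example.net"], "192.0.2.3": ["stale.example.net"],
              "192.0.2.2": ["x.example.net", "y.example.net"]}   # .2 has two PTR names
SAMPLE_A = {"ok.example.net": ["192.0.2.1"], "x.example.net": ["192.0.2.2"],
            "y.example.net": ["192.0.2.2"], "stale.example.net": ["192.0.2.9"]}

def sample_report():
    return check_block("192.0.2.0/29", lambda ip: SAMPLE_PTR.get(ip, []),
                       lambda name: SAMPLE_A.get(name, []))
```

Against a live zone, run `check_block("<your block>/24")` once per block off-hours, as the original poster planned, since every address costs a PTR query plus one A query per name.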