Reverse lookup from Internet only worked when using dig +trace option
Mark_Andrews at isc.org
Tue Sep 16 22:18:41 UTC 2003
> Hello
>
> A couple of months ago we migrated our DNS servers to a new IP address and
> new version of Bind (9.2.2). Unfortunately we had forgotten to notify Arin
> about changing their reverse delegation records for our class B address
> range. Arin's old records referred to:
>
> 94.158.in-addr.arpa. 86400 IN NS SEVA.MDX.AC.UK.
> 94.158.in-addr.arpa. 86400 IN NS WIZZARD.MDX.AC.UK.
>
> After requesting Arin to update its reverse delegation records and chasing
> them up for three weeks they finally made the change yesterday.
>
> $ dig -x 158.94.254.12 @chia.arin.net
>
> ; <<>> DiG 9.2.2 <<>> -x 158.94.254.12 @chia.arin.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17670
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;12.254.94.158.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 94.158.in-addr.arpa. 86400 IN NS NS1.MDX.AC.UK.
> 94.158.in-addr.arpa. 86400 IN NS NS2.MDX.AC.UK.
>
> ;; Query time: 81 msec
> ;; SERVER: 192.5.6.32#53(chia.arin.net)
> ;; WHEN: Tue Sep 16 13:28:57 2003
> ;; MSG SIZE rcvd: 89
>
> Prior to the Arin updating their reverse delegation records I had created
> CNAME records for the old names of our DNS servers within the mdx.ac.uk
> domain. I had deleted the old address records for seva and wizzard.
>
> seva.mdx.ac.uk. CNAME ns1.mdx.ac.uk.
> wizzard.mdx.ac.uk. CNAME ns2.mdx.ac.uk.
Nameservers cannot refer to CNAMEs.
Named does *not* follow CNAMEs when looking up addresses
of nameservers.
> I assumed that even though Arin had updated the reverse delegation records
> at the time the above cname records would enable reverse lookups coming from
> the Internet for hosts in our domain would work. However, whenever I tried
> using host or nslookup or dig (without +trace option) I found I was unable
> to resolve reverse lookups for hosts in our domain using DNS servers on the
> Internet. Reverse lookups worked from within our own network, resolving IP
> addresses to their associated names without any difficulty.
>
> My understanding of the way DNS resolution works is that when a DNS client
> issues a query to a local DNS server the server will recursively submit
> queries on behalf of the client to the DNS servers, unless an answer is
> already stored in the local DNS server's cache. The local DNS server will
> initially submit a query to root servers for both forward and reverse
> lookups. The root servers will refer the local DNS server to DNS servers
> lower in the hierarchy which store records for the next section of a domain.
> If my understanding of the way DNS queries are resolved is correct then I am
> puzzled why a reverse lookup of our IP addresses of hosts in our domain
> wouldn't work except if I specified a +trace option to dig. Even though
> Arin updated its records yesterday I was able to find one DNS server which
> demonstrates the error I was receiving.
>
> Example of query without trace option to dig results in no answer
>
> $ dig -x 158.94.254.12 @ns0.ja.net
>
> ; <<>> DiG 9.2.2 <<>> -x 158.94.254.12 @ns0.ja.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52737
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;12.254.94.158.in-addr.arpa. IN PTR
>
> ;; Query time: 4 msec
> ;; SERVER: 128.86.1.20#53(ns0.ja.net)
> ;; WHEN: Tue Sep 16 13:26:13 2003
> ;; MSG SIZE rcvd: 44
>
>
> Whereas issuing the same query with the trace option resolves the reverse
> lookup
>
> $ dig +trace -x 158.94.254.12 @ns0.ja.net
>
> ; <<>> DiG 9.2.2 <<>> +trace -x 158.94.254.12 @ns0.ja.net
> ;; global options: printcmd
> . 262786 IN NS L.ROOT-SERVERS.NET.
> . 262786 IN NS M.ROOT-SERVERS.NET.
> . 262786 IN NS A.ROOT-SERVERS.NET.
> . 262786 IN NS B.ROOT-SERVERS.NET.
> . 262786 IN NS C.ROOT-SERVERS.NET.
> . 262786 IN NS D.ROOT-SERVERS.NET.
> . 262786 IN NS E.ROOT-SERVERS.NET.
> . 262786 IN NS F.ROOT-SERVERS.NET.
> . 262786 IN NS G.ROOT-SERVERS.NET.
> . 262786 IN NS H.ROOT-SERVERS.NET.
> . 262786 IN NS I.ROOT-SERVERS.NET.
> . 262786 IN NS J.ROOT-SERVERS.NET.
> . 262786 IN NS K.ROOT-SERVERS.NET.
> ;; Received 436 bytes from 128.86.1.20#53(ns0.ja.net) in 5 ms
>
> 158.in-addr.arpa. 86400 IN NS CHIA.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS DILL.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS BUCHU.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS HENNA.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS INDIGO.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS EPAZOTE.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS FIGWORT.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS GINSENG.ARIN.NET.
> 158.in-addr.arpa. 86400 IN NS arrowroot.ARIN.NET.
> ;; Received 241 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 141 ms
>
> 94.158.in-addr.arpa. 86400 IN NS NS1.MDX.AC.UK.
> 94.158.in-addr.arpa. 86400 IN NS NS2.MDX.AC.UK.
> ;; Received 89 bytes from 192.5.6.32#53(CHIA.ARIN.NET) in 78 ms
>
> 12.254.94.158.in-addr.arpa. 86400 IN PTR ns1.mdx.ac.uk.
> 94.158.in-addr.arpa. 86400 IN NS ns1.mdx.ac.uk.
> 94.158.in-addr.arpa. 86400 IN NS ns2.mdx.ac.uk.
> ;; Received 135 bytes from 158.94.254.12#53(NS1.MDX.AC.UK) in 3 ms
>
> Another DNS server currently - 16 Sept 2003 1pm GMT - unable to resolve
> reverse lookups for our IP addresses is bitsy.mit.edu. I'm sure that as
> Arin reverse delegation records are propagated among DNS servers on the
> Internet that a reverse lookup to any DNS server will report the correct
> answer.
>
> Can someone clarify why reverse lookups using the +trace option to dig will
> work, whereas without the option they don't? A DNS server should be querying
> the top level domain servers whether the trace option is or is not
> specified.
>
> thanks
>
> Hoshi
> Middlesex University
> London, UK
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
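The failure Mark describes (a delegation whose NS targets are CNAMEs, which a resolver will not chase when it needs the nameserver's address) can be caught before it reaches a registry. The check below is an added example, not code from the thread or from BIND; it runs against a constructed in-memory record set that mirrors the old seva/wizzard delegation, and the address for ns2 is made up.

```python
# Added example: flag delegation NS targets that are CNAMEs, mirroring the
# resolver behaviour in the reply above: named does not follow a CNAME when
# looking up the address of a nameserver, so the delegation cannot be used.
# RFC 2181 section 10.3 also forbids pointing an NS record at a CNAME.

from typing import Dict, List, Tuple

# Constructed record set (owner -> [(rrtype, rdata)]) resembling the post.
# 158.94.254.12 appears in the thread; 158.94.254.13 is a made-up address.
RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "94.158.in-addr.arpa.": [("NS", "seva.mdx.ac.uk."),
                             ("NS", "wizzard.mdx.ac.uk.")],
    "seva.mdx.ac.uk.":      [("CNAME", "ns1.mdx.ac.uk.")],
    "wizzard.mdx.ac.uk.":   [("CNAME", "ns2.mdx.ac.uk.")],
    "ns1.mdx.ac.uk.":       [("A", "158.94.254.12")],
    "ns2.mdx.ac.uk.":       [("A", "158.94.254.13")],
}


def nameserver_addresses(target: str, records=RECORDS) -> List[str]:
    """Addresses a resolver will use for an NS target: only A/AAAA records
    owned by the target name itself. A CNAME at that name is deliberately
    ignored, which is exactly how named behaves."""
    return [rdata for rrtype, rdata in records.get(target.lower(), [])
            if rrtype in ("A", "AAAA")]


def check_delegation(zone: str, records=RECORDS) -> Dict[str, str]:
    """Return {ns_target: problem} for every NS of `zone` that a resolver
    could not reach; an empty dict means the delegation is usable."""
    problems: Dict[str, str] = {}
    for rrtype, target in records.get(zone.lower(), []):
        if rrtype != "NS":
            continue
        if any(t == "CNAME" for t, _ in records.get(target.lower(), [])):
            problems[target] = "NS target is a CNAME (not followed by resolvers)"
        elif not nameserver_addresses(target, records):
            problems[target] = "NS target has no A/AAAA record"
    return problems


if __name__ == "__main__":
    for ns, why in check_delegation("94.158.in-addr.arpa.").items():
        print(f"{ns}: {why}")
```

Re-running the check after pointing the NS records at ns1/ns2 (names that own A records) returns no problems, which is the state ARIN's updated delegation reached.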