reverse DNS servfail

Danny Mayer mayer at gis.net
Thu Jul 21 15:55:44 UTC 2005


Brett Carr wrote:
> On Thu, 21 Jul 2005, /dev/rob0 wrote:
> 
> 
>>A customer of mine just today got a new ISP. The new IP is
>>69.15.253.106. At this time the reverse lookup is failing:
>>$ host 69.15.253.106
>>Host 106.253.15.69.in-addr.arpa not found: 2(SERVFAIL)
>>$ host -tns 253.15.69.in-addr.arpa
>>Host 253.15.69.in-addr.arpa not found: 2(SERVFAIL)
>>$ host -tns 15.69.in-addr.arpa
>>Host 15.69.in-addr.arpa not found: 2(SERVFAIL)
>>
>>I asked the ISP (cbeyond.net) for RFC 2317, section 5.2, classless rDNS
>>delegation: with CNAMEs pointing to PTR records in our forward zone. (I
>>do have and can query the PTR's corresponding to my CNAME requests.) The
>>customer service people talked to their "DNS engineers" [snicker] who
>>told them to tell me:
>>     "Our DNS Engineers have stated that Cbeyond's DNS service does
>>      not support this form of classless addressing."
>>Before I asked, I tested and got NXDOMAIN on this IP. Now it's SERVFAIL.
>>
>>Before I approach the "DNS engineers" I want to know a bit more.
>>
>>1. Is there a way to tell if they're running BIND?
>>    a. If so, why would it "not support" RFC 2317 classless delegation?
>>    b. If not, can this be true? Maybe in their junkware the in-addr.arpa
>>       zones are hard-coded to only allow PTR records?
> 
> 
> fpdns reports the following for them:
> 
> $ ./fpdns.pl beyond.cbeyond.net.
> fingerprint (beyond.cbeyond.net., 66.180.96.11): TinyDNS 1.05
> 
> $ ./fpdns.pl infinity.cbeyond.net.
> fingerprint (infinity.cbeyond.net., 64.238.96.11): TinyDNS 1.05
> 
> $ ./fpdns.pl to.cbeyond.net.
> fingerprint (to.cbeyond.net., 64.238.96.9): TinyDNS 1.05
> 

fpdns.pl is not up to date.

Danny

> 
> Well as far as I am aware there is no reason bind or for that matter any
> other popular dns software can't do RFC2317, but I have no experience
> with TinyDNS so over to someone else there.
> It's more likely their policy is they don't delegate beyond a /24 for certain
> levels of service (you get what you pay for) or they don't have experience
> of doing it.
> 
> 
>>2. Is there a way to tell from the outside why they're getting SERVFAIL?
> 
> 
> do a dig +trace 106.253.15.69.in-addr.arpa ptr and it gets itself into a
> rather nasty loop which is I guess what's causing your servfail. Not sure
> why this is happening but I'm guessing something is misconfigured at
> their end.
> 
> 
>>3. Is anyone else familiar with Cbeyond in particular?
>>
> 
> 
> Never heard of em, but hey I'm in Europe :)
> 
> 
>>Oh, I looked up another IP in Cbeyond's block, and it wasn't SERVFAIL.
>>These are the servers:
>>$ host -tns 20.15.69.in-addr.arpa
>>20.15.69.in-addr.arpa name server infinity.cbeyond.net.
>>20.15.69.in-addr.arpa name server to.cbeyond.net.
>>20.15.69.in-addr.arpa name server beyond.cbeyond.net.
>>
>>I don't understand why I can get 20.15.69.in-addr.arpa but I can't get
>>15.69.in-addr.arpa.
> 
> 
> Something looks very misconfigured; dig +trace for 15.69.in-addr.arpa loops
> as well :)
> 
> --
> Brett Carr                              Ripe Network Coordination Centre
> System Engineer -- Operations Group     Singel 258 Amsterdam NL
> http://www.ripe.net
> GPG Key fingerprint = F20D B2A7 C91D E370 44CF  F244 B6A1 EF48 E743 F7D8
> 
> 
> 
> 
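
The RFC 2317 arrangement requested in the thread (CNAMEs in the ISP's reverse zone pointing to PTR records in the customer's forward zone), as an added example that is not part of the original message: it builds both sides' records and follows the chain the way a resolver would. The /29 range, the `example.com.` zone, the `rdns` label and the host name are constructed assumptions.

```python
import ipaddress

FORWARD_ZONE = "example.com."      # assumption: placeholder customer zone
CUSTOMER_NET = "69.15.253.104/29"  # assumption: constructed range holding .106

def reverse_name(ip):
    """69.15.253.106 -> 106.253.15.69.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def isp_cnames(network, forward_zone, label="rdns"):
    """ISP side: one CNAME per address in its /24 reverse zone, pointing
    at a name inside the customer's forward zone."""
    out = {}
    for ip in ipaddress.ip_network(network):
        host = str(ip).rsplit(".", 1)[1]
        out[reverse_name(str(ip))] = ("CNAME", f"{host}.{label}.{forward_zone}")
    return out

def customer_ptrs(hosts, forward_zone, label="rdns"):
    """Customer side: PTR records at the CNAME targets, in the forward zone."""
    return {f"{ip.rsplit('.', 1)[1]}.{label}.{forward_zone}": ("PTR", name)
            for ip, name in hosts.items()}

def resolve_ptr(ip, records, max_hops=8):
    """Follow CNAMEs from the reverse name until a PTR is found."""
    name, seen = reverse_name(ip), set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rtype, target = records.get(name, (None, None))
        if rtype == "PTR":
            return ("OK", target)
        if rtype != "CNAME":
            return ("NOTFOUND", name)   # chain ends with no PTR
        name = target
    return ("LOOP", name)               # chain revisits a name or is too long

def zone_lines(records):
    """Render records in master-file syntax."""
    return [f"{n} IN {t} {v}" for n, (t, v) in sorted(records.items())]

def build_demo():
    recs = isp_cnames(CUSTOMER_NET, FORWARD_ZONE)
    recs.update(customer_ptrs({"69.15.253.106": "mail.example.com."}, FORWARD_ZONE))
    return recs

if __name__ == "__main__":
    demo = build_demo()
    print("\n".join(zone_lines(demo)))
    print(resolve_ptr("69.15.253.106", demo))
```

The `NOTFOUND` and `LOOP` results are this example's own labels for a chain that ends without a PTR or revisits a name; they are not resolver response codes.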


