Internal DNS Inverse Configuration

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 4 20:40:27 UTC 2005


The normal problem is that the 10.in-addr.arpa namespace is not defined 
at all, and forwarding to the Internet is enabled. So, if someone does a 
reverse lookup of a 10.*.*.* address, it gets forwarded out to the 
Internet, and since the 10.in-addr.arpa servers on the Internet don't 
respond quickly, the queries time out.

By defining 10.in-addr.arpa internally, one is able to prevent those 
queries being forwarded to the Internet, and this _usually_ fixes the 
timeout problem.

If you have the 10.in-addr.arpa namespace defined, then maybe we're 
looking at a different problem than the usual one. Do you have the 
10.in-addr.arpa zone *itself* defined, or do you define zones at a lower 
level? If you don't have 10.in-addr.arpa itself defined as an 
authoritative zone, then any 10.*.*.* reverse queries outside the 
subzones you've explicitly defined will still be subject to the 
forwarding problem described above. For that matter, if you have 
delegated subzones of 10.in-addr.arpa and global forwarding in effect, 
then you should define "forwarders { };" to prevent queries in those 
subzones being forwarded by nameservers that don't happen to be 
authoritative for them.

- Kevin
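As an added illustration of the two settings described above (this is not configuration from the thread; it is written in BIND 9 named.conf syntax, and the server names, addresses and file paths are assumed): an authoritative, mostly empty 10.in-addr.arpa zone so that undefined 10.x.x.x reverse lookups get a fast local NXDOMAIN, plus a per-subzone "forwarders { };" override so that a delegated subzone is resolved by following the delegation rather than being sent to the global forwarders.

```conf
// ---- named.conf (BIND 9 syntax; names/addresses are assumed) ----
options {
    directory "/var/named";
    // Global forwarding to the site's Internet-facing resolvers.
    forwarders { 192.0.2.53; };
    forward only;
};

// Authoritative for the whole 10.in-addr.arpa tree: a PTR query for any
// 10.x.x.x address with no record is answered NXDOMAIN locally instead
// of being forwarded to the Internet and timing out.
zone "10.in-addr.arpa" {
    type master;
    file "db.10.in-addr.arpa";
};

// 1.10.in-addr.arpa (10.1.0.0/16) is delegated to other internal servers.
// On a server that is NOT authoritative for it, an empty forwarders list
// cancels the global forwarders for that subtree, so the NS delegation in
// the parent zone is followed instead of the query going to the Internet.
zone "1.10.in-addr.arpa" {
    type forward;
    forwarders { };
};

// ---- db.10.in-addr.arpa (zone file referenced above) ----
$TTL 3600
@       IN SOA  ns1.corp.example. hostmaster.corp.example. (
                2005030401      ; serial (assumed)
                3600            ; refresh
                900             ; retry
                1209600         ; expire
                3600 )          ; negative-caching TTL: how long a resolver
                                ; may cache the NXDOMAIN for an undefined PTR
        IN NS   ns1.corp.example.
; delegation of 10.1.0.0/16 (1.10.in-addr.arpa) to its own name servers
1       IN NS   ns-sub1.corp.example.
; the PTRs you actually maintain; everything else under 10/8 is NXDOMAIN
1.0.0   IN PTR  gw.corp.example.        ; 10.0.0.1
```

The SOA minimum field doubles as the negative-caching TTL in BIND, so it also controls how long clients remember that an undefined 10.x.x.x address has no name.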

Nick Allum wrote:

>Yes, the 10 address space is defined; however, there are a number of
>workstations etc. in that space and we do not define inverse entries
>for them. And I understand there is a way for the DNS server to respond
>more quickly on addresses not specifically defined (respond with a
>fail).
>
>Thanks again for the help
>
>-----Original Message-----
>From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
>Behalf Of Kevin Darcy
>Sent: Friday, March 04, 2005 2:59 PM
>To: comp-protocols-dns-bind at isc.org
>Subject: Re: Internal DNS Inverse Configuration
>
>
>Nick Allum wrote:
>
>>I have an internal Solaris Bind 8 Server and we are looking to improve
>>performance with regards to inverse entries. We have an internal 10
>>network and have inverse entries for some of our devices. The problem
>>is when we do an inverse lookup on a 10 address that is not in dns it
>>takes a bit of time to come back with a failed response. I understand
>>that there is a way so if the inverse entry is not there for one of our
>>10 addresses we can get the dns server to quickly respond. Does anyone
>>know what the configuration is.
>>
>It's "reverse", not "inverse".
>
>Simple answer: define the 10.in-addr.arpa namespace in your internal
>DNS. I'm somewhat surprised that you haven't already done this. Haven't
>you actually *wanted* those 10.*.*.* addresses to reverse-resolve to
>meaningful names?
>
>                     - Kevin
