More specific reverse DNS?

Marc Haber mh+bind-users at zugschlus.de
Thu Oct 2 09:13:26 UTC 2008 

On Thu, Oct 02, 2008 at 05:09:39PM +1000, Mark Andrews wrote:
> In message <20081001152543.GI12846 at torres.zugschlus.de>, Marc Haber writes:
> > I also have a forward zone statements for the IP ranges that my company
> > uses in its internal network, forwarding to the actual name servers:
> > 
> > zone "2.1.10.in-addr.arpa" {
> >         type forward;
> >         forwarders { 10.1.2.11; 10.1.2.15; };
> >         forward only;
> > };
> 
> 	There seems to this wish to use forwarders when they really
> 	are not necessary.
> 
> 	Use a stub zone to graft on namespace.
> 	zone "2.1.10.in-addr.arpa" {
> 		type stub;
> 		masters { 10.1.2.11; 10.1.2.15; };
> 		file "stub/2.1.10.in-addr.arpa";
> 		forwarders { /* empty */ };
> 	};

That looks good. My local bind sends out a NS query over TCP (which
might cause grief with the average firewall admin - fortunately the
firewall at the site in question is under my control and properly
configured) and does the right thing from there on.

Finally, my first real use for a stub zone ;)

> 	Use a slave zone to graft on namespace.  Presuming your company
> 	has 10.in-addr.arpa configured use a slave or stub zone.

And presuming that the DNS admin allows zone transfers from the client
IP range.

> 	zone "10.in-addr.arpa" {
> 		type slave;
> 		masters { 10.1.2.11; 10.1.2.15; };
> 		file "slave/10.in-addr.arpa";
> 		forwarders { /* empty */ };
> 	};

The DNS at the site in question is managed by an average
Microsoft-trained admin, so $ dig @10.1.2.11 10.in-addr.arpa soa
returns what's expected at such a site: SOA     prisoner.iana.org.
hostmaster.root-servers.org. 2002040800 1800 900 604800 604800

*shrug*

> > Do I really need to locally delegate all internal networks from the
> > 10.in-addr.arpa zone in addition to the forward statements in my
> > named.conf, or is there a way to have bind query the more specific
> > loaded zones automatically?
> 
> 	Delegation is normal.

Delegating 10.in-addr.arpa sans 2.1.10.in-addr.arpa would mean > 500
explicit delegations. I'd happily use a less-clean approach on my
personal box to save myself from generating a local zone this huge.

>   Forwarding is NOT normal.

For productive environments which users rely on, agreed.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

More information about the bind-users mailing list