Issue with reverse dns and local caching name server
Mark Andrews
marka at isc.org
Wed Jun 10 22:52:46 UTC 2009
In message <4A2FCB63.8030003 at easysoft.com>, Jason Crummack writes:
> Kirk wrote:
> >> $ dig +trace @127.0.0.1 -x 203.22.30.47
> >>
> >> ; <<>> DiG 9.4.3 <<>> +trace @127.0.0.1 -x 203.22.30.47
> >> ; (1 server found)
> >> ;; global options: printcmd
> >> . 517909 IN NS G.ROOT-SERVERS.NET.
> >> . 517909 IN NS A.ROOT-SERVERS.NET.
> >> . 517909 IN NS B.ROOT-SERVERS.NET.
> >> . 517909 IN NS K.ROOT-SERVERS.NET.
> >> . 517909 IN NS J.ROOT-SERVERS.NET.
> >> . 517909 IN NS M.ROOT-SERVERS.NET.
> >> . 517909 IN NS H.ROOT-SERVERS.NET.
> >> . 517909 IN NS L.ROOT-SERVERS.NET.
> >> . 517909 IN NS C.ROOT-SERVERS.NET.
> >> . 517909 IN NS I.ROOT-SERVERS.NET.
> >> . 517909 IN NS E.ROOT-SERVERS.NET.
> >> . 517909 IN NS F.ROOT-SERVERS.NET.
> >> . 517909 IN NS D.ROOT-SERVERS.NET.
> >> ;; Received 492 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
> >>
> >> 203.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
> >> 203.in-addr.arpa. 86400 IN NS NS-SEC.RIPE.NET.
> >> 203.in-addr.arpa. 86400 IN NS NS4.APNIC.NET.
> >> 203.in-addr.arpa. 86400 IN NS DNS1.TELSTRA.NET.
> >> 203.in-addr.arpa. 86400 IN NS NS1.APNIC.NET.
> >> 203.in-addr.arpa. 86400 IN NS NS3.APNIC.NET.
> >> ;; Received 185 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 273 ms
> >>
> >> 30.22.203.in-addr.arpa. 86400 IN NS ns.bigtrolley.com.au.
> >> 30.22.203.in-addr.arpa. 86400 IN NS ns.opensystems.com.au.
> >> ;; Received 106 bytes from 193.0.0.196#53(NS-SEC.RIPE.NET) in 26 ms
Nameservers cannot be CNAMEs. Named does not follow CNAMEs
as they cannot be made to work in all configurations, so it
is better to make all uses fail than just those that won't
work. For CNAMEs to work you would have to register both
the CNAME and the glue address records in the parent and
have the additional section processing rules follow CNAMEs.
To fix this, go to APNIC and register ns01.opensystems.com.au
and ns02.opensystems.com.au as the nameservers for
30.22.203.in-addr.arpa. What is in the parent zone should
be copies of what is in the child zone.
Mark
; <<>> DiG 9.3.6-P1 <<>> ns.opensystems.com.au
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ns.opensystems.com.au. IN A
;; ANSWER SECTION:
ns.opensystems.com.au. 38167 IN CNAME ns01.opensystems.com.au.
ns01.opensystems.com.au. 38168 IN A 203.22.30.35
;; AUTHORITY SECTION:
opensystems.com.au. 14150 IN NS ns02.opensystems.com.au.
opensystems.com.au. 14150 IN NS ns01.opensystems.com.au.
;; ADDITIONAL SECTION:
ns02.opensystems.com.au. 38167 IN A 203.22.30.26
;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 11 08:42:24 2009
;; MSG SIZE rcvd: 123
; <<>> DiG 9.3.6-P1 <<>> ns.bigtrolley.com.au.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65112
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ns.bigtrolley.com.au. IN A
;; ANSWER SECTION:
ns.bigtrolley.com.au. 38182 IN CNAME ns02.opensystems.com.au.
ns02.opensystems.com.au. 38182 IN A 203.22.30.26
;; AUTHORITY SECTION:
opensystems.com.au. 14165 IN NS ns01.opensystems.com.au.
opensystems.com.au. 14165 IN NS ns02.opensystems.com.au.
;; ADDITIONAL SECTION:
ns01.opensystems.com.au. 38183 IN A 203.22.30.35
;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 11 08:42:09 2009
;; MSG SIZE rcvd: 134
> >>
> >> 47.30.22.203.in-addr.arpa. 38400 IN PTR mail.opensystems.com.au.
> >> 30.22.203.in-addr.arpa. 38400 IN NS ns02.opensystems.com.au.
> >> 30.22.203.in-addr.arpa. 38400 IN NS ns01.opensystems.com.au.
> >> ;; Received 150 bytes from 203.22.30.26#53(ns.bigtrolley.com.au) in
> >> 326 ms
> >>
> >>
> >
> > Not sure I'm correct here, but wondering if this has something to do
> > with:
> > ns.opensystems.com.au. is aliased to ns01.opensystems.com.au.
> > ns.bigtrolley.com.au. is aliased to ns02.opensystems.com.au.
> >
> >
> >> running bind version 9.4.3
> >>
> >> named.conf
> >> <<<
> >> options {
> >> directory "/var/named";
> >> query-source address 192.168.0.15 port 53;
> >
> > Off topic, I thought setting a query-source port is a bad thing with
> > regards to DNS cache poisoning attacks.
> >
> >> allow-recursion { any; };
> >> allow-query { any; };
> >> allow-query-cache { any; };
> >> };
> >>
> >> logging {
> >> category lame-servers { null; };
> >> };
> >>
> >> # main root caches
> >> zone "." {
> >> type hint;
> >> file "root.cache";
> >> };
> >> >>>
> >
> >
> Thanks for the heads up on the query-source port, Kirk; will remove it.
>
> Found out that the name servers that our hosting provider has (the ones
> that work) use a simpleDNS cluster, so guessing maybe they work by not
> being as strict on name reversing as bind is.
>
> Jason
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
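The two checks Mark describes above (an NS target must not be a CNAME, and the parent's delegation NS set should be a copy of the child zone's apex NS set) can be run mechanically before filing a change with the RIR. The script below is an added example, not code from the thread or from BIND; it works offline over a constructed record table built from the dig output quoted in the thread, and the names `parse_records`, `check_delegation` and `audit` are this example's own. Against a live zone you would populate the same table from dig queries for the parent's NS set, the child's apex NS set, and the A/AAAA/CNAME records of each NS target.

```python
"""Delegation sanity check for a reverse (or any) zone.

Two findings are reported:
  error   - a name in the parent's NS set is a CNAME (named will not follow it)
            or has no address records at all
  warning - the parent's NS set differs from the child zone's apex NS set
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_records(text: str) -> list[RR]:
    """Parse 'name TTL IN TYPE rdata' lines (dig's presentation format).

    Lines starting with ';' are comments, as in dig output and zone files.
    Owner names and rdata are lower-cased so comparisons are case-insensitive.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        out.append(RR(name.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return out


def lookup(records: list[RR], name: str, rtype: str) -> list[RR]:
    name = name.lower()
    return [r for r in records if r.name == name and r.rtype == rtype]


def check_delegation(records: list[RR], zone: str, parent_ns: list[str]):
    """Return a list of (severity, message) findings for one delegation."""
    findings = []
    child_ns = {r.rdata for r in lookup(records, zone, "NS")}
    parent = {n.lower() for n in parent_ns}

    for ns in sorted(parent):
        cnames = lookup(records, ns, "CNAME")
        if cnames:
            findings.append(("error",
                             f"NS target {ns} is a CNAME to {cnames[0].rdata}; "
                             "named will not follow it, so the delegation is lame"))
        elif not lookup(records, ns, "A") and not lookup(records, ns, "AAAA"):
            findings.append(("error", f"NS target {ns} has no address records"))

    if parent != child_ns:
        findings.append(("warning",
                         f"parent delegates {zone} to {sorted(parent)} "
                         f"but the child apex lists {sorted(child_ns)}"))
    return findings


# Constructed record table, assembled from the dig output quoted in the thread.
SAMPLE = """
; child apex NS set, as returned by the zone's own servers
30.22.203.in-addr.arpa. 38400 IN NS ns02.opensystems.com.au.
30.22.203.in-addr.arpa. 38400 IN NS ns01.opensystems.com.au.
; the names the parent delegates to are aliases
ns.opensystems.com.au. 38167 IN CNAME ns01.opensystems.com.au.
ns.bigtrolley.com.au. 38182 IN CNAME ns02.opensystems.com.au.
ns01.opensystems.com.au. 38168 IN A 203.22.30.35
ns02.opensystems.com.au. 38167 IN A 203.22.30.26
"""
ZONE = "30.22.203.in-addr.arpa."
# NS set as delegated by 203.in-addr.arpa. at the time of the thread
BROKEN_PARENT_NS = ["ns.bigtrolley.com.au.", "ns.opensystems.com.au."]
# NS set after registering the real server names with APNIC, as Mark advises
FIXED_PARENT_NS = ["ns01.opensystems.com.au.", "ns02.opensystems.com.au."]


def audit(parent_ns: list[str]):
    """Run the delegation check for ZONE with the given parent NS set."""
    return check_delegation(parse_records(SAMPLE), ZONE, parent_ns)


if __name__ == "__main__":
    for label, ns in (("as delegated", BROKEN_PARENT_NS), ("after fix", FIXED_PARENT_NS)):
        print(label)
        for sev, msg in audit(ns) or [("ok", "delegation is consistent")]:
            print(f"  [{sev}] {msg}")
```

The CNAME finding is reported as an error rather than a warning because, as the thread explains, named treats an NS target that is a CNAME as unusable in every configuration; the parent/child mismatch is only a warning because the zone still resolves while the sets differ, but it is the signal that the parent's copy has drifted from the child.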