Issue with reverse dns and local caching name server

Mark Andrews marka at isc.org
Wed Jun 10 22:52:46 UTC 2009


In message <4A2FCB63.8030003 at easysoft.com>, Jason Crummack writes:
> Kirk wrote:
> >> $ dig +trace @127.0.0.1 -x 203.22.30.47
> >>
> >> ; <<>> DiG 9.4.3 <<>> +trace @127.0.0.1 -x 203.22.30.47
> >> ; (1 server found)
> >> ;; global options:  printcmd
> >> .                       517909  IN      NS      G.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      A.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      B.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      K.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      J.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      M.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      H.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      L.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      C.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      I.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      E.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      F.ROOT-SERVERS.NET.
> >> .                       517909  IN      NS      D.ROOT-SERVERS.NET.
> >> ;; Received 492 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
> >>
> >> 203.in-addr.arpa.       86400   IN      NS      TINNIE.ARIN.NET.
> >> 203.in-addr.arpa.       86400   IN      NS      NS-SEC.RIPE.NET.
> >> 203.in-addr.arpa.       86400   IN      NS      NS4.APNIC.NET.
> >> 203.in-addr.arpa.       86400   IN      NS      DNS1.TELSTRA.NET.
> >> 203.in-addr.arpa.       86400   IN      NS      NS1.APNIC.NET.
> >> 203.in-addr.arpa.       86400   IN      NS      NS3.APNIC.NET.
> >> ;; Received 185 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 273 ms
> >>
> >> 30.22.203.in-addr.arpa. 86400   IN      NS      ns.bigtrolley.com.au.
> >> 30.22.203.in-addr.arpa. 86400   IN      NS      ns.opensystems.com.au.
> >> ;; Received 106 bytes from 193.0.0.196#53(NS-SEC.RIPE.NET) in 26 ms

	Nameservers cannot be CNAMEs.  Named does not follow CNAMEs
	as they cannot be made to work in all configurations, so it
	is better to make all uses fail than just those that won't
	work.   For CNAMEs to work you would have to register both
	the CNAME and the glue address records in the parent and
	have the additional section processing rules follow CNAMEs.

	To fix this go to APNIC and register ns01.opensystems.com.au
	and ns02.opensystems.com.au as the nameservers for
	30.22.203.in-addr.arpa.  What is in the parent zone should
	be copies of what is in the child zone.

	Mark

; <<>> DiG 9.3.6-P1 <<>> ns.opensystems.com.au
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns.opensystems.com.au.		IN	A

;; ANSWER SECTION:
ns.opensystems.com.au.	38167	IN	CNAME	ns01.opensystems.com.au.
ns01.opensystems.com.au. 38168	IN	A	203.22.30.35

;; AUTHORITY SECTION:
opensystems.com.au.	14150	IN	NS	ns02.opensystems.com.au.
opensystems.com.au.	14150	IN	NS	ns01.opensystems.com.au.

;; ADDITIONAL SECTION:
ns02.opensystems.com.au. 38167	IN	A	203.22.30.26

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 11 08:42:24 2009
;; MSG SIZE  rcvd: 123


; <<>> DiG 9.3.6-P1 <<>> ns.bigtrolley.com.au.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65112
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns.bigtrolley.com.au.		IN	A

;; ANSWER SECTION:
ns.bigtrolley.com.au.	38182	IN	CNAME	ns02.opensystems.com.au.
ns02.opensystems.com.au. 38182	IN	A	203.22.30.26

;; AUTHORITY SECTION:
opensystems.com.au.	14165	IN	NS	ns01.opensystems.com.au.
opensystems.com.au.	14165	IN	NS	ns02.opensystems.com.au.

;; ADDITIONAL SECTION:
ns01.opensystems.com.au. 38183	IN	A	203.22.30.35

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 11 08:42:09 2009
;; MSG SIZE  rcvd: 134

> >>
> >> 47.30.22.203.in-addr.arpa. 38400 IN     PTR     mail.opensystems.com.au.
> >> 30.22.203.in-addr.arpa. 38400   IN      NS      ns02.opensystems.com.au.
> >> 30.22.203.in-addr.arpa. 38400   IN      NS      ns01.opensystems.com.au.
> >> ;; Received 150 bytes from 203.22.30.26#53(ns.bigtrolley.com.au) in 326 ms
> >>
> >>
> >
> > Not sure I'm correct here, but wondering if this has something to do 
> > with:
> > ns.opensystems.com.au. is aliased to ns01.opensystems.com.au.
> > ns.bigtrolley.com.au. is aliased to ns02.opensystems.com.au.
> >
> >
> >> running bind version 9.4.3
> >>
> >> named.conf
> >> <<<
> >> options {
> >>  directory "/var/named";
> >>  query-source address 192.168.0.15 port 53;
> >
> > Off topic, I thought setting a query-source port is a bad thing with 
> > regards to DNS cache poisoning attacks.
> >
> >>  allow-recursion { any; };
> >>  allow-query { any; };
> >>  allow-query-cache { any; };
> >> };
> >>
> >> logging {
> >>        category lame-servers { null; };
> >> };
> >>
> >> # main root caches
> >> zone "." {
> >>    type hint;
> >>    file "root.cache";
> >> };
> >>  >>>
> >
> >
> Thanks for the heads up on the query-source port, Kirk, will remove it.
> 
> Found out that the name servers that our hosting provider has (the ones 
> that work) use a simpleDNS cluster, so guessing maybe they work by not 
> being as strict on name reversing as bind is.
> 
> Jason
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
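As an added example (not code from this thread, from ISC, or from BIND): a small offline lint that applies the two rules Mark states above, that an NS target must not be a CNAME and that the parent's NS set must be a copy of the child's, to record data constructed from the dig output quoted in the thread. The record table, the `check_delegation` function and the hypothetical `RECORDS` layout are assumptions of this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed from the dig answers quoted above: name -> [(rrtype, rdata)].
RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "ns.opensystems.com.au.":   [("CNAME", "ns01.opensystems.com.au.")],
    "ns.bigtrolley.com.au.":    [("CNAME", "ns02.opensystems.com.au.")],
    "ns01.opensystems.com.au.": [("A", "203.22.30.35")],
    "ns02.opensystems.com.au.": [("A", "203.22.30.26")],
}

# NS set as registered in the parent (203.in-addr.arpa, via the RIR) and as
# served by the child zone itself, both taken from the +trace output.
PARENT_NS = {"ns.bigtrolley.com.au.", "ns.opensystems.com.au."}
CHILD_NS = {"ns01.opensystems.com.au.", "ns02.opensystems.com.au."}


def lookup(name: str, rtype: str, records: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return the rdata of every record of type rtype owned by name."""
    return [rd for t, rd in records.get(name, []) if t == rtype]


def check_delegation(zone: str, parent_ns: Set[str], child_ns: Set[str],
                     records: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Lint one delegation; an empty list means it is consistent."""
    problems: List[str] = []
    # Rule 1: every NS target, on either side, must own an address record
    # directly.  A CNAME at that name is not followed by a resolver.
    for ns in sorted(parent_ns | child_ns):
        if lookup(ns, "CNAME", records):
            problems.append(f"{ns} is a CNAME; an NS target must not be an alias")
        elif not (lookup(ns, "A", records) or lookup(ns, "AAAA", records)):
            problems.append(f"{ns} has no A/AAAA record")
    # Rule 2: the parent's NS RRset must be a copy of the child's.
    if parent_ns != child_ns:
        problems.append(
            f"NS set mismatch for {zone}: parent-only={sorted(parent_ns - child_ns)} "
            f"child-only={sorted(child_ns - parent_ns)}")
    return problems


def lint_before_and_after() -> Tuple[List[str], List[str]]:
    """Run the lint on the delegation as found, then as Mark proposes to fix it."""
    zone = "30.22.203.in-addr.arpa."
    before = check_delegation(zone, PARENT_NS, CHILD_NS, RECORDS)
    # The fix: register ns01/ns02 in the parent so both sets are identical.
    after = check_delegation(zone, set(CHILD_NS), CHILD_NS, RECORDS)
    return before, after


if __name__ == "__main__":
    for label, found in zip(("before", "after"), lint_before_and_after()):
        print(label, found or "OK")
```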