Classless PTR query issue
Michael Varre
mvarre at gmail.com
Tue May 7 18:06:03 UTC 2013
On Tuesday, May 7, 2013 12:04:10 PM UTC-4, Justin T Pryzby wrote:
> I recommend "dig +trace -x" on one of your assigned IPs. Compare with
>
> the result from a known-good sub-24 rev dns delegation. The ISP
>
> should be returning something like:
>
>
>
> 162.48.168.205.in-addr.arpa. 43200 IN CNAME 162.160-175.48.168.205.in-addr.arpa.
>
> 160-175.48.168.205.in-addr.arpa. 43200 IN NS ns.norchemlab.com.
>
> 160-175.48.168.205.in-addr.arpa. 43200 IN NS ns1.norchemlab.com.
>
>
>
> and your NS should respond for the 160-175 zone. The particular
>
> naming convention doesn't matter, but has to be consistent between you
>
> and your ISP. The filename of the zone doesn't need to match the zone
>
> name, although that seems to be a popular misconception.. Slashes (as
>
> in 160/28.48.168.205.in-addr.arpa) are mildly inconvenient convention
>
> since, if the filename and zone DO match, they imply use of a
>
> subdirectory.
>
>
>
> Good luck,
>
> Justin
>
>
>
> On Tue, May 07, 2013 at 08:45:49AM -0700, Michael Varre wrote:
>
> > On Tuesday, May 7, 2013 11:34:07 AM UTC-4, Barry Margolin wrote:
>
> > > In article <mailman.240.1367938655.20661.bind-users at lists.isc.org>,
>
> > >
>
> > > Michael Varre <mvarre at gmail.com> wrote:
>
> > >
>
> > >
>
> > >
>
> > > > I'm setting up a new zone, similar to the many I've created successfully on
>
> > >
>
> > > > other ISPs to answer with PTR records for a /26 the ISP has sub-delegated to
>
> > >
>
> > > > my dns servers and it continues to fail:
>
> > >
>
> > > >
>
> > >
>
> > > > May 7 08:18:31 dns1 named[25328]: client 1.1.1.1#62125: view external: query
>
> > >
>
> > > > (cache) '90.1.1.1.in-addr.arpa/PTR/IN' denied
>
> > >
>
> > > >
>
> > >
>
> > > > My named.conf is setup as
>
> > >
>
> > > > zone "64-26.1.1.1.in-addr.arpa" {
>
> > >
>
> > > > type master;
>
> > >
>
> > > > file "/var/named/64-26.1.1.1.in-addr.arpa.db";
>
> > >
>
> > > > };
>
> > >
>
> > > >
>
> > >
>
> > > > zone record is:
>
> > >
>
> > > > $TTL 14400
>
> > >
>
> > > > 64-26.1.1.1.in-addr.arpa. 86400 IN SOA dns1.myns.com.
>
> > >
>
> > > > me.my.com. (
>
> > >
>
> > > > 2013050702 ;Serial Number
>
> > >
>
> > > > 86400 ;refresh
>
> > >
>
> > > > 7200 ;retry
>
> > >
>
> > > > 1209600 ;expire
>
> > >
>
> > > > 86400 ;minimum
>
> > >
>
> > > > )
>
> > >
>
> > > > 64-26.1.1.1.in-addr.arpa. 86400 IN NS dns1.myns.com.
>
> > >
>
> > > > 64-26.1.1.1.in-addr.arpa. 86400 IN NS dns2.myns.com.
>
> > >
>
> > > > 90 14400 IN PTR apple.somedomain.com.
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > > Mind you this is a cpanel server and this is the first time I've tried
>
> > >
>
> > > > setting up reverse dns to be setup by a cpanel server, but I'm not sure this
>
> > >
>
> > > > is relevant. It creates two views, internal and external. This is getting
>
> > >
>
> > > > serviced out of the external view, which really is just setup to answer any
>
> > >
>
> > > > question for which it has an answer. So i _really_ don't think it's relevant
>
> > >
>
> > > > but for the sake of troubleshooting I thought I might disclose that.
>
> > >
>
> > > >
>
> > >
>
> > > > Anyone have any ideas? Thanks in advance.
>
> > >
>
> > >
>
> > >
>
> > > If you're getting queries for 90.1.1.1.in-addr.arpa from outside
>
> > >
>
> > > clients, it means that the ISP has not set up the proper classless
>
> > >
>
> > > reverse delegation. They're delegating 1.1.1.in-addr.arpa to you instead
>
> > >
>
> > > of 64-26.1.1.1.in-addr.arpa.
>
> > >
>
> > >
>
> > >
>
> > > But the client IP appears to be one of your own addresses. They should
>
> > >
>
> > > be pointing to your caching server, not the authoritative server. It
>
> > >
>
> > > should then follow the ISP's delegation. If you're using the same
>
> > >
>
> > > server for auth and caching, you need to put the local IPs in the
>
> > >
>
> > > allow-query ACL.
>
> > >
>
> > >
>
> > >
>
> > > --
>
> > >
>
> > > Barry Margolin
>
> > >
>
> > > Arlington, MA
>
> >
>
> > Thanks for the response Barry. First, I have a hunch they don't know how to delegate classlessly. They seemed very confused at first.
>
> >
>
> > Why would you think that queries for 90.1.1.1.in-addr.arpa from outside would point to it being setup wrong by the ISP? .90 is one of my assigned IP's withing my /26. My GW IP address is .65. Maybe that is where I've gone wrong?
>
> >
>
> > I think my example may have confused things a bit. The 1.1.1.1 was just a random number (one of the downfalls of obfuscating IP's on a mailing list). consider that really 9.9.9.9, and that it is NOT one of my IP's - just a client on the internet.
>
> >
>
> > _______________________________________________
>
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> >
>
> > bind-users mailing list
>
> > bind-users at lists.isc.org
>
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> >
So interestingly they did give me their setup and this is their response, and my warm and fuzzy feeling continues to go out the window:
They use SimpleDNS
Record Name: 65.246.59.108.in-addr.arpa
DNS Server (FQDN): dns1.kishmish.com.
TTL: 1 Hour
I'd imagine this is wrong since 65 is my starting IP rather than my network IP, which is 64.
More information about the bind-users
mailing list