address resolution & reverse
Jim Pazarena
bind at ccstores.com
Wed Apr 18 20:37:15 UTC 2001
Many thanks for your response. I almost gave up.
After more careful scrutiny, I see that the exact IPs people are trying
to reverse resolve are IPs which I do not have direct control over.
Specifically:
I control the range 209.53.238/24 and it reverse maps fine.
My web server is remotely located at 64.69.87.111
I've got the forward reference set up in *my* DNS of
www.qcislands.net IN A 64.69.87.111 since I control "qcislands.net"
and the agency hosting my machine has the reverse IP set up in their DNS
since the actual IP addresses are theirs.
Why would *any* server be hitting *my* DNS server for reverse mapping
of 64.69.87.111 ?
I don't have a zone set up for "111.87.69.64.in-addr.arpa" in *my* DNS
because it's not my range.
I've got remote querying of REMOTE IPs denied in my named.conf.
How can I permit remote queries to this specific IP while denying
remote queries of remote IPs in general?
>Subject: Re: address resolution & reverse
>Date: Wed, 18 Apr 2001 15:39:08 -0400
>From: Kevin Darcy <kcd at daimlerchrysler.com>
>When a client does a "reverse" lookup, i.e. when it wants to map an address
>back to a name, it takes the address, reverses the octets, and appends
>in-addr.arpa to it. So, a reverse lookup of 209.53.238.1 actually comes to the
>nameserver as a query of 1.238.53.209.in-addr.arpa. You need to permit queries
>of the 238.53.209.in-addr.arpa or 53.209.in-addr.arpa zone (depending on how
>the reverse address space is delegated) in order to answer those queries.
>You said that querying 209.53.238.1 works. But the important question is: from
>*where* did it work? If you queried it from a client that was in your
>allow-query ACL, then obviously it worked. But apparently it's being denied
>for other clients. If this turns out to be some sort of ACL problem, then
>please post your named.conf, otherwise it'll just be guesswork trying to
>figure out the problem.
>- Kevin
>Jim Pazarena wrote:
>> I have seen "client XX.XX.XX.XX#XXXX: query denied" in my logs, and decided
>> to investigate it, so I turned on query logging.
>>
>> I find that my DNS is denying queries like: 1.238.53.209.in-addr.arpa
>>
>> where if you query: ciu.qcislands.net, it works
>> and if you query: 209.53.238.1, it also works
>>
>> Is there something I have to do to enable queries of the in-addr.arpa type?
>> --
--
Jim Pazarena mailto:paz at ccstores.com
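
The reverse-name construction described in the quoted reply, as an added example that is not part of the original messages: it builds the in-addr.arpa query name for an address and checks whether that name falls inside a zone the server hosts. The `LOCAL_ZONES` list and the function names are assumptions made for illustration, using the zone names and addresses mentioned in the thread.

```python
import ipaddress

# Assumed set of zones served locally, taken from the names in the thread.
LOCAL_ZONES = ["qcislands.net", "238.53.209.in-addr.arpa"]


def reverse_name(addr):
    """Reverse the octets of an IPv4 address and append in-addr.arpa."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"


def owning_zone(qname, zones=LOCAL_ZONES):
    """Return the most specific local zone containing qname, or None.

    Comparison is done label by label, so "1238.53.209.in-addr.arpa" is
    not mistaken for a name inside "238.53.209.in-addr.arpa".
    """
    labels = qname.lower().rstrip(".").split(".")
    best = None
    for zone in zones:
        zl = zone.lower().rstrip(".").split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(best.split(".")):
                best = zone
    return best


def classify(addr):
    """Return (query name, local zone or None) for a reverse lookup."""
    qname = reverse_name(addr)
    return qname, owning_zone(qname)


if __name__ == "__main__":
    # Addresses mentioned in the thread.
    for addr in ("209.53.238.1", "64.69.87.111"):
        qname, zone = classify(addr)
        where = "inside local zone " + zone if zone else "not in any local zone"
        print(addr, "->", qname, "->", where)
```

A name that falls inside a local zone is answered from that zone's data, so it is governed by the ACL that applies to the zone; a name outside every local zone can only be answered by querying other servers on the client's behalf.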