Reverse DNS
Matthew J. Brodeur
mbrodeur at NextTime.com
Thu Aug 15 13:18:48 EDT 2002
On Thu, 15 Aug 2002, Brenda A. Bell wrote:
> Can someone point me to a good resource for getting a better
> understanding of reverse DNS and the role it plays in the big picture?
If you really care enough to spend the money and time, resources for
this subject don't get much better than "DNS & BIND" from O'Reilly. For
simpler, and free, information you might try the DNS HOWTO at TLDP:
http://www.nexttime.com/LDP/HOWTO/DNS-HOWTO.html
That was my introduction to DNS hosting several years ago. I don't
know how well it's been kept up, but it should be helpful.
> A dig against my ISP's nameserver for my reverse IP address gives an
> authoritative answer -- makes sense since it does own the address and it
> has the PTR record. A dig against ns1.zoneedit.com for my domain name
> gives an authoritative answer.
These make sense.
> A dig against ns1.zoneeedit for my reverse IP simply refers me to the
> root servers.
Again, this is what should happen. The forward and reverse DNS trees
are effectively completely separate. Even though ZoneEdit can tie your
host names to an IP address, they know nothing about mapping IP addresses
they don't own back to the right names.
> I don't see evidence of any problems occurring because of this setup,
> but I remember reading somewhere that your RR's should be correct in
> order for you to be considered "clean"... at the same time, I can't
> imagine that my scenario is uncommon given the number of people who run
> small home setups like mine.
You may never see a problem, but if you do you'll find it quite
annoying. RDNS checks are often used as pseudo-security features. Just
about anyone can point a host name at an arbitrary IP address, but only
the owner of that IP (or a delegated authority) can set the reverse name.
FTP and mail have been commonly known to perform DNS safety checks before
allowing connections, so you might see a problem there.
In most cases, though, as long as there exists a matched
forward/reverse for your IP you'll be fine. IOW, as long as
64.35.195.111 = 111-195-35-64.mcttelecom.com
AND
111-195-35-64.mcttelecom.com = 64.35.195.111
...most things will work.
--
-Matt
gurmlish, n.:
The red warning flag at the top of a club sandwich which
prevents the person from biting into it and puncturing the roof
of his mouth.
-- Rich Hall, "Sniglets"
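The matched forward/reverse condition described in the message above, as an added example that is not part of the original post: a forward-confirmed reverse DNS check of the kind a mail or FTP server might run on a connecting address. The function names and the 192.0.2.x / example.com entries are constructed for illustration; only the first address/name pair comes from the message.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases


def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a list of addresses."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []


def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (verdict, confirmed_names); verdict is match/mismatch/no-ptr."""
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(addr))]
    if not names:
        return "no-ptr", []
    confirmed = []
    for name in names:
        for candidate in forward_lookup(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    confirmed.append(name)
                    break
            except ValueError:
                continue  # not a plain address (e.g. scoped IPv6); skip it
    return ("match" if confirmed else "mismatch"), confirmed


# Constructed tables standing in for DNS; the first pair is from the message.
PTR = {"64.35.195.111": ["111-195-35-64.mcttelecom.com."],
       "192.0.2.10": ["mail.example.com."]}   # PTR names a host...
FWD = {"111-195-35-64.mcttelecom.com": ["64.35.195.111"],
       "mail.example.com": ["192.0.2.99"]}    # ...that resolves elsewhere

if __name__ == "__main__":
    for ip in ("64.35.195.111", "192.0.2.10", "192.0.2.77"):
        verdict = fcrdns(ip, lambda a: PTR.get(a, []), lambda n: FWD.get(n, []))
        print(ipaddress.ip_address(ip).reverse_pointer, verdict)
```

Called with only an IP address, `fcrdns` uses the system resolver instead of the sample tables.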