Reverse DNS

Matthew J. Brodeur mbrodeur at NextTime.com
Thu Aug 15 13:18:48 EDT 2002



On Thu, 15 Aug 2002, Brenda A. Bell wrote:

> Can someone point me to a good resource for getting a better
> understanding of reverse DNS and the role it plays in the big picture?

   If you really care enough to spend the money and time, resources for 
this subject don't get much better than "DNS & BIND" from O'Reilly.  For 
simpler, and free, information you might try the DNS HOWTO at TLDP:
http://www.nexttime.com/LDP/HOWTO/DNS-HOWTO.html

   That was my introduction to DNS hosting several years ago.  I don't 
know how well it's been kept up, but it should be helpful.


> A dig against my ISP's nameserver for my reverse IP address gives an
> authoritative answer -- makes sense since it does own the address and it
> has the PTR record. A dig against ns1.zoneedit.com for my domain name 
> gives an authoritative answer.

    These make sense. 

> A dig against ns1.zoneeedit for my reverse IP simply refers me to the 
> root servers.

   Again, this is what should happen.  The forward and reverse DNS trees 
are effectively completely separate.  Even though ZoneEdit can tie your 
host names to an IP address, they know nothing about mapping IP addresses 
they don't own back to the right names.


> I don't see evidence of any problems occurring because of this setup,
> but I remember reading somewhere that your RR's should be correct in
> order for you to be considered "clean"... at the same time, I can't
> imagine that my scenario is uncommon given the number of people who run
> small home setups like mine.

   You may never see a problem, but if you do you'll find it quite 
annoying.  RDNS checks are often used as pseudo-security features.  Just 
about anyone can point a host name at an arbitrary IP address, but only 
the owner of that IP (or a delegated authority) can set the reverse name.  
FTP and mail have been commonly known to perform DNS safety checks before 
allowing connections, so you might see a problem there.
   In most cases, though, as long as there exists a matched 
forward/reverse for your IP you'll be fine.  IOW, as long as 
 64.35.195.111 = 111-195-35-64.mcttelecom.com
	AND
 111-195-35-64.mcttelecom.com = 64.35.195.111
  ...most things will work.


-- 
     -Matt

gurmlish, n.:
	The red warning flag at the top of a club sandwich which
	prevents the person from biting into it and puncturing the roof
	of his mouth.
		-- Rich Hall, "Sniglets"
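
The matched forward/reverse test described in the message above, as an added example that is not part of the original post. The function names and the lookup tables are assumptions constructed for illustration; only the mcttelecom.com pair comes from the message.

```python
import ipaddress
import socket

def reverse_names(ip):
    """PTR lookup: the names published by whoever controls the address block."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def forward_addrs(name):
    """A/AAAA lookup: the addresses published by whoever controls the name."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def matched_forward_reverse(ip, reverse=reverse_names, forward=forward_addrs):
    """Return (ok, detail); ok only if a PTR name for ip resolves back to ip."""
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return False, "no PTR record"
    for name in names:
        if any(_same_ip(ip, addr) for addr in forward(name)):
            return True, name
    return False, "PTR does not resolve back: " + ", ".join(names)

# Constructed sample data so the check runs offline (192.0.2.x is a documentation range).
PTR = {"64.35.195.111": ["111-195-35-64.mcttelecom.com."],
       "192.0.2.10": ["mail.example.com."]}        # PTR claims a name...
A = {"111-195-35-64.mcttelecom.com": ["64.35.195.111"],
     "home.example.org": ["64.35.195.111"],       # extra forward name, no PTR needed
     "mail.example.com": ["192.0.2.25"]}          # ...whose owner points elsewhere

def sample_reverse(ip):
    return PTR.get(ip, [])

def sample_forward(name):
    return A.get(name, [])

if __name__ == "__main__":
    for ip in ("64.35.195.111", "192.0.2.10", "192.0.2.99"):
        print(ip, matched_forward_reverse(ip, sample_reverse, sample_forward))
```

Called without the two sample resolvers, `matched_forward_reverse` uses the system resolver for live lookups.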








More information about the gnhlug-discuss mailing list