Reverse DNS
Derek D. Martin
ddm+gnhlug at pizzashack.org
Thu Aug 15 14:45:49 EDT 2002
At some point hitherto, Brenda A. Bell hath spake thusly:
> A dig against my ISP's nameserver for my reverse IP address gives an
> authoritative answer -- makes sense since it does own the address and it
> has the PTR record. A dig against ns1.zoneedit.com for my domain name
> gives an authoritative answer. A dig against ns1.zoneedit for my
> reverse IP simply refers me to the root servers.
I can give you a somewhat simplified explanation of how DNS works,
which might help you.
DNS is a hierarchical database that deals with zones. Each level in
the hierarchy can, and very often does, have a different authoritative
source for the data that's in it. For example, the root servers are
delegated the authority over the .com, .net, and .org top-level
domains (as well as some others). The next level of the hierarchy is
delegated to a person who is responsible for the data in it; i.e.
zoneedit is responsible for the data in zoneedit.com, so the root
servers have a pointer to their nameservers that indicates this.
In turn, if they had another domain within that domain, say,
business.zoneedit.com, zoneedit's servers would have a pointer to the
name server responsible for that zone. These pointers are often
called "glue" records, as they tie together the authority between
levels of the hierarchy.
Reverse lookups are somewhat of a hack -- they use the "fictional"
zone in-addr.arpa as their base. When you look up your IP address,
you are actually looking up a hack hostname, in your case
111.195.35.64.in-addr.arpa. The root servers are authoritative for
in-addr.arpa, and contain pointers to the servers who are
authoritative for the next level down, i.e. 64.in-addr.arpa. The
people who are authoritative for that domain are the people who have
been assigned that block of IP addresses. The only way that you can
have control over the reverse lookup of your IP address is to have the
organization who owns the IP delegate reverse lookups of it to you.
Where you're a home user, this is extremely unlikely to happen. An
alternative is to ask your ISP to change the name associated with that
IP address for you, but this is also unlikely, where you're a home
user. Businesses can usually get their ISP to do one of the two for
them, but some ISPs are unwilling to do it even for businesses,
because delegating authority for individual IP addresses is a messy
hack requiring a lot of extra data, and managing/updating individual
IP addresses is a support headache that some ISPs don't want to bother
with.
> I don't see evidence of any problems occurring because of this setup,
> but I remember reading somewhere that your RR's should be correct in
> order for you to be considered "clean"... at the same time, I can't
> imagine that my scenario is uncommon given the number of people who run
> small home setups like mine.
I've been running with this kind of setup for years, and I have never
had a problem with any service, including those I run myself (e-mail,
web, ssh servers). It's generally true that a) your IP address must
resolve to a name, b) that name to which it resolves should resolve
back to the IP address, and c) your domain name should resolve to
something (or at least have an MX record associated with it for
e-mail to work properly).
a & b should be all set, so long as your ISP is doing their job. Only
c is up to you. :)
HTH
For more reference, I'd highly recommend the O'Reilly DNS book, as
others have done; but I'd also highly recommend Evi Nemeth's Unix
System Administration Handbook, or the Linux-specific version of that
book. They don't go into nearly as much detail about DNS as the
O'Reilly book, but teach you everything you need to know about how DNS
works to get going, including providing example zone files and
named.conf files. If you get USAH, make sure you get the latest
edition (third), so it covers the more recent versions of BIND. The
Linux Administration Handbook is very recent, having only one edition.
--
Derek Martin ddm at pizzashack.org
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
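The in-addr.arpa construction and the "IP resolves to a name, name resolves back" conditions (a) and (b) from the post above, as an added Python example that is not part of the original message. The PTR and A tables are constructed stand-ins so the check runs offline; swap in real lookups (e.g. dnspython) to test a live address.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name: octets reversed, zone appended.
    64.35.195.111 -> 111.195.35.64.in-addr.arpa"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def delegation_chain(ip: str) -> List[str]:
    """Zones walked from the root down: in-addr.arpa, the /8 zone
    (e.g. 64.in-addr.arpa), /16, /24, and finally the PTR owner name.
    Each step may be served by a different authoritative nameserver."""
    labels = reverse_name(ip).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]

def forward_confirmed(ip: str,
                      ptr_lookup: Callable[[str], Optional[str]],
                      a_lookup: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """(a) the IP must have a PTR; (b) that name must have an A record
    pointing back at the same IP.  Returns (ok, name-or-reason)."""
    ptr_owner = reverse_name(ip)
    name = ptr_lookup(ptr_owner)
    if name is None:
        return False, "no PTR record for " + ptr_owner
    if ip not in a_lookup(name):
        return False, name + " does not resolve back to " + ip
    return True, name

# Constructed sample data (TEST-NET addresses, made-up hostnames), standing
# in for the ISP's reverse zone and the customer's forward zone.
PTR_TABLE: Dict[str, str] = {
    "10.2.0.192.in-addr.arpa": "host10.example.net",   # a and b both hold
    "20.2.0.192.in-addr.arpa": "stale.example.net",    # a holds, b fails
    # 192.0.2.30 deliberately has no PTR: condition a fails
}
A_TABLE: Dict[str, List[str]] = {
    "host10.example.net": ["192.0.2.10"],
    "stale.example.net": ["192.0.2.99"],
}

def check(ip: str) -> Tuple[bool, str]:
    """Run the forward-confirmed check against the constructed tables."""
    return forward_confirmed(ip, PTR_TABLE.get, lambda n: A_TABLE.get(n, []))

if __name__ == "__main__":
    print(reverse_name("64.35.195.111"), delegation_chain("64.35.195.111"))
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check(ip))
```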
More information about the gnhlug-discuss mailing list