From: Eric F Crist
Date: Tue, 23 Oct 2007 07:23:51 -0500
To: Philip M. Gollucci
Cc: User Questions
Subject: Re: reverse DNS resolution...

On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:

> Eric F Crist wrote:
>> Hey folks,
>>
>> We're trying to get reverse DNS resolution for a block of IPs
>> (private). We've had the 10.x network working great at the office
>> for quite some time now, but I'm having a problem getting the
>> 172.30.x network to work.
>>
>> Typing 'host ' returns a valid result, however output from who,
>> as well as other network services (IRC, apache) only see the IP. Is
>> there something I'm missing?
>>
>> Thanks for the pointers!
> Well, your DNS needs to be authoritative for both forward and reverse.
> If you are trying to do this for less than a /24 block the zone files
> get messy quick because of the 8bit boundaries. You seem to be trying
> to do this for a /16. I'll bet you're missing the named.conf entries
> and related reverse zone files:
>
> Odds are you'll want to have zones:
>
> zone "1.30.172.in-addr.arpa" {
>     type master;
>     file "master/1.30.172.in.addr.arpa";
>     notify yes;
> };
> ....
> zone "255.30.172.in-addr.arpa" {
>     // or slave config since you'll have more than 1 ns
>     type slave;
>     file "slave/255.30.172.in.addr.arpa";
>     masters { x.y.z.a; };
> };
>
> Or some larger splits of that.
>
> You're going to have to give me a netmask for more help.

/16 is the netmask, you already figured that one out. ;)

As I already stated, if I do a host 172.30.x.x, I get the correct reverse resolution. dig works as well. What isn't working is the reverse resolution in certain command outputs, etc.

Maybe there is something missing here:

== named.conf ==
zone "30.172.IN-ADDR.ARPA" {
    type master;
    file "master/vpn.rev";
};

== vpn.rev ==
$TTL 86400
@       IN      SOA     snowball2.secure-computing.net root.secure-computing.net (
                        1       ; Serial
                        21600   ; Refresh
                        1200    ; Retry
                        1209600 ; Expire
                        3600    ; TTL
                        )
        IN      NS      snowball2.secure-computing.net

; Static vpn ips go here.
21.1    IN      PTR     user1.vpn.
25.1    IN      PTR     user2.vpn.
29.1    IN      PTR     user3.vpn.
33.1    IN      PTR     user4.vpn.
37.1    IN      PTR     user5.vpn.
41.1    IN      PTR     user6.vpn.
45.1    IN      PTR     user7.vpn.
49.1    IN      PTR     user8.vpn.
53.1    IN      PTR     user9.vpn.

; Auto-generate reverse dns for our dynamic block.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-254 $ PTR 172-30-0-$.vpn.

For what it's worth, the hosts I'm testing have snowball2 listed as their primary DNS server.
Again, host 172.30.1.21 successfully returns user1.vpn, etc. Just output in w and last, as well as certain services such as UnrealIRCd don't resolve these correctly.

Thanks for the help folks!

-----
Eric F Crist
Secure Computing Networks
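An added illustration, not part of the original message or of the poster's setup: the PTR lines of the quoted vpn.rev expanded in Python into the addresses they cover, showing how relative owners such as `21.1` and the `$GENERATE` line resolve under their origins. The sample zone text is constructed from the message, the function names are hypothetical, and only absolute `$ORIGIN` values, plain `start-stop` ranges and bare `$` substitution are handled.

```python
import ipaddress

# Constructed sample: PTR part of the vpn.rev zone quoted in the message
# (three of the static entries plus the $GENERATE block).
ZONE_ORIGIN = "30.172.in-addr.arpa."
ZONE_TEXT = """\
; Static vpn ips go here.
21.1 IN PTR user1.vpn.
25.1 IN PTR user2.vpn.
53.1 IN PTR user9.vpn.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-254 $ PTR 172-30-0-$.vpn.
"""
SUFFIX = ".in-addr.arpa."

def owner_to_ip(owner, origin):
    """Map a PTR owner name (relative or absolute) to the IPv4 address it covers."""
    fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
    if not fqdn.lower().endswith(SUFFIX):
        raise ValueError(f"{fqdn} is not under in-addr.arpa")
    labels = fqdn[: -len(SUFFIX)].split(".")
    if len(labels) != 4:
        raise ValueError(f"{fqdn} does not name a single host address")
    # Reverse-zone labels are the address octets in reverse order.
    return ipaddress.IPv4Address(".".join(reversed(labels)))

def expand_ptr_records(text, origin):
    """Return {IPv4Address: target} for PTR lines, following $ORIGIN and $GENERATE."""
    records = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop zone-file comments
        if not fields:
            continue
        directive = fields[0].upper()
        if directive == "$ORIGIN":
            origin = fields[1]
        elif directive == "$GENERATE" and fields[-2].upper() == "PTR":
            start, stop = map(int, fields[1].split("-"))
            for i in range(start, stop + 1):
                ip = owner_to_ip(fields[2].replace("$", str(i)), origin)
                records[ip] = fields[-1].replace("$", str(i))
        elif "PTR" in (f.upper() for f in fields[1:-1]):
            records[owner_to_ip(fields[0], origin)] = fields[-1]
    return records

def reverse_lookup(ip, text=ZONE_TEXT, origin=ZONE_ORIGIN):
    """Return the PTR target the zone holds for ip, or None if it has no record."""
    return expand_ptr_records(text, origin).get(ipaddress.IPv4Address(ip))
```
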