Date:      Tue, 23 Oct 2007 09:48:58 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        Eric F Crist <ecrist@secure-computing.net>, "Philip M. Gollucci" <pgollucci@riderway.com>
Cc:        User Questions <freebsd-questions@freebsd.org>
Subject:   Re: reverse DNS resolution...
Message-ID:  <6.0.0.22.2.20071023094556.02477bc0@mail.computinginnovations.com>
In-Reply-To: <5E76A4F8-0C80-412F-BA07-99CFEC08E062@secure-computing.net>
References:  <87AE890B-5F57-4F8B-B660-417455F9C453@secure-computing.net> <471D1B65.6000800@riderway.com> <5E76A4F8-0C80-412F-BA07-99CFEC08E062@secure-computing.net>

At 07:23 AM 10/23/2007, Eric F Crist wrote:
>On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:
>
>>Eric F Crist wrote:
>>>Hey folks,
>>>
>>>We're trying to get reverse DNS resolution for a block of IPs
>>>(private).  We've had the 10.x network working great at the office
>>>for quite some time now, but I'm having a problem getting the
>>>172.30.x network to work.
>>>
>>>Typing 'host <ip>' returns a valid result, however output from who,
>>>as well as other network services (IRC, apache) only see the IP.  Is
>>>there something I'm missing?
>>>
>>>Thanks for the pointers!
>>Well, your DNS needs to be authoritative for both forward and reverse.
>>If you are trying to do this for less than a /24 block the zone files
>>get messy quick because of the 8-bit boundaries.  You seem to be trying
>>to do this for a /16.  I'll bet you're missing the named.conf entries
>>and related reverse zone files:
>>
>>Odds are you'll want to have zones:
>>
>>zone "1.30.172.in-addr.arpa" {
>>   type master;
>>   file "master/1.30.172.in.addr.arpa";
>>   notify yes;
>>}
>>....
>>zone "255.30.172.in-addr.arpa" {
>>   ;; or slave config since you'll have more than 1 ns
>>   type slave;
>>   file "slave/255.30.172.in.addr.arpa";
>>   masters { x.y.z.a; };
>>}
>>
>>Or some larger splits of that.
>>
>>You're going to have to give me a netmask for more help.
>
>/16 is the netmask, you already figured that one out. ;)
>
>As I already stated, if I do a host 172.30.x.x, I get the correct
>reverse resolution.  dig works as well.  What isn't working is the
>reverse resolution in certain command outputs, etc.  Maybe there is
>something missing here:
>
>== named.conf ==
>zone "30.172.IN-ADDR.ARPA" {
>         type master;
>         file "master/vpn.rev";
>};
>
>== vpn.rev ==
>
>$TTL 86400
>@       IN SOA snowball2.secure-computing.net root.secure-computing.net (
>         1               ; Serial
>         21600           ; Refresh
>         1200            ; Retry
>         1209600         ; Expire
>         3600            ; TTL
>)
>         IN NS   snowball2.secure-computing.net
>
>; Static vpn ips go here.
>21.1    IN PTR  user1.vpn.
>25.1    IN PTR  user2.vpn.
>29.1    IN PTR  user3.vpn.
>33.1    IN PTR  user4.vpn.
>37.1    IN PTR  user5.vpn.
>41.1    IN PTR  user6.vpn.
>45.1    IN PTR  user7.vpn.
>49.1    IN PTR  user8.vpn.
>53.1    IN PTR  user9.vpn.
>
>; Auto-generate reverse dns for our dynamic block.
>$ORIGIN 0.30.172.in-addr.arpa.
>$GENERATE 2-254 $ PTR 172-30-0-$.vpn.
>
>
>For what it's worth, the hosts I'm testing have snowball2 listed as
>their primary DNS server.  Again, host 172.30.1.21 successfully
>returns user1.vpn, etc.  Just output in w and last, as well as
>certain services such as UnrealIRCd don't resolve these correctly.
>
>Thanks for the help folks!
>-----
>Eric F Crist
>Secure Computing Networks
>

You may need to check your /etc/nsswitch.conf on snowball, and any other 
DNS servers.  Also be sure you are using the same DNS lookup order for the 
clients.

I didn't see snowball's PTR record, so I assume it is correct and all 
servers find it correctly as the primary DNS.

         -Derek
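The vpn.rev quoted above relies on three master-file rules that are easy to get wrong in a reverse zone: owner names without a trailing dot are relative to the current origin, $ORIGIN changes that origin mid-file, and $GENERATE stamps out one PTR per address. The following Python script is an added example, not code from the thread or from BIND: it expands a constructed master file modelled on Eric's vpn.rev, answers PTR lookups for addresses in the /16, and lists every rdata name that BIND would read as relative to the origin (the SOA and NS target names carry no trailing dot, as in the posted file, so the check has something to report). ZONE_ORIGIN, the sample records and the supported subset of $GENERATE syntax are assumptions of this example.

```python
"""Expand a BIND master file for a reverse zone and sanity-check it.

Added example for the freebsd-questions thread; the zone below is constructed,
modelled on the posted vpn.rev, and is not the list poster's own file.
"""
import ipaddress

# Assumed zone origin, taken from the named.conf entry quoted in the thread.
ZONE_ORIGIN = "30.172.in-addr.arpa."

# Constructed sample. SOA/NS target names are written without a trailing dot,
# exactly as in the posted file, so unqualified_names() has something to flag.
SAMPLE_ZONE = """\
$TTL 86400
@       IN SOA snowball2.secure-computing.net root.secure-computing.net (
        1               ; Serial
        21600           ; Refresh
        1200            ; Retry
        1209600         ; Expire
        3600            ; TTL
)
        IN NS   snowball2.secure-computing.net
; Static vpn ips go here.
21.1    IN PTR  user1.vpn.
25.1    IN PTR  user2.vpn.
; Auto-generate reverse dns for our dynamic block.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-254 $ PTR 172-30-0-$.vpn.
"""

# How many leading rdata fields of each type are domain names subject to origin rules.
NAME_FIELDS = {"SOA": 2, "NS": 1, "PTR": 1, "CNAME": 1}


def fqdn(name, origin):
    """BIND's rule: '@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Strip ';' comments, join '( ... )' continuations, yield (owner_inherited, tokens)."""
    buf, depth, inherited = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            inherited = line[0].isspace()  # leading blank: reuse the previous owner
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield inherited, " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []


def expand_zone(text, zone_origin=ZONE_ORIGIN):
    """Return (owner, type, rdata_tuple, origin_in_effect) for every record.

    Handles $TTL, $ORIGIN and the plain 'start-stop' form of $GENERATE with a
    bare '$' placeholder; BIND's $$ and ${offset,width,base} forms are not parsed.
    """
    origin, owner, records = zone_origin, zone_origin, []
    for inherited, tokens in _logical_lines(text):
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
            continue
        if tokens[0] == "$GENERATE":
            lo, hi = (int(x) for x in tokens[1].split("/")[0].split("-"))
            lhs, rtype, rhs = tokens[2], tokens[-2], tokens[-1]
            for n in range(lo, hi + 1):
                records.append((fqdn(lhs.replace("$", str(n)), origin), rtype,
                                (rhs.replace("$", str(n)),), origin))
            continue
        if not inherited:
            owner, tokens = fqdn(tokens[0], origin), tokens[1:]
        while tokens and (tokens[0].isdigit() or tokens[0] in ("IN", "CH", "HS")):
            tokens = tokens[1:]  # optional TTL and class fields
        records.append((owner, tokens[0], tuple(tokens[1:]), origin))
    return records


def reverse_lookup(records, ip):
    """PTR targets for an address, matched on its in-addr.arpa owner name."""
    want = ipaddress.ip_address(ip).reverse_pointer + "."
    return [rdata[0] for owner, rtype, rdata, _ in records
            if rtype == "PTR" and owner.lower() == want.lower()]


def unqualified_names(records):
    """Rdata names written without a trailing dot, with the FQDN BIND actually uses.

    In a reverse zone such a name silently becomes host.example.net.30.172.in-addr.arpa.
    """
    return [(owner, rtype, name, fqdn(name, origin))
            for owner, rtype, rdata, origin in records
            for name in rdata[:NAME_FIELDS.get(rtype, 0)]
            if not name.endswith(".")]


if __name__ == "__main__":
    recs = expand_zone(SAMPLE_ZONE)
    for ip in ("172.30.1.21", "172.30.0.42", "172.30.0.1"):
        print(ip, "->", reverse_lookup(recs, ip) or "(no PTR)")
    for owner, rtype, name, actual in unqualified_names(recs):
        print(f"warning: {rtype} at {owner} has unqualified {name!r}; BIND reads it as {actual}")
```

Run against the sample, 172.30.1.21 resolves to user1.vpn. and 172.30.0.42 to the generated 172-30-0-42.vpn., which is the behaviour `host` and `dig` report in the thread; 172.30.0.1 has no PTR because the $GENERATE range starts at 2. The unqualified-name check is the part the thread does not cover: it reports the SOA and NS names as relative to 30.172.in-addr.arpa., a silent misconfiguration that PTR queries alone never reveal. Derek's point about lookup order is a separate matter: `host` and `dig` query the server directly, while programs such as who and last resolve through the libc resolver and therefore follow /etc/nsswitch.conf, so both the zone data and the client lookup order need checking.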

