[Techtalk] Reverse DNS confusion

Raven, corporate courtesan raven at oneeyedcrow.net
Tue May 21 15:28:02 EST 2002


Heya --

Quoth Dushyanth Harinath (Tue, May 21, 2002 at 01:42:02PM +0530):
> My ISP has assigned me a block of IPs, say from the network
> 192.168.1.0/27. My block of IPs is 192.168.1.32/27. Now I have set up
> forward DNS and I have no problem understanding that. But I am stuck with
> reverse DNS. I have created a reverse zone 1.168.192.in-addr.arpa and
> gave the PTR records to my hosts in the zone file. Is this OK? Can I
> create a reverse zone for the entire 192.168.1.0/27?

	You can configure whatever you want on your server, but you'll
only be authoritative for the zones that a registrar is pointing at you.
I can make a DNS server that would answer queries for microsoft.com, set
it up, and configure my network machines to use it.  They'll use it and
it will tell them whatever I tell it to about microsoft.com.

	However, if Sue across town surfs to microsoft.com, she will be
directed by her DNS server to the authoritative nameserver for
microsoft.com, which isn't me.

	Likewise, you can set up your DNS server to answer for the
reverse zone, even if you're not authoritative for it.  But nobody
except machines using your DNS server will take that information as
good unless the zone has been properly delegated to you.  From the
sounds of it, your ISP would have no idea how to SWIP your block to
you.  You may just be out of luck, or have to yell at your ISP a lot
until they do the right thing and set up DNS servers.

	Are there any other more clueful ISPs in your area?  Having no
DNS is going to break a good number of things and cause you a lot of grief.
 
> Below is named.conf for BIND 9.1.3.
> 
> //named.conf
> 
> options {
>     directory "/var/named";
>     listen-on { 192.168.1.33; };
>     allow-recursion {192.168.1.32/27;};
> };

	There are other security options you may want to investigate
if you're running bind.  Limit zone transfers to your secondary DNS
servers, run bind as a non-root user, chroot the service, things like
that.  http://rr.sans.org/DNS/sec_BIND.php is a good place to start, and
feel free to throw questions out to the list.

Cheers,
Raven
 
"The Eye is mean. The Eye is red.
 He rules nine Riders. They are dead."
  -- Gandalf, from "Green Eggs and Lembas", 
     http://www.tolkienonline.com/docs/4511.html
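
Added example (not part of Raven's message or the original thread): what a
properly delegated reverse zone for a /27 looks like, with the BIND hardening
Raven mentions. The /24 zone 1.168.192.in-addr.arpa can only be delegated to
one party, so for a smaller block the holder of the /24 (the ISP) uses
RFC 2317 classless delegation: it creates a sub-zone name for the /27,
points NS records at the customer's servers, and CNAMEs each address under
the /24 into that sub-zone. The host names ns1/ns2.example.net, the
secondary's address 192.168.1.34 and the chroot path are assumptions for
illustration only. The named.conf part uses BIND's // comments; the zone
file parts use the ; comment syntax zone files require.

```conf
// ---- /etc/named.conf on the customer's primary (192.168.1.33) ----
// Added example; ns1/ns2.example.net and the secondary's address
// 192.168.1.34 are assumptions, not from the original thread.
// Run the daemon unprivileged and chrooted from the command line, e.g.
//   named -u named -t /var/named/chroot
// (those two hardening steps are startup options, not named.conf settings).
options {
    directory "/var/named";
    listen-on { 192.168.1.33; };
    allow-query { any; };                  // anyone may ask about our zones
    allow-recursion { 192.168.1.32/27; };  // but only our block may recurse
    allow-transfer { 192.168.1.34; };      // AXFR only to our secondary
    version "not disclosed";               // do not advertise the BIND version
};

// RFC 2317 classless reverse zone for 192.168.1.32/27.  Only the holder of
// 1.168.192.in-addr.arpa (the ISP) can be delegated the /24; a /27 gets a
// sub-zone of its own, which the ISP delegates to us.
zone "32/27.1.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.1.32-27";
};

; ---- /var/named/db.192.168.1.32-27 (customer side, zone-file syntax) ----
$TTL 86400
$ORIGIN 32/27.1.168.192.in-addr.arpa.
@       IN SOA  ns1.example.net. hostmaster.example.net. (
                2002052101 ; serial (YYYYMMDDnn)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-cache TTL
        IN NS   ns1.example.net.
        IN NS   ns2.example.net.
33      IN PTR  ns1.example.net.
34      IN PTR  ns2.example.net.
35      IN PTR  www.example.net.

; ---- what the ISP must add to its own 1.168.192.in-addr.arpa zone ----
; This is the delegation step the customer cannot perform alone; without
; it, only clients of the customer's own server ever see the PTRs above.
$ORIGIN 1.168.192.in-addr.arpa.
32/27   IN NS    ns1.example.net.
32/27   IN NS    ns2.example.net.
33      IN CNAME 33.32/27.1.168.192.in-addr.arpa.
34      IN CNAME 34.32/27.1.168.192.in-addr.arpa.
35      IN CNAME 35.32/27.1.168.192.in-addr.arpa.
```

A resolver looking up 33.1.168.192.in-addr.arpa reaches the ISP's servers,
gets the CNAME to 33.32/27.1.168.192.in-addr.arpa, follows the NS delegation
to ns1/ns2.example.net, and only then sees the PTR. Once the ISP has added
its side, `dig -x 192.168.1.33 +trace` shows that chain; before it has, the
same query from outside returns NXDOMAIN no matter what the customer's server
is configured to say. `named-checkconf` and
`named-checkzone 32/27.1.168.192.in-addr.arpa db.192.168.1.32-27` will catch
syntax slips in the files before they are loaded.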
