[Techtalk] Reverse DNS confusion

Dushyanth Harinath dushy at symonds.net
Wed May 22 11:07:06 EST 2002


Hi,

 * On 21'th May 2002 03:28:02 PM <raven at oneeyedcrow.net> wrote :
> Quoth Dushyanth Harinath (Tue, May 21, 2002 at 01:42:02PM +0530):
> > My ISP has assigned me a block of IPs, say from the network
> > 192.168.1.0/27. My block of IPs is 192.168.1.32/27. Now I have set up
> > forward DNS and I have no problem understanding that. But I am stuck with
> > reverse DNS. I have created a reverse zone 1.168.192.in-addr.arpa and
> > gave the PTR records to my hosts in the zone file. Is this OK? Can I
> > create a reverse zone for the entire 192.168.1.0/27?
> 
> 	You can configure whatever you want on your server, but you'll
> only be authoritative for the zones that a registrar is pointing at you.
> I can make a DNS server that would answer queries for microsoft.com, set
> it up, and configure my network machines to use it.  They'll use it and
> it will tell them whatever I tell it to about microsoft.com.
> 
> 	However, if Sue across town surfs to microsoft.com, she will be
> directed by her DNS server to the authoritative nameserver for
> microsoft.com, which isn't me.

OK, so my ISP needs to delegate the zone 192.168.1.32/27 to me. From
what I understand they need to put an NS record in their
1.168.192.in-addr.arpa file pointing 32 to my DNS server.

> 	Likewise, you can set up your DNS server to answer for the
> reverse zone, even if you're not authoritative for it.  But nobody
> except machines using your DNS server will take that information as
> good unless the zone has been properly delegated to you.  From the
> sounds of it, your ISP would have no idea how to swip your block to
> you.  You may just be out of luck, or have to yell at your ISP a lot
> until they do the right thing and set up DNS servers.

> 	Are there any other more clueful ISPs in your area?  No DNS is
> going to break a good number of things and cause you a lot of grief.

Yeah, I know, ISPs are lame here in India, pretty clueless guys, and I
think they hire their technical staff from zoos :D. I remember asking
my previous ISP's technical staff about a problem with dialup and he asked
me to check the TCP/IP settings <chuckles>. I never asked anything again
and changed my ISP to a less clueless one.

> > Below is named.conf for BIND 9.1.3.
> > 
> > //named.conf
> > 
> > options {
> >     directory "/var/named";
> >     listen-on { 192.168.1.33; };
> >     allow-recursion {192.168.1.32/27;};
> > };
> 
> 	There are other security options you may want to investigate
> if you're running bind.  Limit zone transfers to your secondary DNS
> servers, run bind as a non-root user, chroot the service, things like
> that.  http://rr.sans.org/DNS/sec_BIND.php is a good place to start, and
> feel free to throw questions out to the list.

Yes, I need to do that still, but until now I have been using that only
for internal use. I may use djbdns; it's very simple to manage. But it
makes snort's portscan plugin go haywire because it opens many unprivileged
ports to communicate with other DNS servers. I was surprised to see 2000
portscan alerts in just a few minutes.

cheers
dushyanth

P.S: I will find out whether my ISP has DNS servers and ask them to delegate
the zone to me.
-- 
In a world full of people only some want to fly, Isn't that crazy
                                                        - Seal
Dushyanth Harinath
http://www.archeanit.com
http://symonds.net/~dushy
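Worked example (added here, not part of the thread or the poster's config): a /27 is smaller than a /24, so the ISP cannot simply delegate "32" in 1.168.192.in-addr.arpa with one NS record. The usual mechanism is RFC 2317 classless delegation: the ISP creates a sub-zone such as 32-63.1.168.192.in-addr.arpa, delegates that sub-zone with NS records to the customer's servers, and adds one CNAME per address in the parent zone pointing into the sub-zone; the customer then serves the PTRs inside the sub-zone. The script below generates both sides' records and models how a resolver outside the customer's network walks the CNAME into the delegated zone, including the case the thread is about: the customer's own zone exists but the ISP never delegated, so nobody else ever sees it. Name-server and host names (ns1.customer.example, mail.customer.example) are assumptions.

```python
"""RFC 2317 classless in-addr.arpa delegation for 192.168.1.32/27.

Added example for this thread, not the poster's configuration.
Host and name-server names below are assumptions.
"""
import ipaddress


def reverse_name(ip):
    """'192.168.1.33' -> '33.1.168.192.in-addr.arpa.' (absolute owner name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def classless_subzone(network):
    """Name of the RFC 2317 sub-zone for a block smaller than a /24.

    192.168.1.32/27 -> '32-63.1.168.192.in-addr.arpa.'
    RFC 2317 also allows the '32/27' label; the dash form avoids '/' in names.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        # A /24 or larger is delegated normally, one NS set per octet zone.
        raise ValueError("classless delegation is for IPv4 blocks longer than /24")
    parent = reverse_name(str(net.network_address)).split(".", 1)[1]
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    return f"{first}-{last}.{parent}"


def isp_delegation_records(network, customer_ns):
    """Records the ISP adds to its parent zone (1.168.192.in-addr.arpa.):
    an NS set delegating the sub-zone plus one CNAME per address."""
    net = ipaddress.ip_network(network, strict=True)
    sub = classless_subzone(network)
    records = {sub: [("NS", ns) for ns in customer_ns]}
    for ip in net:
        records[reverse_name(str(ip))] = [("CNAME", f"{int(ip) & 0xFF}.{sub}")]
    return records


def customer_zone(network, hosts):
    """Records the customer serves in the delegated sub-zone. hosts: {ip: fqdn}."""
    net = ipaddress.ip_network(network, strict=True)
    sub = classless_subzone(network)
    zone = {}
    for ip, fqdn in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is not inside {network}")
        zone[f"{int(addr) & 0xFF}.{sub}"] = [("PTR", fqdn)]
    return zone


def lookup_ptr(ip, parent_zone, delegated_zones):
    """Model of a resolver outside the customer's network.

    parent_zone is what the ISP serves; delegated_zones ({subzone: records})
    are only reachable through an NS record in parent_zone. Whatever the
    customer serves for 1.168.192.in-addr.arpa itself is never consulted.
    """
    rrset = parent_zone.get(reverse_name(ip))
    if not rrset:
        return None
    rtype, target = rrset[0]
    if rtype == "PTR":
        return target
    if rtype != "CNAME":
        return None
    sub = target.split(".", 1)[1]          # sub-zone = target minus first label
    if parent_zone.get(sub, [("", "")])[0][0] != "NS":
        return None                        # ISP never delegated the sub-zone
    rr = delegated_zones.get(sub, {}).get(target)
    return rr[0][1] if rr and rr[0][0] == "PTR" else None


def zone_file(records):
    """Render a records dict in zone-file syntax."""
    return "\n".join(f"{owner}\tIN\t{t}\t{v}" for owner, rrs in records.items() for t, v in rrs)


if __name__ == "__main__":
    block, ns = "192.168.1.32/27", ["ns1.customer.example."]
    isp = isp_delegation_records(block, ns)
    cust = customer_zone(block, {"192.168.1.33": "ns1.customer.example.",
                                 "192.168.1.34": "mail.customer.example."})
    print("; ISP side (1.168.192.in-addr.arpa)\n" + zone_file(isp))
    print("\n; Customer side (" + classless_subzone(block) + ")\n" + zone_file(cust))
    print("\nPTR for 192.168.1.34:", lookup_ptr("192.168.1.34", isp, {classless_subzone(block): cust}))
    print("Same query, ISP not delegating:", lookup_ptr("192.168.1.34", {}, {classless_subzone(block): cust}))
```

The second lookup is the situation in the thread: the customer zone is populated but the ISP's parent zone has neither the CNAMEs nor the NS set, so the query returns nothing. Once the ISP publishes the records from `isp_delegation_records`, the customer's BIND serves the sub-zone (and should restrict `allow-transfer` on it to its secondaries, as raven suggests).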

 



More information about the Techtalk mailing list