[Techtalk] Reverse DNS confusion

Raven, corporate courtesan raven at oneeyedcrow.net
Wed May 22 13:00:38 EST 2002


Heya --

Quoth Dushyanth Harinath (Wed, May 22, 2002 at 11:07:06AM +0530):
> Ok, So my ISP needs to delegate the zone 192.168.1.32/27 to me. From
> what I understand they need to put a NS record in their
> 1.168.192.in-addr.arpa file pointing 32 to my DNS server.

	How it generally works for ISPs in North America -- usually they
won't delegate the zone for your reverse DNS to you, since they want to
keep control of their IP blocks.  If you're a mid-size to large business
customer that gets a /26 or so allocated all to you, you might stand a
chance of getting them to delegate to you.  But if you only have one or
two IP addresses, usually the ISP will just update them in their zone
files at your request, to whatever you want them set to.

	If your ISP doesn't have their own DNS server, I don't know how
they would handle this.

	They are unlikely to delegate the whole /27 to you if they have
any clue what they're doing.  They won't want you to be the
authoritative answer for the reverse DNS of their other customers out of
that same /27.  Breaking up that /27 into smaller blocks will be
annoying to manage for them.  If I were your ISP, I'd go for the "set it
to whatever the customer wants, but maintain control of the reverse DNS
for that block" approach.

	So basically, there are two things they can do.  They can set
their nameserver to delegate authority for the zone of your IP space to
your DNS server, or they can set their server to give the responses you
want when it's queried about those IP addresses.  But either way, they
need a DNS server.

	If you want to avoid this whole hassle, you can petition your
local registry to allocate an IP block directly to you.  (APNIC for you,
if you're in India.  http://www.apnic.net/)  Then you own your own IP
block, and you have the authority for the reverse DNS coming directly to
you.  However, there are drawbacks to this approach too.  1) You have to
pay APNIC for the use of those IPs.  2) You have to go through their
procedure to demonstrate a need for those IPs.  3) You have to convince
your local ISP to route that IP block for you.

	Often, registries won't want to allocate a block to you unless
you're multihomed (connected to more than one ISP, and speaking BGP to
both).  Doesn't sound like that's the case for you, but I thought I
would mention it for completeness' sake.
 
> Yeah, I know, ISPs are lame here in India, pretty clueless guys and I
> think they hire their technical staff from zoos :D.

	Well, hey, on the plus side there's got to be a job market for
good techs there.  [grin]

> Yes, I need to do that still, but until now I have been using that only
> for internal use. I may use djbdns. It's very simple to manage. But it
> makes snort's portscan plugin go haywire cos it opens many unprivileged
> ports to communicate with other DNS servers. I was surprised to see 2000
> portscan alerts just in a few minutes of time.

	The other thing that's strange about djbdns is if you need it to
interoperate with BIND in any way.  I ran a setup for a while where we
had a djbdns secondary slaved to a BIND primary -- it took some tweaking
to get that working properly.  DJB seems to assume that his users know
how to script around any difficulty that they may encounter getting the
services to run as they'd like.  If you do everything the djb way
(svscan, his tcp toolkit, etc.) it will work, but trying to make it work
any other way than exactly how he thinks it should be run is...
challenging at times.

	I keep meaning to write up some tech docs on Bind/djbdns
translation and compatibility.  In my Copious Spare Time.

Cheers,
Raven
 
"The Eye is mean. The Eye is red.
 He rules nine Riders. They are dead."
  -- Gandalf, from "Green Eggs and Lembas", 
     http://www.tolkienonline.com/docs/4511.html
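As an added illustration of the "two things they can do" paragraph above (this is example code, not from the original thread or from either poster): the script below generates the zone-file lines each side would need for a /27 such as 192.168.1.32/27. It goes one step beyond the thread in one respect: a block smaller than a /24 cannot be handed off with a single NS record for "32", because in-addr.arpa labels are octets; the standard way is RFC 2317 classless delegation, where the ISP creates an artificial child zone (here labelled `32/27`) with an NS record and points each address at it with a CNAME, and the customer's server answers the PTRs under that label. Option 2, the ISP keeping the zone and adding PTRs on request, is also generated. The nameserver `ns1.example.net.` and the hostnames are constructed sample values.

```python
import ipaddress


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address (no trailing dot):
    192.168.1.35 -> '35.1.168.192.in-addr.arpa'."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def _fqdn(name):
    """Right-hand sides in a zone file must be fully qualified; without the
    trailing dot the zone's $ORIGIN is silently appended, a classic PTR bug."""
    if not name.endswith("."):
        raise ValueError(f"{name!r} must end with '.' (fully qualified)")
    return name


def _parent_zone(net):
    """Reverse zone of the enclosing /24: 192.168.1.32/27 -> '1.168.192.in-addr.arpa'."""
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def _block_label(net, label):
    """RFC 2317 child-zone label, e.g. '32/27' for 192.168.1.32/27."""
    first = int(net.network_address) & 0xFF
    return first, (label or f"{first}/{net.prefixlen}")


def delegation_records(cidr, child_ns, label=None):
    """Option 1, ISP side: classless (RFC 2317) delegation of a sub-/24 block.
    One NS record for the artificial child zone, plus a CNAME per address
    pointing into it. Returns zone-file lines for the ISP's /24 reverse zone."""
    net = ipaddress.IPv4Network(cidr)
    if net.prefixlen <= 24:
        raise ValueError("blocks of /24 or larger are delegated with a plain NS record")
    parent = _parent_zone(net)
    first, label = _block_label(net, label)
    lines = [f"{label}.{parent}.\tIN\tNS\t{_fqdn(child_ns)}"]
    for host in range(first, first + net.num_addresses):
        lines.append(f"{host}.{parent}.\tIN\tCNAME\t{host}.{label}.{parent}.")
    return lines


def child_zone_records(cidr, ptr_map, label=None):
    """Option 1, customer side: the PTR records the customer's nameserver
    serves for the delegated child zone. ptr_map maps IP -> FQDN."""
    net = ipaddress.IPv4Network(cidr)
    parent = _parent_zone(net)
    _, label = _block_label(net, label)
    lines = []
    for ip, fqdn in sorted(ptr_map.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        lines.append(f"{int(addr) & 0xFF}.{label}.{parent}.\tIN\tPTR\t{_fqdn(fqdn)}")
    return lines


def isp_hosted_ptr_records(ptr_map):
    """Option 2: the ISP keeps the whole reverse zone and adds the PTRs the
    customer asks for. Returns zone-file lines for the ISP's /24 reverse zone."""
    return [f"{reverse_name(ip)}.\tIN\tPTR\t{_fqdn(fqdn)}"
            for ip, fqdn in sorted(ptr_map.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))]


if __name__ == "__main__":
    # Constructed sample: the /27 from the thread and two hypothetical hosts in it.
    block = "192.168.1.32/27"
    hosts = {"192.168.1.35": "mail.example.net.", "192.168.1.33": "www.example.net."}
    print("; ISP /24 zone, option 1 (delegate the /27):")
    print("\n".join(delegation_records(block, "ns1.example.net.")))
    print("; customer's child zone, option 1:")
    print("\n".join(child_zone_records(block, hosts)))
    print("; ISP /24 zone, option 2 (ISP hosts the PTRs):")
    print("\n".join(isp_hosted_ptr_records(hosts)))
```

Either way the ISP's own server has to carry the records, which is the point of the paragraph. The `_fqdn` check is there because a missing trailing dot on a PTR target is the most common reason a "correct" reverse zone answers with `mail.example.net.1.168.192.in-addr.arpa`.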
