[Techtalk] Reverse DNS confusion

Dushyanth Harinath dushy at symonds.net
Fri May 24 10:52:18 EST 2002


Hi,

 * On 22nd May 2002 01:00:38 PM <raven at oneeyedcrow.net> wrote :
> Heya --
> 
> Quoth Dushyanth Harinath (Wed, May 22, 2002 at 11:07:06AM +0530):
> > Ok, So my ISP needs to delegate the zone 192.168.1.32/27 to me. From
> > what I understand they need to put a NS record in their
> > 1.168.192.in-addr.arpa file pointing 32 to my DNS server.
> 
[...]
 
> 	So basically, there are two things they can do.  They can set
> their nameserver to delegate authority for the zone of your IP space to
> your DNS server, or they can set their server to give the responses you
> want when it's queried about those IP addresses.  But either way, they
> need a DNS server.

Ok, my ISP is in the process of setting up their DNS. So I guess I would
have to wait for some time.

> 	If you want to avoid this whole hassle, you can petition your
> local registry to allocate an IP block directly to you.  (APNIC for you,
> if you're in India.  http://www.apnic.net/)  Then you own your own IP
> block, and you have the authority for the reverse DNS coming directly to
> you.  However, there are drawbacks to this approach too.  1) You have to
> pay APNIC for the use of those IPs.  2) You have to go through their
> procedure to demonstrate a need for those IPs.  3) You have to convince
> your local ISP to route that IP block for you.

This is a long shot, and we don't need that many IPs either. We have 6 IPs and
that's enough for us. And the best way is to ask my ISP to put the reverse
records in their DNS.

[...]  
> > Yeah, I know, ISPs are lame here in India, pretty clueless guys and i
> > think they hire their technical staff from zoos :D. 
> 
> 	Well, hey, on the plus side there's got to be a job market for
> good techs there.  [grin]

Should be, but not good. The management are more clueless than the less
clueless tech guys in some situations :)

> > Yes, I need to do that still, but until now i have been using that only
> > for internal use. I may use djbdns , Its very simple to manage. But it
> > makes snort's portscan plugin go haywire cos it opens many unprivileged 
> > ports to communicate with other DNS servers. I was surprised to see 2000
> > portscan alerts just in a few minutes of time.
> 
> 	The other thing that's strange about djbdns is if you need it to
> interoperate with BIND in any way.  I ran a setup for a while where we
> had a djbdns secondary slaved to a BIND primary -- it took some tweaking
> to get that working properly.  DJB seems to assume that his users know
> how to script around any difficulty that they may encounter getting the
> services to run as they'd like.  If you do everything the djb way
> (svscan, his tcp toolkit, etc.) it will work, but trying to make it work
> any other way than exactly how he thinks it should be run is...
> challenging at times.

Yes, DJB's stuff is a bit hard to set up the first time, but once set up
and understood, it rocks. I have been using qmail for a long time and
the only thing that's stopping me from using djbdns in my network is
snort.

cheers
dushyanth
-- 
You have an unusual magnetic personality.  Don't walk too close to
metal objects which are not fastened down.

Dushyanth Harinath
http://www.archeanit.com
http://symonds.net/~dushy
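For the delegation discussed at the top of the thread (192.168.1.32/27 carved out of the ISP's 1.168.192.in-addr.arpa zone), here is an added Python example, not code from this thread or its authors, that builds the record sets both sides need under the classless in-addr.arpa convention of RFC 2317; it generalises to any IPv4 block between /25 and /30. The nameserver name and the owner domain used for PTR targets are constructed placeholders.

```python
import ipaddress


def rfc2317_delegation(block, ns_hosts, owner_domain="customer.example"):
    """Build the records for a classless in-addr.arpa delegation (RFC 2317).

    block        - sub-/24 IPv4 prefix, e.g. "192.168.1.32/27"
    ns_hosts     - hostnames of the customer's authoritative servers (placeholders)
    owner_domain - placeholder domain used for the generated PTR targets

    Returns (parent_zone, parent_records, child_zone, child_records): the ISP
    adds parent_records to its /24 reverse zone, the customer serves child_zone.
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 30:
        raise ValueError("classless delegation is for IPv4 blocks smaller than a /24")
    o1, o2, o3, first = net.network_address.packed  # four octets as ints
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa"
    # RFC 2317 suggests "<first>/<prefixlen>" as the child label; any label the
    # parent and child agree on works, since the CNAMEs below carry the mapping.
    child_label = f"{first}/{net.prefixlen}"
    child_zone = f"{child_label}.{parent_zone}"

    # Parent side: delegate the child zone, then alias every address into it.
    parent_records = [f"{child_label}\tIN NS\t{ns}." for ns in ns_hosts]
    for addr in net:
        last = addr.packed[3]
        parent_records.append(f"{last}\tIN CNAME\t{last}.{child_zone}.")

    # Child side: the customer's zone answers the CNAME targets with PTRs.
    child_records = [f"@\tIN NS\t{ns}." for ns in ns_hosts]
    for addr in net:
        last = addr.packed[3]
        child_records.append(f"{last}\tIN PTR\thost-{last}.{owner_domain}.")
    return parent_zone, parent_records, child_zone, child_records


def ptr_name(address):
    """Name a resolver queries for the reverse lookup of one IPv4 address."""
    return ipaddress.ip_address(address).reverse_pointer


if __name__ == "__main__":
    pz, pr, cz, cr = rfc2317_delegation("192.168.1.32/27", ["ns1.customer.example"])
    print(f"; records for the ISP's {pz} zone")
    print("\n".join(pr))
    print(f"\n; records for the customer's {cz} zone (SOA omitted)")
    print("\n".join(cr))
```

Without the per-address CNAMEs, an NS record at label 32 would delegate only the single name 32.1.168.192.in-addr.arpa, not the 32 addresses of the /27.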
