From owner-freebsd-questions Mon Nov 1 15:32:20 1999 Delivered-To: freebsd-questions@freebsd.org Received: from copland.udel.edu (copland.udel.edu [128.175.13.92]) by hub.freebsd.org (Postfix) with ESMTP id DC78614C81 for ; Mon, 1 Nov 1999 15:32:16 -0800 (PST) (envelope-from papalia@UDel.Edu) Received: from morgaine (host75-157.student.udel.edu [128.175.75.157]) by copland.udel.edu (8.9.3/8.9.3) with SMTP id SAA00894; Mon, 1 Nov 1999 18:32:11 -0500 (EST) Message-Id: <4.1.19991101182721.0094a470@mail.udel.edu> X-Sender: papalia@mail.udel.edu X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 01 Nov 1999 18:32:07 -0500 To: Alec Kloss , freebsd-questions@freebsd.org From: John Subject: Re: Reverse DNS lookup In-Reply-To: <199911011954.NAA05346@D2SI.COM> References: <4.1.19991031213125.009407e0@mail.udel.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG That all makes a bunch more sense now. (it will take some time to understand, but it makes more sense =) ). Looking at the IP's that are giving me trouble, they seem to all fall into the same boat. One last question on the topic... does having users w/o reverse lookups present any security holes, or set up any situations what require additional configuration for services? I'm not sure how to narrow down the question any more than that. Thanks again!!! --John >> >> >> >> merlin# nslookup 63.224.53.3 >> >> Server: copland.udel.edu >> >> Address: 128.175.xx.xx >> >> *** copland.udel.edu can't find 63.224.53.3: Non-existent host/domain >> > >> >That's cause there is no reverse for that IP. It's from a /25 subnet >> >and US West probably doesn't delegate less than a /24 for in-addr.arpa > >Actually, they do, but they're not doing it exactly in line with the >RFC for reasons involving their internal DNS management software. I >had to get a friend of mine who works there to set it up. They use NS >records on each address to point it to your own nameservers. Check >out 63.224.10.1. > >It does appear that 63.224.53.3 is not assigned a reverse. > >> Could you do me a favor and explain all that? I have no idea what /25 >> subnet and in-addr.arpa actually mean :) > >/25 subnet means the first 25 bits of the address correspond to a >network and the last 7 correspond to a particular node on that >network. Once upon a time, it was assumed that addresses less than >127.0.0.0 were /8 (aka. Class A), but this is no longer true. It >appears that Network Solutions divided 63.x.x.x into /12 > >Default Server: localhost.d2si.com >Address: 127.0.0.1 > >> set type=ptr >> 224.63.in-addr.arpa >Server: localhost.d2si.com >Address: 127.0.0.1 > >224.63.in-addr.arpa > origin = ns1.uswest.net > mail addr = hostmaster.uswest.net > serial = 318 > refresh = 28800 (8H) > retry = 7200 (2H) > expire = 604800 (1W) > minimum ttl = 86400 (1D) >> 63.in-addr.arpa >Server: localhost.d2si.com >Address: 127.0.0.1 > >Authoritative answers can be found from: >IN-ADDR.arpa > origin = A.ROOT-SERVERS.NET > mail addr = hostmaster.INTERNIC.NET > serial = 1999110102 > refresh = 1800 (30M) > retry = 900 (15M) > expire = 604800 (1W) > minimum ttl = 86400 (1D) > >The in-addr.arpa DNS domain is used for reverse lookups. The idea is >that reverse lookups should be delegated like forward ones are, in a >hierarchical fashion. So, to find the name for a given address, you >follow a hierarchy like this: >arpa contains in-addr contains 63 contains 224 contains 53 contains 3, >so you construct a DNS query for the name > 3.53.224.63.in-addr.arpa. >Also, note that you are looking for a particular type of record, a PTR >record, so you should tell nslookup that using > set type=ptr > >The problem with the above hierarchical scheme is that authority for >reverse lookups no longer necessarily falls at the dots. So, the >original scheme assumed that every address like 63.224.53.* was >controlled by the same entity. It is becoming increasingly common for >this not to be the case, so USWest is using a NS record to delegate >the responsibility, like this: > >ajk@hamlet ~% nslookup >Default Server: localhost.d2si.com >Address: 127.0.0.1 > >> server ns1.uswest.net >Default Server: ns1.uswest.net >Address: 204.147.80.5 > >> set type=ns >> 1.10.224.63.in-addr.arpa >Server: ns1.uswest.net >Address: 204.147.80.5 > >Non-authoritative answer: >1.10.224.63.in-addr.arpa nameserver = hamlet.d2si.com >1.10.224.63.in-addr.arpa nameserver = othello.d2si.com > >Authoritative answers can be found from: >hamlet.d2si.com internet address = 63.224.10.2 >othello.d2si.com internet address = 63.224.10.1 >> 3.53.224.63.in-addr.arpa >Server: ns1.uswest.net >Address: 204.147.80.5 > >*** ns1.uswest.net can't find 3.53.224.63.in-addr.arpa: Non-existent >host/domain > > >They clearly have not set this up yet for whoever this 63.224.53.3 box >is. > > >> And if that's the case (above) then that might be the problem on all my >> reverse lookups that go bad. In essence all the problems I'm having are >> with people using their desktops at work who ssh into my box. But when I >> try out nslookup on servers from, for example, my old ISP, it works fine >> both ways. > >If you're saying that your old ISPs nameservers can resolve >63.224.53.3, they have probably assumed control of the network >erronously. If I am correct, your school should be able to resolve >63.224.10.1 (it can) but your old ISP will probably NOT be able to >resolve 63.224.10.1. > >Hope this helps clear things up a bit. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message