While "normal" (forward) DNS resolution walks by name from the root servers down to the server authoritative for the name we are looking for, reverse DNS resolution works within a special top-level domain, in-addr.arpa. Within this domain, sub-domains are built from the octets of the IP address in reverse order. If your block of IP addresses ends on an octet boundary (/8, /16 or /24), the setup is relatively simple. Otherwise your upstream provider (the one that holds the larger IP address block) has to delegate to you address by address, typically with one CNAME per address pointing into a zone you run, as described in RFC 2317 (classless in-addr.arpa delegation).
Let us bring this down to concrete values. Suppose that our public IP address space is 192.0.2.0/24 and that our mail server has the public IP address 192.0.2.2. A reverse query for it is sent for the name 2.2.0.192.in-addr.arpa with the query type set to PTR, i.e. we are looking for the name 2 within the 2.0.192.in-addr.arpa zone.
So, it's relatively easy to set up reverse DNS. You need to define one reverse zone per network, named after the network part of your IP addresses. In our case we have two networks, but the addresses of one of them (the DMZ) depend on who's asking: clients on the local network see its private addresses, clients on the Internet see its public ones. So, we have three zones in effect:
- The DMZ, when asked by local clients, is in the network 10.0.0.0/24. This means we have the reverse zone 0.0.10.in-addr.arpa for local clients.
- The DMZ, when asked by Internet clients, is in the network 192.0.2.0/24. This means that for them the reverse zone is 2.0.192.in-addr.arpa.
- Finally, clients in the local (non-DMZ) network have IP addresses from the block 172.16.1.0/24 and so they are placed within the reverse zone 1.16.172.in-addr.arpa.
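To make the derivation above concrete, here is an added example (mine, not code from the original post) that computes the in-addr.arpa name for an address and the reverse zone(s) for an IPv4 block, including the RFC 2317 range-zone convention for blocks that do not end on an octet boundary, and renders a /24 reverse zone in the layout this post uses. It goes a little beyond the text: an unaligned short prefix such as a /22 is split into one zone per /24. The addresses and names are the post's own values; the 192.0.2.32/27 block and the nameserver argument are constructed inputs.

```python
"""Added example: reverse-DNS names, zone names and a /24 PTR zone renderer."""
import ipaddress
from typing import Dict, List


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for one address, e.g. 2.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zones(cidr: str) -> List[str]:
    """Reverse zone(s) you would serve for an IPv4 block.

    /8, /16 and /24 blocks map to one zone named after the network octets.
    A shorter, unaligned prefix (e.g. /22) is served as one zone per /24 in it.
    A prefix longer than /24 cannot be a plain in-addr.arpa zone; the RFC 2317
    convention is a zone named after the address range (32-63.2.0.192.in-addr.arpa)
    into which the upstream points one CNAME per address.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("IPv4 only; IPv6 reverse zones live under ip6.arpa")
    prefix = net.prefixlen
    if prefix == 0:
        raise ValueError("a /0 has no reverse zone of its own")
    octets = str(net.network_address).split(".")
    if prefix > 24:
        last = str(net.broadcast_address).split(".")[3]
        parent = ".".join(reversed(octets[:3]))
        return [f"{octets[3]}-{last}.{parent}.in-addr.arpa"]
    aligned = ((prefix + 7) // 8) * 8  # round up to 8, 16 or 24
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        kept = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(kept)) + ".in-addr.arpa")
    return zones


def classless_delegation(cidr: str, ns: str) -> List[str]:
    """Records the holder of the enclosing /24 adds for an RFC 2317 delegation:
    an NS for the range zone plus one CNAME per address pointing into it."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("classless delegation applies to IPv4 blocks from /25 to /31")
    range_zone = reverse_zones(cidr)[0]
    parent_zone = reverse_zones(str(net.supernet(new_prefix=24)))[0]
    records = [f"{range_zone}. IN NS {ns}"]
    for addr in net:  # every address of the block, network and broadcast included
        host = str(addr).split(".")[3]
        records.append(f"{host}.{parent_zone}. IN CNAME {host}.{range_zone}.")
    return records


def ptr_zone_file(cidr: str, ns: str, contact: str, serial: int,
                  hosts: Dict[str, str]) -> str:
    """Render a /24 reverse zone in the layout used in this post.

    PTR targets must be fully qualified (trailing dot). Without it BIND appends
    the zone name and the record ends up as ns1.example-domain.com.0.0.10.in-addr.arpa.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this renderer handles the /24 zones used in the post")
    lines = [
        "$TTL 1D",
        f"@ IN SOA {ns} {contact} (",
        f"        {serial} ; serial",
        "        1D ; refresh",
        "        1H ; retry",
        "        1W ; expire",
        "        3H ) ; minimum",
        f"        NS {ns}",
    ]
    for ip, target in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {cidr} and does not belong in this zone")
        if not target.endswith("."):
            raise ValueError(f"PTR target {target!r} must end with a dot")
        lines.append(f"{str(addr).split('.')[3]} PTR {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The three zones from the post: DMZ seen locally, DMZ seen from the Internet, LAN.
    for block in ("10.0.0.0/24", "192.0.2.0/24", "172.16.1.0/24"):
        print(block, "->", reverse_zones(block))
    print(ptr_name("192.0.2.2"))
    print(ptr_zone_file("10.0.0.0/24", "ns1.example-domain.com.",
                        "root.example-domain.com.", 2012062601,
                        {"10.0.0.1": "ns1.example-domain.com."}))
    # Constructed /27 to show what the upstream would have to add for us.
    for rec in classless_delegation("192.0.2.32/27", "ns1.example-domain.com.")[:3]:
        print(rec)
```

Running it prints the three zone names from the list above, the PTR owner name for the mail server, a zone file equivalent to the first one below, and the start of the CNAME set an upstream would publish for a /27.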
Within the local view you should add the following zone statements:
zone "0.0.10.in-addr.arpa" {
        type master;
        file "example-domain.com.local.rev";
};
zone "1.16.172.in-addr.arpa" {
        type master;
        file "example-domain.local.rev";
};
And within the internet view you should add the following zone statement:
zone "2.0.192.in-addr.arpa" {
        type master;
        file "example-domain.com.rev";
};
Then, you should create the three zone files (example-domain.com.local.rev, example-domain.local.rev, and example-domain.com.rev) with the following content:
# cat example-domain.com.local.rev
$TTL 1D
@       IN SOA  ns1.example-domain.com. root.example-domain.com. (
                2012062601 ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
        NS      ns1.example-domain.com.
; PTR targets end with a dot; otherwise BIND appends the zone name to them
1       PTR     ns1.example-domain.com.
# cat example-domain.local.rev
$TTL 1D
@       IN SOA  ns1.example-domain.com. root.example-domain.com. (
                2012062601 ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
        NS      ns1.example-domain.com.
1       PTR     test.example-domain.local.
# cat example-domain.com.rev
$TTL 1D
@       IN SOA  ns1.example-domain.com. root.example-domain.com. (
                2012062601 ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
        NS      ns1.example-domain.com.
1       PTR     ns1.example-domain.com.
Don't forget to change permissions on those files as explained in the previous post. Now, restart BIND and test the server:
# nslookup ns1.example-domain.com 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ns1.example-domain.com
Address: 10.0.0.1

# nslookup 10.0.0.1 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

1.0.0.10.in-addr.arpa   name = ns1.example-domain.com.
As can be seen, the DNS server correctly handles the request for IP address 10.0.0.1 and returns ns1.example-domain.com. Let's try with a name from the LAN:
# nslookup test.example-domain.local 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   test.example-domain.local
Address: 172.16.1.1

# nslookup 172.16.1.1 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

1.1.16.172.in-addr.arpa name = test.example-domain.local.
That one is correct too. So, that's it, you have reverse DNS correctly configured. Testing from the outside I'm leaving to you as an exercise. ;)