LinuxQuestions.org


noob__ 12-14-2015 02:06 PM

Reverse dns of a dmz host
 
To set up a reverse DNS of a DMZ host, must it be the public IP or the local IP?

MensaWater 12-15-2015 07:58 AM

As the name implies it should be the "reverse" of your "forward" lookup.

If someone does "dig yourhost.example.com" and it resolves it as an external IP then any reverse you'd make should be for that same external (public) IP. If on the other hand it resolves an internal (local) IP then the reverse should be for that IP.

Often for a DMZ host you have at least 2 IPs - the one you reach it by internally and the one you reach it by externally. This could be two different NICs on the server itself. You might have another device (load balancer, firewall) that is setting up yet another IP provided by your internet provider and doing address translation to your server's external NIC's IP. If that were the case your external reverse should be pointing to that internet IP rather than the server's external NIC's IP.

e.g.
10.12.7.1 Internal NIC IP > DMZ SERVER < 10.14.7.1 External NIC IP < 204.15.9.14 NATed Internet IP

In above for internal users you'd make the reverse point to 10.12.7.1. For external users you'd make the reverse point to 204.15.9.14. Often for DMZ hosts you are doing both.

Note that for reverse zones, just like forward zones, you have to be authoritative for the IP range for reverse lookups to go to you. For internal networks you can make yourself authoritative, but for external you usually have to get your internet provider to delegate the IP to your DNS servers, much as you have to have domain Registrars point to your DNS servers for forward lookups. Usually this requires you to send them something asking them to do it for you because, unlike Registrars, they don't have a place for you to login and do it yourself. (Rather than delegating, if you only have 1 IP you might get them to add the reverse to their own DNS setup.)

noob__ 12-15-2015 11:21 PM

Thank you very much for your answer. :)

Is it possible for the reverse IP to point to a domain which the DMZ does not own yet?

MensaWater 12-16-2015 07:40 AM

Yes.

You can point any entry you are authoritative for to other entries for which you are not authoritative. You can create a CNAME from www.mydomain.com to www.google.com if you wanted to but you'd never be able to change where www.google.com itself points. You can create a PTR (reverse) to point your IP to www.google.com but that won't change the IP of www.google.com on forward lookups.

Reverse records are in general not "required" but are there to help others determine what an IP is pointing to, so they are a good idea for troubleshooting by others who might need to contact you. Some mail servers/services refuse to accept mail from domains that don't have reverse records, and some go as far as refusing if they deem it a "generic" reverse rather than one that tells it a specific forward record that can be resolved. If you create no reverse yourself you'll usually see a "generic" one from the internet provider that simply tells people they own a range of IPs.
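Added example (not from the thread): a small Python script that models the split-horizon setup described above (internal PTR for 10.12.7.1, external PTR for the NATed 204.15.9.14) and runs the forward-confirmed reverse DNS check that mail servers apply, flagging ISP-style "generic" PTRs. The zone data is constructed inline so it runs offline; the hostnames and the neighbouring ISP record are assumptions for illustration.

```python
import ipaddress

# Constructed split-horizon zone data modelling the thread's example.
# Each view maps PTR owner names to hostnames, and hostnames to addresses.
VIEWS = {
    "internal": {
        "ptr": {"1.7.12.10.in-addr.arpa": "dmzhost.example.com"},
        "a": {"dmzhost.example.com": ["10.12.7.1"]},
    },
    "external": {
        "ptr": {
            "14.9.15.204.in-addr.arpa": "dmzhost.example.com",
            # Assumed ISP "generic" PTR for a neighbouring IP with no forward record.
            "15.9.15.204.in-addr.arpa": "204-15-9-15.static.isp.example",
        },
        "a": {"dmzhost.example.com": ["204.15.9.14"]},
    },
}


def ptr_name(ip: str) -> str:
    """Build the in-addr.arpa (or ip6.arpa) owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer


def looks_generic(ip: str, hostname: str) -> bool:
    """Heuristic: ISP generic PTRs usually embed the address in the name."""
    return ip in hostname or ip.replace(".", "-") in hostname


def fcrdns(ip: str, view: str) -> dict:
    """Forward-confirmed reverse DNS: PTR -> hostname -> A must include ip.

    Returns the PTR target (None if missing), whether the forward lookup of
    that target confirms the address, and whether the PTR looks generic.
    """
    data = VIEWS[view]
    host = data["ptr"].get(ptr_name(ip))
    if host is None:
        return {"ptr": None, "confirmed": False, "generic": False}
    confirmed = ip in data["a"].get(host, [])
    return {"ptr": host, "confirmed": confirmed,
            "generic": looks_generic(ip, host)}


if __name__ == "__main__":
    for ip, view in [("10.12.7.1", "internal"), ("204.15.9.14", "external"),
                     ("204.15.9.15", "external"), ("10.14.7.1", "external")]:
        print(view, ip, ptr_name(ip), fcrdns(ip, view))
```

The external NIC address 10.14.7.1 deliberately has no PTR in the external view, matching the advice that the public reverse should name the NATed internet IP rather than the server's own external NIC.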
