Old 12-14-2015, 02:06 PM   #1
noob__
Reverse dns of a dmz host


To set up reverse DNS for a DMZ host, must it be the public IP or the local IP?
 
Old 12-15-2015, 07:58 AM   #2
MensaWater
As the name implies it should be the "reverse" of your "forward" lookup.

If someone does "dig yourhost.example.com" and it resolves to an external IP, then any reverse you'd make should be for that same external (public) IP. If on the other hand it resolves to an internal (local) IP, then the reverse should be for that IP.

Often for a DMZ host you have at least 2 IPs - the one you reach it by internally and the one you reach it by externally. This could be two different NICs on the server itself. You might have another device (load balancer, firewall) that is setting up yet another IP provided by your internet provider and doing address translation to your server's external NIC's IP. If that were the case your external reverse should be pointing to that internet IP rather than the server's external NIC's IP.

e.g.
10.12.7.1 Internal NIC IP > DMZ SERVER < 10.14.7.1 External NIC IP < 204.15.9.14 NATed Internet IP

In above for internal users you'd make the reverse point to 10.12.7.1. For external users you'd make the reverse point to 204.15.9.14. Often for DMZ hosts you are doing both.

Note that for reverse zones, just like forward zones, you have to be authoritative for the IP range for reverse lookups to go to you. For internal networks you can make yourself authoritative, but for external you usually have to get your internet provider to delegate the IP to your DNS servers, much as you have to have domain Registrars point to your DNS servers for forward lookups. Usually this requires you to send them something asking them to do it for you because, unlike Registrars, they don't have a place for you to log in and do it yourself. (Rather than delegating, if you only have 1 IP you might get them to add the reverse to their own DNS setup.)
 
1 members found this post helpful.
Old 12-15-2015, 11:21 PM   #3
noob__
Thank you very much for your answer.

Is it possible for the reversed IP to point to a domain which the DMZ does not own yet?
 
Old 12-16-2015, 07:40 AM   #4
MensaWater
Yes.

You can point any entry you are authoritative for to other entries for which you are not authoritative. You can create a CNAME from www.mydomain.com to www.google.com if you wanted to but you'd never be able to change where www.google.com itself points. You can create a PTR (reverse) to point your IP to www.google.com but that won't change the IP of www.google.com on forward lookups.

Reverse records are in general not "required" but are there to help others determine what an IP is pointing to so are a good idea for troubleshooting by others who might need to contact you. Some mail servers/services refuse to accept mail from domains that don't have reverse records and some go as far as refusing if they deem it a "generic" reverse rather than one that tells it a specific forward record that can be resolved. If you create no reverse yourself you'll usually see a "generic" from the internet provider that simply tells people they own a range of IPs.
 
1 members found this post helpful.
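A worked check of the points made in both replies above (the reverse record must mirror the forward record for whichever view, internal or external, a client sees; a PTR may name any domain, but only a forward-confirmed one satisfies picky mail servers): this is an added Python example, not code from the thread. The IPs are the ones in post #2; the hostname, the placeholder ISP name and the "generic PTR" heuristic are my own constructions.

```python
import ipaddress

# Constructed split-horizon data mirroring the thread's example: the DMZ host
# is reached internally at 10.12.7.1 and externally via the NATed 204.15.9.14.
# HOST is a placeholder name, not a real machine.
HOST = "dmzhost.example.com"
VIEWS = {
    "internal": {"A": {HOST: {"10.12.7.1"}},
                 "PTR": {"10.12.7.1": HOST}},
    # External view where no PTR of our own exists yet, so the ISP's
    # "generic" reverse (constructed placeholder) is all that answers.
    "external": {"A": {HOST: {"204.15.9.14"}},
                 "PTR": {"204.15.9.14": "204-15-9-14.static.isp-placeholder.net"}},
}

def reverse_name(ip: str) -> str:
    """Owner name a PTR query for `ip` is sent to (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def looks_generic(ptr: str, ip: str) -> bool:
    """Heuristic (my assumption, not a standard): a PTR that merely embeds the
    address octets is the kind of provider-owned 'generic' reverse that some
    mail services reject."""
    octets = ip.split(".")
    number_runs = "".join(c if c.isdigit() else " " for c in ptr).split()
    return all(o in number_runs for o in octets)

def fcrdns(ip: str, view: dict) -> str:
    """Forward-confirmed reverse DNS for one view: PTR -> name -> A must
    contain `ip`. Returns one of no-ptr / generic / mismatch / confirmed."""
    ptr = view["PTR"].get(ip)
    if ptr is None:
        return "no-ptr"
    if looks_generic(ptr, ip):
        return "generic"
    # A PTR may legally point at a name you do not control (post #4); it only
    # "confirms" if that name's forward lookup comes back to the same IP.
    if ip in view["A"].get(ptr, set()):
        return "confirmed"
    return "mismatch"

if __name__ == "__main__":
    for name, view in VIEWS.items():
        for ip in ("10.12.7.1", "204.15.9.14"):
            print(f"{name:8} {ip:12} {reverse_name(ip):28} {fcrdns(ip, view)}")
```

Running it shows the internal view confirmed, the external view answering only with the provider's generic name, and each IP absent from the other view's reverse zone, which is the "doing both" situation post #2 describes.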
All times are GMT -5. The time now is 08:38 PM.