LinuxQuestions.org
Old 06-15-2007, 06:38 AM   #1
slybob
Member
 
Registered: Aug 2006
Location: Brighton - UK
Distribution: Ubuntu 6.06
Posts: 34

Rep: Reputation: 15
bind9 on debian not providing reverse lookups to remote machines.


I can do recursive lookups, so port 53 has to be open.

Code:
andrew@andrew-laptop:~$ dig www.google.co.uk @ns.moognu.co.uk

; <<>> DiG 9.3.2 <<>> www.google.co.uk @ns.moognu.co.uk
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17903
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.co.uk.              IN      A

;; ANSWER SECTION:
www.google.co.uk.       297888  IN      CNAME   www.google.com.
www.google.com.         557088  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       66.102.9.99
www.l.google.com.       300     IN      A       66.102.9.104
www.l.google.com.       300     IN      A       66.102.9.147

;; AUTHORITY SECTION:
l.google.com.           38688   IN      NS      d.l.google.com.
l.google.com.           38688   IN      NS      e.l.google.com.
l.google.com.           38688   IN      NS      f.l.google.com.
l.google.com.           38688   IN      NS      g.l.google.com.
l.google.com.           38688   IN      NS      a.l.google.com.
l.google.com.           38688   IN      NS      b.l.google.com.
l.google.com.           38688   IN      NS      c.l.google.com.

;; Query time: 172 msec
;; SERVER: 89.106.176.158#53(89.106.176.158)
;; WHEN: Fri Jun 15 09:10:44 2007
;; MSG SIZE  rcvd: 242
But not reverse lookups for a zone that the server is master for (if that makes sense):

Code:
andrew@andrew-laptop:~$ dig -x 89.106.176.158 @ns.moognu.co.uk

; <<>> DiG 9.3.2 <<>> -x 89.106.176.158 @ns.moognu.co.uk
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
But I can do reverse lookups if I'm on the local network?!

Code:
debian:~# dig -x 89.106.176.157 @192.168.101.200

; <<>> DiG 9.3.4 <<>> -x 89.106.176.157 @192.168.101.200
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58934
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;157.176.106.89.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
157.176.106.89.in-addr.arpa. 259200 IN  PTR     mail.moonet.co.uk.

;; AUTHORITY SECTION:
176.106.89.in-addr.arpa. 259200 IN      NS      ns.moognu.co.uk.

;; ADDITIONAL SECTION:
ns.moognu.co.uk.        259200  IN      A       89.106.176.158

;; Query time: 2 msec
;; SERVER: 192.168.101.200#53(192.168.101.200)
;; WHEN: Fri Jun 15 09:16:55 2007
;; MSG SIZE  rcvd: 116
So why can I do master reverse lookups on the local network but not remotely? Any ideas?

Cheers,

Andy
 
Old 06-15-2007, 04:03 PM   #2
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,099

Rep: Reputation: 47
You are not authoritative for that IP. Reverse addresses screw many people up. BIND ships in most distros with it prepared to give reverse answers, but the vast majority of public sites don't get to do their own reverse mappings. You can map a private network in reverse as you are authoritative for it, but just because you are given a public IP address doesn't make you authoritative for it. You generally need a full class C of public addresses (256 total addresses) before you can do reverse mappings for the public internet.

It works when you query on the LAN because you are the first DNS queried from the LAN. If you told your DNS server you're authoritative for google.co.uk (which you aren't), it would answer, although nobody outside of your LAN would ask you for google.co.uk addresses.

Here is who actually is responsible for the IP address in question -

Code:
jim@jimsworktop:~$ whois 89.106.176.158
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '89.106.176.0 - 89.106.183.255'

inetnum:        89.106.176.0 - 89.106.183.255
netname:        UK-ILAND-20060405
descr:          iland Internet Solutions Inc.
country:        GB
org:            ORG-iISI1-RIPE
admin-c:        HRR25-RIPE
tech-c:         NOC91-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-HRR25-RIPE
mnt-routes:     MNT-HRR25-RIPE
mnt-domains:    MNT-HRR25-RIPE
source:         RIPE # Filtered

organisation:   ORG-iISI1-RIPE
org-name:       iland Internet Solutions Inc.
org-type:       LIR
address:        7 PRIMROSE HILL
address:        CM1 2RQ
address:        CHELMSFORD, ESSEX
address:        United Kingdom
phone:          +442070960149
fax-no:         +17138682268
admin-c:        HRR25-RIPE
admin-c:        BU161-RIPE
admin-c:        NOC91-RIPE
mnt-ref:        MNT-HRR25-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:           Network Operations
address:        7 PRIMROSE HILL  CHELMSFORD ESSEX  CM1 2RQ UNITED KINGDOM
abuse-mailbox:  abuse@iland.com
admin-c:        HRR25-RIPE
tech-c:         HRR25-RIPE
nic-hdl:        NOC91-RIPE
source:         RIPE # Filtered

person:         Hermes Rubio
address:        7 PRIMROSE HILL  CHELMSFORD ESSEX  CM1 2RQ UNITED KINGDOM
abuse-mailbox:  abuse@iland.com
phone:          +442070960149
nic-hdl:        HRR25-RIPE
source:         RIPE # Filtered
So those guys control all the reverse mappings for the addresses 89.106.176.0 - 89.106.183.255. You'd have to have them create the PTR for you, or authorize your server to answer authoritatively in reverse mappings for your IPs. I can promise you they won't do that. They have 8 class C addresses, and unless you had one of them in full, they won't forward PTR requests to you.

Peace,
JimBass
 
Old 06-15-2007, 06:52 PM   #3
slybob
Member
 
Registered: Aug 2006
Location: Brighton - UK
Distribution: Ubuntu 6.06
Posts: 34

Original Poster
Rep: Reputation: 15
oh ye of little faith

Read up on RFC 2317 - Classless IN-ADDR.ARPA delegation http://www.faqs.org/rfcs/rfc2317.html

Sure I could let them do it but where's the fun in that!?

I'm having some weird UDP errors which are sending everything to cock and I don't think iland (my hosts) have delegated properly. They haven't sorted out the CNAME record. I still don't quite understand what's going on, should get to grips tomorrow. Below you can see the trace for both the IPs I'm trying to set up reverse for. ns.moognu.co.uk is me.

I need more dig lessons.

Sure it will all work out in the ttl

Andy

Code:
andrew@andrew-laptop:~$ dig -x 89.106.176.158 @dns1.iland.com +trace +tcp

; <<>> DiG 9.3.2 <<>> -x 89.106.176.158 @dns1.iland.com +trace +tcp
; (1 server found)
;; global options:  printcmd
.                       76423   IN      NS      L.ROOT-SERVERS.NET.
.                       76423   IN      NS      M.ROOT-SERVERS.NET.
.                       76423   IN      NS      A.ROOT-SERVERS.NET.
.                       76423   IN      NS      B.ROOT-SERVERS.NET.
.                       76423   IN      NS      C.ROOT-SERVERS.NET.
.                       76423   IN      NS      D.ROOT-SERVERS.NET.
.                       76423   IN      NS      E.ROOT-SERVERS.NET.
.                       76423   IN      NS      F.ROOT-SERVERS.NET.
.                       76423   IN      NS      G.ROOT-SERVERS.NET.
.                       76423   IN      NS      H.ROOT-SERVERS.NET.
.                       76423   IN      NS      I.ROOT-SERVERS.NET.
.                       76423   IN      NS      J.ROOT-SERVERS.NET.
.                       76423   IN      NS      K.ROOT-SERVERS.NET.
;; Received 436 bytes from 65.57.248.5#53(65.57.248.5) in 142 ms

89.in-addr.arpa.        86400   IN      NS      ns.lacnic.net.
89.in-addr.arpa.        86400   IN      NS      sec1.apnic.net.
89.in-addr.arpa.        86400   IN      NS      sec3.apnic.net.
89.in-addr.arpa.        86400   IN      NS      sunic.sunet.se.
89.in-addr.arpa.        86400   IN      NS      ns-pri.ripe.net.
89.in-addr.arpa.        86400   IN      NS      tinnie.arin.net.
;; Received 196 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 5894 ms

176.106.89.in-addr.arpa. 172800 IN      NS      dns3.iland.com.
176.106.89.in-addr.arpa. 172800 IN      NS      dns2.iland.com.
176.106.89.in-addr.arpa. 172800 IN      NS      dns1.iland.com.
;; Received 111 bytes from 200.160.0.7#53(ns.lacnic.net) in 244 ms

158.176.106.89.in-addr.arpa. 3600 IN    NS      ns.moognu.co.uk.
;; Received 74 bytes from 64.154.20.10#53(dns3.iland.com) in 152 ms

158.176.106.89.in-addr.arpa. 259200 IN  PTR     ns.moognu.co.uk.
176.106.89.in-addr.arpa. 259200 IN      NS      ns.moognu.co.uk.
;; Received 104 bytes from 89.106.176.158#53(ns.moognu.co.uk) in 20 ms

andrew@andrew-laptop:~$ dig -x 89.106.176.157 @dns1.iland.com +trace +tcp

; <<>> DiG 9.3.2 <<>> -x 89.106.176.157 @dns1.iland.com +trace +tcp
; (1 server found)
;; global options:  printcmd
.                       76391   IN      NS      E.ROOT-SERVERS.NET.
.                       76391   IN      NS      F.ROOT-SERVERS.NET.
.                       76391   IN      NS      G.ROOT-SERVERS.NET.
.                       76391   IN      NS      H.ROOT-SERVERS.NET.
.                       76391   IN      NS      I.ROOT-SERVERS.NET.
.                       76391   IN      NS      J.ROOT-SERVERS.NET.
.                       76391   IN      NS      K.ROOT-SERVERS.NET.
.                       76391   IN      NS      L.ROOT-SERVERS.NET.
.                       76391   IN      NS      M.ROOT-SERVERS.NET.
.                       76391   IN      NS      A.ROOT-SERVERS.NET.
.                       76391   IN      NS      B.ROOT-SERVERS.NET.
.                       76391   IN      NS      C.ROOT-SERVERS.NET.
.                       76391   IN      NS      D.ROOT-SERVERS.NET.
;; Received 436 bytes from 65.57.248.5#53(65.57.248.5) in 1341 ms

89.in-addr.arpa.        86400   IN      NS      TINNIE.ARIN.NET.
89.in-addr.arpa.        86400   IN      NS      SEC1.APNIC.NET.
89.in-addr.arpa.        86400   IN      NS      SUNIC.SUNET.SE.
89.in-addr.arpa.        86400   IN      NS      NS.LACNIC.NET.
89.in-addr.arpa.        86400   IN      NS      SEC3.APNIC.NET.
89.in-addr.arpa.        86400   IN      NS      NS-PRI.RIPE.NET.
;; Received 196 bytes from 192.203.230.10#53(E.ROOT-SERVERS.NET) in 162 ms

176.106.89.in-addr.arpa. 172800 IN      NS      dns1.iland.com.
176.106.89.in-addr.arpa. 172800 IN      NS      dns3.iland.com.
176.106.89.in-addr.arpa. 172800 IN      NS      dns2.iland.com.
;; Received 111 bytes from 199.43.0.53#53(TINNIE.ARIN.NET) in 99 ms

157.176.106.89.in-addr.arpa. 3600 IN    NS      ns.moognu.co.uk.
;; Received 74 bytes from 64.154.20.10#53(dns3.iland.com) in 150 ms

157.176.106.89.in-addr.arpa. 259200 IN  PTR     mail.moonet.co.uk.
176.106.89.in-addr.arpa. 259200 IN      NS      ns.moognu.co.uk.
;; Received 116 bytes from 89.106.176.158#53(ns.moognu.co.uk) in 20 ms
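
Added example (not part of the thread and not written by either poster): a small Python parser for `dig +trace` output that compares the zone cut the parent delegates with the zone apex the delegated server claims in its own NS record. The input is the last three hops of the first trace above, one NS line per hop; the function names `parse_hops` and `check_delegation` are made up for this example.

```python
import re

# Last three hops of the first trace in post #3 (root hop omitted, one NS per hop).
TRACE = """\
89.in-addr.arpa.        86400   IN      NS      ns-pri.ripe.net.
;; Received 196 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 5894 ms

176.106.89.in-addr.arpa. 172800 IN      NS      dns1.iland.com.
;; Received 111 bytes from 200.160.0.7#53(ns.lacnic.net) in 244 ms

158.176.106.89.in-addr.arpa. 3600 IN    NS      ns.moognu.co.uk.
;; Received 74 bytes from 64.154.20.10#53(dns3.iland.com) in 152 ms

158.176.106.89.in-addr.arpa. 259200 IN  PTR     ns.moognu.co.uk.
176.106.89.in-addr.arpa. 259200 IN      NS      ns.moognu.co.uk.
;; Received 104 bytes from 89.106.176.158#53(ns.moognu.co.uk) in 20 ms
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
SOURCE = re.compile(r"^;; Received \d+ bytes from \S+#53\((\S+)\)")

def parse_hops(text):
    """Split dig +trace output into (answering_server, [(owner, type, rdata)]) hops."""
    hops, records = [], []
    for line in text.splitlines():
        rec = RECORD.match(line.strip())
        if rec:
            records.append((rec.group(1).lower(), rec.group(3), rec.group(4).lower()))
            continue
        src = SOURCE.match(line)
        if src:  # a ";; Received" line closes the current hop
            hops.append((src.group(1).lower(), records))
            records = []
    return hops

def check_delegation(hops):
    """Compare the name the parent delegates with the apex the child claims."""
    _, parent_recs = hops[-2]
    child, child_recs = hops[-1]
    # Owner names the parent hands to the server that answered the final hop.
    cut = {o for o, t, r in parent_recs if t == "NS" and r.rstrip(".") == child}
    # Owner names the child itself attaches NS records to (its view of the apex).
    apex = {o for o, t, r in child_recs if t == "NS"}
    ptr = {o: r for o, t, r in child_recs if t == "PTR"}
    has_cname = any(t == "CNAME" for _, recs in hops for (_o, t, _r) in recs)
    return {"cut": cut, "claimed_apex": apex, "ptr": ptr,
            "style": "cname" if has_cname else "ns-per-address",
            "apex_matches_cut": apex <= cut}
```

On this trace the parent delegates only `158.176.106.89.in-addr.arpa.` while the answering server publishes its NS record at `176.106.89.in-addr.arpa.`, the /24 that the trace shows delegated to the iland servers, and no CNAME appears anywhere in the chain.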