LinuxQuestions.org
Old 05-14-2018, 03:03 AM   #1
bestard
LQ Newbie
 
Registered: Oct 2015
Posts: 8

Bind DNS reverse lookup not working well.


We have a network domain 172.26.80.0/21,
and I'm trying to build my test DNS server under the same domain.
My thought is that I will create my DNS zone, and if a query cannot be found in my zone, then it forwards to the upper-level DNS for lookup.

I have four test VMs under my domain, and the upper DNS has no records.
HOSTNAME IP
------------------------
mastest 172.26.80.149
slvtest 172.26.80.151
client1 172.26.80.150
client2 172.26.80.152


I used dig to test my DNS; I can query a host inside or outside my zone without problems.
Code:
[root@slvtest user1]# dig client2.mydomain.com   --> in my zone

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> client2.mydomain.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38964
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;client2.mydomain.com.          IN      A

;; ANSWER SECTION:
client2.mydomain.com.   600     IN      A       172.26.80.152

;; AUTHORITY SECTION:
mydomain.com.           600     IN      NS      ws.mydomain.com.

;; ADDITIONAL SECTION:
ws.mydomain.com.        600     IN      A       172.26.80.149

;; Query time: 0 msec
;; SERVER: 172.26.80.149#53(172.26.80.149)
;; WHEN: Mon May 14 15:50:48 2018
;; MSG SIZE  rcvd: 87

[root@slvtest user1]# dig cms8.wsdmn.com --> in upper DNS

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> cms8.wsdmn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21926
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 11

;; QUESTION SECTION:
;cms8.wsdmn.com.              IN      A

;; ANSWER SECTION:
cms8.wsdmn.com.       776     IN      A       172.26.80.208

;; AUTHORITY SECTION:
.                       81461   IN      NS      d.root-servers.net.
.                       81461   IN      NS      i.root-servers.net.
.                       81461   IN      NS      c.root-servers.net.
.                       81461   IN      NS      j.root-servers.net.

;; Query time: 0 msec
;; SERVER: 172.26.80.149#53(172.26.80.149)
;; WHEN: Mon May 14 15:51:06 2018
;; MSG SIZE  rcvd: 437
But when I tried a reverse lookup, I couldn't query hosts in the upper DNS; however, it worked well for hosts in my zone.
Code:
[root@slvtest user1]# dig -x 172.26.80.152  --> in my zone

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 172.26.80.152
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48188
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;152.80.26.172.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
152.80.26.172.in-addr.arpa. 600 IN      PTR     client2.mydomain.com.

;; AUTHORITY SECTION:
80.26.172.in-addr.arpa. 600     IN      NS      ws.mydomain.com.

;; ADDITIONAL SECTION:
ws.mydomain.com.        600     IN      A       172.26.80.149

[root@slvtest user1]# dig -x 172.26.80.208  --> in upper dns

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> -x 172.26.80.208
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15728
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;208.80.26.172.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
80.26.172.in-addr.arpa. 600     IN      SOA     ws.mydomain.com. admin.mydomain.com. 20180510 86400 3600 604800 10800

;; Query time: 0 msec
;; SERVER: 172.26.80.149#53(172.26.80.149)
;; WHEN: Mon May 14 15:58:34 2018
;; MSG SIZE  rcvd: 101
I tried adding the DNS server to the dig command, and it worked.
Code:
[root@slvtest user1]# dig @172.26.85.3 -x 172.26.80.208

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @172.26.85.3 -x 172.26.80.208
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47084
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;208.80.26.172.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
208.80.26.172.in-addr.arpa. 3600 IN     PTR     cms8.wsdmn.com.

;; Query time: 2 msec
;; SERVER: 172.26.85.3#53(172.26.85.3)
;; WHEN: Mon May 14 16:11:12 2018
;; MSG SIZE  rcvd: 74
Is there something I missed? Please help. Thanks.

Bind version: 9.8.2
DNS Server OS: RHEL 6.5

/etc/named.conf
Code:
options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        recursion yes;
        forwarders {
          172.26.85.3;
          172.26.85.2;
        };
        allow-transfer { none; };

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "mydomain.com" IN {
        type master;
        file "named.mydomain.com";
};

zone "80.26.172.in-addr.arpa" IN {
        type master;
        file "named.172.26.80";
};
zone file: named.mydomain.com
Code:
$TTL 600
@       IN SOA  ws.mydomain.com. admin.mydomain.com. (
                                        20180510        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@               IN NS   ws.mydomain.com.
ws.mydomain.com.        IN A    172.26.80.149

;Forwarding
mydns.mydomain.com.     IN A    172.26.80.149
wsdns.mydomain.com.     IN CNAME        mydns.mydomain.com.
mastest                 IN CNAME        mydns.mydomain.com.

;clients in my domain
slvtest                 IN A    172.26.80.151
client1                 IN A    172.26.80.150
client2.mydomain.com.   IN A    172.26.80.152
zone file: named.172.26.80
Code:
$TTL 600
@       IN SOA  ws.mydomain.com. admin.mydomain.com. (
                                        20180510        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@               IN NS   ws.mydomain.com.
149             IN PTR  ws.mydomain.com.

;Reversing
149             IN PTR  mydns.mydomain.com.
150             IN PTR  client1.mydomain.com.
151             IN PTR  slvtest.mydomain.com.
152             IN PTR  client2.mydomain.com.

Last edited by bestard; 05-14-2018 at 05:53 AM. Reason: modify contents
 
Old 05-14-2018, 04:36 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Hi,

Your dns works as expected.
Since it's authoritative for the whole 80.26.172.in-addr.arpa zone, it looks into its zonefile for the 172.26.80.208 PTR record and because it cannot find it, it gives a NXDOMAIN answer.
It isn't going to ask an upstream dns if it's authoritative for a zone.

Regards
 
1 members found this post helpful.
Old 05-14-2018, 05:51 AM   #3
bestard
LQ Newbie
 
Registered: Oct 2015
Posts: 8

Original Poster
Quote:
Originally Posted by bathory
Hi,

Your dns works as expected.
Since it's authoritative for the whole 80.26.172.in-addr.arpa zone, it looks into its zonefile for the 172.26.80.208 PTR record and because it cannot find it, it gives a NXDOMAIN answer.
It isn't going to ask an upstream dns if it's authoritative for a zone.

Regards

Hi bathory,

Thanks for your response.
You mean the question is that they are in the same network domain, so there is no way to look up an upstream dns
if it's authoritative for a zone when I do a reverse query, am I right?

I was expecting it could go asking the other dns when the 172.26.80.208 PTR record can't be found in my zone.
Is it possible to do that?

Thanks.
 
Old 05-14-2018, 07:37 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Quote:
Originally Posted by bestard
Hi bathory,

Thanks for your response.
You mean the question is that they are in the same network domain, so there is no way to look up an upstream dns
if it's authoritative for a zone when I do a reverse query, am I right?

I was expecting it could go asking the other dns when the 172.26.80.208 PTR record can't be found in my zone.
Is it possible to do that?

Thanks.
Your dns is authoritative for the 80.26.172.in-addr.arpa zone, meaning that it's the only one that can resolve hosts in that zone.
So if it cannot find an answer (i.e. no PTR record), it will answer authoritatively with an NXDOMAIN and will not bother any further to find an answer.
 
1 members found this post helpful.
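To make bathory's point concrete, here is an added Python model of the decision (not code from the thread or from BIND): it derives the in-addr.arpa name that dig -x asks for, finds the longest served zone enclosing it, and only forwards when no served zone applies. The zone records and forwarder list are constructed from the thread's values; note that 172.26.85.3, though inside the /21, is outside the served /24 reverse zone and so would be forwarded.

```python
import ipaddress

# Constructed records mirroring the thread: the test server serves the forward
# zone mydomain.com and the reverse zone 80.26.172.in-addr.arpa (one /24), while
# the rest of 172.26.80.0/21 is only known to the upstream forwarders.
AUTHORITATIVE_ZONES = {
    "mydomain.com.": {"client2.mydomain.com.": ("A", "172.26.80.152")},
    "80.26.172.in-addr.arpa.": {
        "152.80.26.172.in-addr.arpa.": ("PTR", "client2.mydomain.com."),
    },
}
FORWARDERS = ["172.26.85.3", "172.26.85.2"]


def reverse_name(ip):
    """Owner name that `dig -x` asks for, e.g. 208.80.26.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def enclosing_zone(qname):
    """Longest served zone whose apex is a suffix of qname, or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in AUTHORITATIVE_ZONES:
            return candidate
    return None


def resolve(qname):
    """Decide how the server answers, mimicking BIND's handling of served zones.

    Returns ('authoritative', rdata) for a hit in a served zone,
    ('nxdomain', zone) when the name sits inside a served zone but has no
    record (the server answers with AA set and never consults a forwarder),
    and ('forward', forwarder) only when no served zone encloses the name.
    """
    zone = enclosing_zone(qname)
    if zone is None:
        return ("forward", FORWARDERS[0])
    record = AUTHORITATIVE_ZONES[zone].get(qname)
    if record is None:
        return ("nxdomain", zone)
    return ("authoritative", record[1])


if __name__ == "__main__":
    for q in ("client2.mydomain.com.", "cms8.wsdmn.com.",
              reverse_name("172.26.80.152"), reverse_name("172.26.80.208"),
              reverse_name("172.26.85.3")):
        print(q, "->", resolve(q))
```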
Old 05-14-2018, 08:37 PM   #5
bestard
LQ Newbie
 
Registered: Oct 2015
Posts: 8

Original Poster
Quote:
Originally Posted by bathory
Your dns is authoritative for the 80.26.172.in-addr.arpa zone, meaning that it's the only one that can resolve hosts in that zone.
So if it cannot find an answer (i.e. no PTR record), it will answer authoritatively with an NXDOMAIN and will not bother any further to find an answer.
Thanks.
As you said, I did some tests and confirmed the root cause is that my hosts are in the same network domain as the upstream dns.
It's no issue to do a straight dns lookup, but when a reverse dns lookup is asked, the 80.26.172.in-addr.arpa zone gives the
authoritative answer and there is no way to go to the upstream dns to find an answer.

If I changed my zone file to be outside 172.26.80.0/21, the reverse dns lookup worked well, going to the upstream dns to find answers.

I'll mark this post solved. Thank you.

Regards,
 
Tags
bind9, dns, forwarding, lookup, reverse