Solved

Reverse DNS

Posted on 2006-10-23
11
357 Views
Last Modified: 2013-12-23
When I go to places like www.dnsstuff.com and do a reverse lookup on my mail relay it will work sometimes and a lot of times it will give timeouts trying to reach it. This is causing me problems sending emails to some ISPs because they do reverse lookups for your host name and it does not work half the time. I am using a Sunfire v210 with Solaris 10 as my outside DNS server with a PIX 535 firewall.
0
Comment
Question by:mslibrarycommission
11 Comments
 
LVL 40

Expert Comment

by:noci
ID: 17792171
dig is your friend.

try to find out where it fails.

dig -x <yourip>

should tell you the whole story, if not try it up one higher in the tree.
dig -x just means your address 1.2.3.4 is transformed
to:  4.3.2.1.in-addr.arpa.
ask for 4.3.2.1.in-addr.arpa, then 3.2.1.in-addr.arpa
check ns servers (-t ns) for the same and see where it all goes wrong.
0
 
LVL 1

Author Comment

by:mslibrarycommission
ID: 17796135
Here are the results from that; it worked the first time and failed the next two times.



C:\dig>dig -x 216.79.153.204

; <<>> DiG 9.3.2 <<>> -x 216.79.153.204
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;204.153.79.216.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
204.153.79.216.in-addr.arpa. 38400 IN   PTR     mail.mlc.lib.ms.us.

;; Query time: 234 msec
;; SERVER: 205.152.37.23#53(205.152.37.23)
;; WHEN: Tue Oct 24 09:22:26 2006
;; MSG SIZE  rcvd: 77


C:\dig>dig -x 216.79.153.204

; <<>> DiG 9.3.2 <<>> -x 216.79.153.204
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;204.153.79.216.in-addr.arpa.   IN      PTR

;; Query time: 187 msec
;; SERVER: 205.152.37.23#53(205.152.37.23)
;; WHEN: Tue Oct 24 09:22:43 2006
;; MSG SIZE  rcvd: 45


C:\dig>dig -x 216.79.153.204

; <<>> DiG 9.3.2 <<>> -x 216.79.153.204
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 85
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;204.153.79.216.in-addr.arpa.   IN      PTR

;; Query time: 187 msec
;; SERVER: 205.152.37.23#53(205.152.37.23)
;; WHEN: Tue Oct 24 09:22:53 2006
;; MSG SIZE  rcvd: 45


C:\dig>
0
 
LVL 40

Expert Comment

by:noci
ID: 17796433
SERVFAIL indicates an error on the nameserver (205.152.37.23),
not a timeout problem.
You need to inspect its logfiles to see what the error actually is.

I do get back some config errors:

The soa record in:
dig -t ns -x 216.79.153.204

returns:
153.79.216.in-addr.arpa. 10574  IN      SOA     mercury. smason.mlc.lib.ms.us. 2005101304 10800 3600 604800 38400

This should have been:
153.79.216.in-addr.arpa. 10574  IN      SOA     mercury.mlc.lib.ms.us. smason.mlc.lib.ms.us. 2005101304 10800 3600 604800 38400

I guess there are some configuration problems in the nameserver
as it is not authoritative... (no NS records for its own domains).
Authority has not been set up correctly (NS record within the domains)...
The authority is delegated to:
ns1.msstate.edu.                   (returns SERVFAIL)
sun1.its.state.ms.us.              (returns REFUSED)
mercury.mlc.lib.ms.us.             (cannot resolve the hostname:
                                    mercury.mlc.lib.ms.us)

Look into the logfiles of the name servers involved  
and smason on that domain (mlc.lib.ms.us) should be able to correct things
or that mail address is not configured correctly either.
0
 
LVL 40

Expert Comment

by:noci
ID: 17796480
BTW, commands used were:

dig -t ns mail.mlc.lib.ms.us @205.152.37.23
dig -t ns lib.ms.us @205.152.37.23
dig -x 216.79.153.204 @ns1.msstate.edu.
dig -x 216.79.153.204 @sun1.its.state.ms.us.
dig -x 216.79.153.204 @mercury.mlc.lib.ms.us

The 205.152.37.23, btw, is dns.asm.bellsouth.net.
and probably asks one of the above three for the reverse address and
either gets an error return or another failure and occasionally
a normal answer...
0
 
LVL 1

Author Comment

by:mslibrarycommission
ID: 17797186
I made the change to host file 216.79.153.rev on mercury.mlc.lib.ms.us. You should now be getting back  153.79.216.in-addr.arpa. 10574  IN      SOA     mercury.mlc.lib.ms.us.

What do you see wrong now? I'm responsible for just mercury. Thanks!
0
 
LVL 40

Expert Comment

by:noci
ID: 17798031
Even the forward lookup of mercury.mlc.lib.ms.us fails....

Anybody asking for a name needing "authoritative" to be checked ends up with an
unresolvable NS record.

Before fixing reverse lookup, do the forwards first.

dig  mercury.mlc.lib.ms.us +trace

; <<>> DiG 9.3.2 <<>> mercury.mlc.lib.ms.us +trace
;; global options:  printcmd
.                       18759   IN      NS      i.root-servers.net.
.                       18759   IN      NS      j.root-servers.net.
.                       18759   IN      NS      k.root-servers.net.
.                       18759   IN      NS      l.root-servers.net.
.                       18759   IN      NS      m.root-servers.net.
.                       18759   IN      NS      a.root-servers.net.
.                       18759   IN      NS      b.root-servers.net.
.                       18759   IN      NS      c.root-servers.net.
.                       18759   IN      NS      d.root-servers.net.
.                       18759   IN      NS      e.root-servers.net.
.                       18759   IN      NS      f.root-servers.net.
.                       18759   IN      NS      g.root-servers.net.
.                       18759   IN      NS      h.root-servers.net.
;; Received 436 bytes from 192.168.6.1#53(192.168.6.1) in 4 ms

us.                     172800  IN      NS      A.GTLD.BIZ.
us.                     172800  IN      NS      B.GTLD.BIZ.
us.                     172800  IN      NS      C.GTLD.BIZ.
;; Received 143 bytes from 192.36.148.17#53(i.root-servers.net) in 28 ms

lib.ms.us.              900     IN      NS      mercury.mlc.lib.ms.us.
lib.ms.us.              900     IN      NS      SUN1.ITS.STATE.ms.us.
;; Received 114 bytes from 209.173.53.162#53(A.GTLD.BIZ) in 102 ms

dig: couldn't get address for 'mercury.mlc.lib.ms.us': not found


And there it goes wrong...
For lib.ms.us two name servers are appointed:
- mercury.mlc.lib.ms.us
- sun1.its.state.ms.us

And no address for mercury.mlc.lib.ms.us can be resolved.

0
 
LVL 40

Expert Comment

by:noci
ID: 17798170
dig  mail.mlc.lib.ms.us @ns1.msstate.edu. +trace

; <<>> DiG 9.3.2 <<>> mail.mlc.lib.ms.us @ns1.msstate.edu. +trace
; (1 server found)
;; global options:  printcmd
.                       358555  IN      NS      K.ROOT-SERVERS.NET.
.                       358555  IN      NS      L.ROOT-SERVERS.NET.
.                       358555  IN      NS      M.ROOT-SERVERS.NET.
.                       358555  IN      NS      A.ROOT-SERVERS.NET.
.                       358555  IN      NS      B.ROOT-SERVERS.NET.
.                       358555  IN      NS      C.ROOT-SERVERS.NET.
.                       358555  IN      NS      D.ROOT-SERVERS.NET.
.                       358555  IN      NS      E.ROOT-SERVERS.NET.
.                       358555  IN      NS      F.ROOT-SERVERS.NET.
.                       358555  IN      NS      G.ROOT-SERVERS.NET.
.                       358555  IN      NS      H.ROOT-SERVERS.NET.
.                       358555  IN      NS      I.ROOT-SERVERS.NET.
.                       358555  IN      NS      J.ROOT-SERVERS.NET.
;; Received 436 bytes from 130.18.80.12#53(130.18.80.12) in 183 ms

us.                     172800  IN      NS      a.gtld.biz.
us.                     172800  IN      NS      b.gtld.biz.
us.                     172800  IN      NS      c.gtld.biz.
;; Received 140 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 14 ms

lib.ms.us.              900     IN      NS      SUN1.ITS.STATE.ms.us.
lib.ms.us.              900     IN      NS      MERCURY.mlc.lib.ms.us.
;; Received 119 bytes from 209.173.53.162#53(a.gtld.biz) in 102 ms

mail.mlc.lib.ms.us.     38400   IN      A       216.79.153.204
lib.ms.us.              38400   IN      NS      ns1.msstate.edu.
lib.ms.us.              38400   IN      NS      sun1.its.state.ms.us.
lib.ms.us.              38400   IN      NS      mercury.mlc.lib.ms.us.
;; Received 148 bytes from 192.42.4.39#53(SUN1.ITS.STATE.ms.us) in 139 ms
--------------------------------------------------

Or spot the difference in these (all authoritative for your domain):


-------------------------------------------
dig  mail.mlc.lib.ms.us @ns1.msstate.edu.

; <<>> DiG 9.3.2 <<>> mail.mlc.lib.ms.us @ns1.msstate.edu.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30586
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.mlc.lib.ms.us.            IN      A

;; ANSWER SECTION:
mail.mlc.lib.ms.us.     38237   IN      A       216.79.153.204

;; AUTHORITY SECTION:
lib.ms.us.              36376   IN      NS      ns1.msstate.edu.
lib.ms.us.              36376   IN      NS      sun1.its.state.ms.us.
lib.ms.us.              36376   IN      NS      mercury.mlc.lib.ms.us.

;; ADDITIONAL SECTION:
ns1.msstate.edu.        7200    IN      A       130.18.80.12
sun1.its.state.ms.us.   86400   IN      A       192.42.4.39

;; Query time: 158 msec
;; SERVER: 130.18.80.12#53(130.18.80.12)
;; WHEN: Tue Oct 24 20:31:33 2006
;; MSG SIZE  rcvd: 164
------------------
dig  mail.mlc.lib.ms.us @MERCURY.mlc.lib.ms.us.
dig: couldn't get address for 'MERCURY.mlc.lib.ms.us.': not found
-------------------
dig  mail.mlc.lib.ms.us @SUN1.ITS.STATE.ms.us.

; <<>> DiG 9.3.2 <<>> mail.mlc.lib.ms.us @SUN1.ITS.STATE.ms.us.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43385
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.mlc.lib.ms.us.            IN      A

;; ANSWER SECTION:
mail.mlc.lib.ms.us.     38400   IN      A       216.79.153.204

;; AUTHORITY SECTION:
lib.ms.us.              38400   IN      NS      sun1.its.state.ms.us.
lib.ms.us.              38400   IN      NS      mercury.mlc.lib.ms.us.
lib.ms.us.              38400   IN      NS      ns1.msstate.edu.

;; ADDITIONAL SECTION:
sun1.its.state.ms.us.   86400   IN      A       192.42.4.39
--------------------------

Upper/lowercase is no issue in DNS;
missing forward resolutions don't work.

After that, reverse lookups sometimes don't work.

BTW, if a host has more than one name, use CNAMEs for all but the one that should
fit the PTR; the PTR has an A associated and vice versa.


0
 
LVL 1

Author Comment

by:mslibrarycommission
ID: 17798322
I don't understand, I have both these entries in the host and reverse lookup files:

54.153.79.216.in-addr.arpa.    IN      PTR     mercury.mlc.lib.ms.us.

mercury.mlc.lib.ms.us   IN        A       216.79.153.254
0
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 17798871
The IP address isn't exposed to the outside somehow.
But the A record is not visible on the outside.

The dig +trace above shows that the name servers
more upstream don't know about this one.

So it's not an immediate fault on YOUR DNS but the one that
services lib.ms.us: there is an NS record, but no A record at that DNS
that points to you, so how should an outside node be able to find your DNS?

There are three NS records that are kept for a short while somewhere upstream
that needs them for resolution; depending on the server you ask you will either get
an answer or not. (That's the case if mercury is mentioned as the first NS record.)



0
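Added example, not code from the thread or from either participant: an offline Python script that does the bookkeeping noci describes, building the in-addr.arpa name and the parent names to walk up when `dig -x` fails, and auditing zone records for the three faults found here (an unqualified SOA MNAME, an in-zone NS target with no A record, and a PTR whose target has no A record or one that points at a different address). The zone data at the bottom is constructed to mirror the thread and is not live DNS data.

```python
# Offline checks for the reverse-DNS failure modes discussed in this thread.
# Names and addresses below are copied from the thread into a constructed,
# static record list; nothing here talks to a live name server.
import ipaddress

def reverse_name(ip: str) -> str:
    """Name that dig -x queries: 216.79.153.204 -> 204.153.79.216.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parent_chain(name: str) -> list:
    """Names to try next when the PTR query fails, one label shorter each step."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) - 1)]

def ptr_owner_to_ip(owner: str) -> str:
    """54.153.79.216.in-addr.arpa. -> 216.79.153.54"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:4]))

def audit_zone(records: list) -> list:
    """records: (owner, type, rdata) tuples with absolute names (trailing dot).
    Returns human-readable problems; an empty list means the checks passed."""
    a_by_name = {o: r for o, t, r in records if t == "A"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            mname = rdata.split()[0]
            # Heuristic: a single-label MNAME such as "mercury." was never qualified.
            if len(mname.rstrip(".").split(".")) < 2:
                problems.append(f"SOA MNAME {mname} is not a fully qualified host name")
        elif rtype == "NS" and rdata.endswith("." + owner) and rdata not in a_by_name:
            # An NS target inside its own zone needs an A (glue) record, or resolvers
            # asking the parent get a server name they cannot turn into an address.
            problems.append(f"NS {rdata} for {owner} has no A record")
        elif rtype == "PTR":
            addr = a_by_name.get(rdata)
            if addr is None:
                problems.append(f"PTR {owner} -> {rdata} has no matching A record")
            elif addr != ptr_owner_to_ip(owner):
                problems.append(f"PTR {owner} -> {rdata} but A is {addr}")
    return problems

ZONE = [  # constructed to mirror the thread; the SOA MNAME and missing glue are the bugs
    ("153.79.216.in-addr.arpa.", "SOA",
     "mercury. smason.mlc.lib.ms.us. 2005101304 10800 3600 604800 38400"),
    ("lib.ms.us.", "NS", "mercury.mlc.lib.ms.us."),
    ("lib.ms.us.", "NS", "sun1.its.state.ms.us."),  # out of zone: resolved elsewhere
    ("mail.mlc.lib.ms.us.", "A", "216.79.153.204"),
    ("204.153.79.216.in-addr.arpa.", "PTR", "mail.mlc.lib.ms.us."),
    ("54.153.79.216.in-addr.arpa.", "PTR", "mercury.mlc.lib.ms.us."),
]

if __name__ == "__main__":
    print(reverse_name("216.79.153.204"), parent_chain(reverse_name("216.79.153.204")))
    for problem in audit_zone(ZONE):
        print("PROBLEM:", problem)
```

Running it prints three problems for the constructed zone; a zone whose SOA MNAME is qualified, whose in-zone NS names have A records and whose PTR and A records agree produces none.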
 
LVL 1

Author Comment

by:mslibrarycommission
ID: 17802865
I appreciate your help noci, I have just taken over DNS here a year ago and I'm still learning. Anything else will be appreciated. It looks like I need to get efficient with "DIG".  
0
 
LVL 40

Expert Comment

by:noci
ID: 17802909
And make sure you can test your DNS setup through external connections.
Your view on the inside might not be the same as on the outside.

And yes, dig is your DNS tracing tool.

'man dig' is a good starter. Happy NS'ing!
0
