Solved

DNS delegation

Posted on 2009-07-15
33
1,525 Views
Last Modified: 2013-11-30
I have a DNS server under ISP1 & I have registered multiple domain names under this ISP.
Now I have a 2nd ISP. I am planning to shift my SMTP traffic to the 2nd ISP. For that I will be making the MX record change to my domains with the ISP 2 IP address.

But I have come to know that if I do it there will be a problem with reverse lookup & delegation needs to be configured with ISP 2.

I would like to know what exactly will happen if I change only the MX record with the ISP 2 IP.
Why should I configure delegation with ISP 2? What exactly is DNS delegation?
0
Question by:SrikantRajeev
33 Comments
 
LVL 12

Expert Comment

by:kevin_u
ID: 24866896
It will all depend on how strict the mail servers that send you mail are going to be.

In many cases, it will work just fine.

Most mail servers simply require that a reverse lookup exists, and matches its forward lookup, which could be different from the mx name.

0
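The check kevin_u describes (reverse lookup exists and matches its own forward lookup, independent of the MX name) is easy to misread, so here is an added example of how a strict receiving mail server applies it. This is not code from the thread; the host names, addresses, and the two lookup tables that stand in for live DNS are constructed for illustration.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

# Constructed lookup tables standing in for live DNS (not real hosts or addresses):
# the A records and PTR records a receiving mail server would see for a sender.
FORWARD: Dict[str, Set[str]] = {
    "mail.example.net.": {"203.0.113.25"},   # the host the SMTP connection comes from
    "mx.example.net.": {"203.0.113.25"},     # the MX name; may differ from the PTR name
    "ghost.example.net.": set(),             # a name with no A record at all
}
REVERSE: Dict[str, str] = {
    "203.0.113.25": "mail.example.net.",     # PTR whose name resolves back to the address
    "198.51.100.8": "ghost.example.net.",    # PTR exists but its name does not resolve back
    # 192.0.2.9 deliberately has no PTR record
}


def ptr_owner(ip: str) -> str:
    """Name a resolver asks for to reverse-map an IPv4 address, e.g. 1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_check(ip: str) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS as a strict receiving MTA applies it to the
    connecting address: (1) a PTR must exist, (2) the name it gives must have an A
    record pointing back at the same address. The MX record plays no part: the PTR
    name only has to match its own forward lookup, not the MX hostname.
    Returns (verdict, ptr_name)."""
    name = REVERSE.get(ip)
    if name is None:
        return "no-ptr", None
    if ip not in FORWARD.get(name, set()):
        return "mismatch", name
    return "ok", name


if __name__ == "__main__":
    for addr in ("203.0.113.25", "198.51.100.8", "192.0.2.9"):
        print(ptr_owner(addr), fcrdns_check(addr))
```

Only the first address passes; the second has a PTR but fails the forward confirmation, and the third has no PTR at all. Which of the failing cases a given mail server rejects is the "how strict" question raised above.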
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24866935
Thank you for your reply. To cater for this, what should I do?
What should I ask ISP2 to do so that there will be no problem with the reverse lookup?
0
 
LVL 12

Expert Comment

by:kevin_u
ID: 24866955
Ask ISP2 to be sure that your assigned ip (static ip) has a valid reverse lookup.
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24866968
Yes, I do have a static IP address.

But to have a valid reverse lookup, what exactly has to be done at ISP2?

The domain is registered with ISP1, which will not change. Only the network is getting changed now.
Please let us know what exactly needs to be done at ISP2 to make the reverse DNS lookup work.
Are there any changes to be done at ISP1 also?
0
 
LVL 12

Expert Comment

by:kevin_u
ID: 24866975
No change is needed for ISP1.

You'll have to talk with ISP2's support department to determine if your static IP has a valid reverse lookup. Various ISPs handle this issue differently. They may have a tool for you to use, or they may require you to configure a DNS server to receive delegated lookups.
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24867002
Thank you.
I felt the same. It means in my DNS server I need to configure delegation.

Could you please explain in detail what exact change I need to make in my DNS for the delegation?
I am not expecting syntax or commands, but to understand what I need to do to make the delegation work.

Sorry, I am new to this.

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24867612

> I felt the same. It means in my dns server i need to configure delegation.

I don't believe that to be the case. A delegation allows you to assign responsibility for a (DNS) sub-domain to a different set of servers.

When you registered your domain (depending on how you did that) you will have given two Name Server IP Addresses to the registrar. Those are used to create a delegation from the Top Level Domain servers (e.g. .com) to those who answer for your own domain. You would only modify the existing delegation or create another delegation if you were:

a. Moving the DNS servers to a new host (moving domain.com elsewhere)
b. Creating a sub-domain (e.g. sub.domain.com) which you wanted to host on different DNS servers

If you're maintaining your current DNS hosting then no changes to DNS, except for the MX record, are necessary.

The Reverse Lookup Zone isn't something you can control; you won't own the IP address range used by your new host.

So, what you need is:

1. To change the MX record, or the A record for your mail server so it reflects the new IP address
2. To request that your new host add a PTR record (Reverse Lookup) for your new IP address pointing back at the name of your mail server

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24876563
I got the information from my 2nd ISP that I need to set up reverse lookup on our side & ISP 2 will do the delegation.

It matches your answer.

Can you guide me how exactly I need to configure my DNS server for the reverse lookup with my new ISP?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24876582

What DNS software are you running?

In general terms you need to:

1. Create a Reverse Lookup Zone
2. Add PTR records for any hosts

That's very brief and vague though, because this also depends on how ISP 2 delegates the zone to you. There are two types of delegation for reverse lookup zones: Classful and Classless.

For Classful delegation you would create a zone like 3.2.1.in-addr.arpa for the network range 1.2.3.x. Classless delegation is used when you don't own the entire classful block (255.255.255.0, 255.255.0.0 or 255.0.0.0) and goes like this:

ISP 2 have:  3.2.1.in-addr.arpa

Individual IP addresses are delegated like this:

4.3.2.1.in-addr.arpa.  IN CNAME  4.1-28.3.2.1.in-addr.arpa.

Then your own server would host this zone "1-28.3.2.1.in-addr.arpa" which would finally contain the PTR record:

4.1-28.3.2.1.in-addr.arpa. IN PTR host.domain.com.

Have they told you what they're going to delegate yet?

Chris
0
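The classful and classless cases above differ only in which names appear on the ISP's side and on yours, so here is an added example that derives both sets of records from a /24 and a delegated range. This is not code from the thread or from BIND; the NS record that delegates the classless zone to the customer's name server, and the hostname and name-server values, are my assumptions for illustration (the CNAME and PTR lines reproduce the shape shown above).

```python
import ipaddress
from typing import Dict, List, Tuple


def parent_reverse_zone(network: str) -> str:
    """Classful reverse zone for a /24, e.g. '1.2.3.0/24' -> '3.2.1.in-addr.arpa'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen != 24:
        raise ValueError("this helper models a /24 parent (255.255.255.0) only")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def require_absolute(name: str) -> str:
    """Zone-file names without a trailing dot get the zone name appended, so insist on it."""
    if not name.endswith("."):
        raise ValueError(f"{name!r} must be fully qualified (end with '.')")
    return name


def classful_records(network: str, hosts: Dict[int, str]) -> Tuple[str, List[str]]:
    """Whole /24 delegated to you: host 3.2.1.in-addr.arpa and put the PTRs straight in it.
    hosts maps last octet -> fully qualified host name."""
    zone = parent_reverse_zone(network)
    ptrs = [f"{o}.{zone}. IN PTR {require_absolute(h)}" for o, h in sorted(hosts.items())]
    return zone, ptrs


def classless_records(network: str, first: int, last: int,
                      name_servers: List[str], hosts: Dict[int, str]) -> Tuple[List[str], str, List[str]]:
    """Classless split of a /24 the ISP keeps (RFC 2317 style). Returns
    (lines the ISP puts in its zone, the zone you host, lines you put in that zone).
    The ISP delegates the range as a child zone '<first>-<last>.<parent>' with an
    NS record (assumed here) and points each address into it with a CNAME."""
    parent = parent_reverse_zone(network)
    customer_zone = f"{first}-{last}.{parent}"
    isp_lines = [f"{customer_zone}. IN NS {require_absolute(ns)}" for ns in name_servers]
    for octet in range(first, last + 1):
        isp_lines.append(f"{octet}.{parent}. IN CNAME {octet}.{customer_zone}.")
    customer_lines = []
    for octet, host in sorted(hosts.items()):
        if not first <= octet <= last:
            raise ValueError(f"{octet} is outside the delegated range {first}-{last}")
        customer_lines.append(f"{octet}.{customer_zone}. IN PTR {require_absolute(host)}")
    return isp_lines, customer_zone, customer_lines


if __name__ == "__main__":
    # Constructed values matching the illustration above: 1.2.3.x, range 1-28, host 1.2.3.4.
    isp, zone, mine = classless_records("1.2.3.0/24", 1, 28, ["ns1.domain.com."], {4: "host.domain.com."})
    print("ISP zone lines:", *isp[:3], "...", sep="\n  ")
    print("You host:", zone)
    print("Your zone lines:", *mine, sep="\n  ")
```

The ISP side carries one CNAME per address in the range plus the delegation; your side carries only the PTRs for hosts you actually have. Note that `require_absolute` refuses a name without the trailing dot, since otherwise the zone name would be appended to it.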
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24876600
I am running BIND. I will check with my ISP regarding how they are going to delegate it & will get back to you.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24876648

Okay. Yell if you need help with the configuration or the zone itself :)

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24901934
Chris - I would like to know the following things.

As I have mentioned, I am installing new DNS servers under ISP2.
Apart from mail there are other services like websites published under ISP1 with their networks.
DNS functionality includes publishing of the A record, MX record, SOA & NS record for our websites.

Take for example I have the following A record -> www.abc.com <--> 1.1.1.1 from ISP1
This is configured on a DNS server which is under ISP1.

While moving to the new DNS server which is under the 2nd ISP's IP network, my A record will remain the same, but the only thing is it will be published under the DNS server which will be under the ISP2 network.
Let me know whether this will work or not?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24902068

Yes it will, that sounds absolutely fine.

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24902075

So in case of only the MX record change I need to do the delegation.

My domain name is registered under ISP1. Can I maintain the same or should I shift the domain registration to my 2nd ISP?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24902091

If ISP2 is taking over DNS for the domain then you just need to reinstate the MX record at ISP2. The MX record can point to any mail server, either at ISP1 or ISP2 (or elsewhere).

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24911025
Hi Chris - Still I have some confusion regarding this.

I am not able to really get the point why I should do the following:

2. To request that your new host add a PTR record (Reverse Lookup) for your new IP address pointing back at the name of your mail server

0

 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24911330
Hi Chris

I got further information regarding this.
My ISP1 DNS server is configured to do the reverse DNS lookup for my mail domains.
But when I tried the same on my DNS server the query request got refused. So it means I need to configure my DNS server to perform the reverse DNS lookup.

My query is: since my DNS server is not configured for the reverse DNS lookup, how was it working fine till now? Will my ISP DNS server be taking care of all the reverse DNS lookups? If so, how?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24912331

Did you ever find out how ISP2 are going to delegate it to you? Or are they going to maintain it themselves?

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24912450
I have escalated to them but not got the feedback. Waiting for it.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24912527

You can see where responsibility lies at the moment with NsLookup.

If your public IP Address was 1.2.3.4 then this query would show you who is responsible:

nslookup -q=ns 3.2.1.in-addr.arpa

If there's no response for that, try:

nslookup -q=ns 2.1.in-addr.arpa

Otherwise, grab Dig (there's a Windows version here: http://members.shaw.ca/nicholas.fong/dig/ ).

Then you can run:

dig 4.3.2.1.in-addr.arpa ptr +trace

Which will show you the full resolution path.

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24912682
I tried the NS lookup on my ISP DNS server & it returned the required lookup.

But when I did the same on my DNS server it replied "Query refused".
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24912709

Does your DNS server allow recursive queries? If it doesn't then it would explain why it's refused. It would also suggest that there's no problem (as such).

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24912738
Mine is not recursive.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24912742

Then Query Refused is understandable, you'll only give answers for zones you host directly.

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24912765

So in this case, if I configure PTR in my DNS server, will it allow reverse lookup?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24912804

Either you must be authoritative for the reverse lookup zone, or you must allow recursive name resolution.

Do note that while you may not be able to use your own DNS server to resolve the address (because it's refusing recursion) any DNS that permits recursion will be able to. If I were to ask for your PTR record I would not need to talk to your own DNS server unless you have authority delegated to you for the (reverse lookup) zone. I would only need your DNS server for forward lookup.

Chris
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24921498
Chris - I have attached the diagram for reference. In the diagram it shows my current mail flow & the proposed mail flow. The mail servers mentioned are managed by us. We also purchased secondary DNS server services from ISP1.
We are now shifting the traffic to ISP2. So my ISP 1 suggested making the reverse DNS lookup on our DNS server, which is currently not configured, & also that ISP2 should be configured for delegation.

Please let me know if this is right.
Mail-flow.GIF
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24922891

I think you're better off thinking of the name resolution paths for arpa.

Let's make up two IP blocks for this, 1.2.x.x (2.1.in-addr.arpa) for ISP1 and 3.2.x.x (3.2.in-addr.arpa) for ISP2. We'll say that 1.2.1.x and 3.2.1.x are the IP blocks you use, for the purposes of illustration. This is the approximate delegation structure:


                  Root DNS Servers (a to m.root-servers.net)
                                   |
                                   |  Delegation of arpa to Regional Internet Registries
                                   |
                  RIR (ARIN, RIPE, APNIC, LACNIC, AfriNIC)
                          /                     \
  Delegation of 1.2.x.x  /                       \  Delegation of 3.2.x.x
                        /                         \
                     ISP 1                       ISP 2
                        \                         /
  Delegation of 1.2.1.x  \                       /  Delegation of 3.2.1.x
                          \                     /
                             Your DNS Server

Clients asking to resolve names from IP Addresses in each of the IP blocks will follow the delegation structure above, which means the only way to get to "3.2.1.x" is via ISP 2.

The piece that's potentially missing at the moment is the delegation from ISP 2 to your DNS server. Either that path must stop at ISP 2 and they give an answer, or a Delegation must be put in place so you can provide the answer.

I hope that makes sense!

Chris
0
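The delegation tree above, together with the earlier point that a non-recursive server answers only for zones it hosts directly, can be exercised with an added simulation (not code from the thread). It models each authoritative server as the zones it hosts, with delegations to child zones and PTR records, then walks the chain from the root the way a recursive resolver would. Server names (root, rir, isp1, isp2, customer), the reverse-zone names written octet-reversed (1.2.1.x is 1.2.1.in-addr.arpa, 3.2.1.x is 1.2.3.in-addr.arpa) and the host name are constructed for illustration; the flag `isp2_delegates` stands for the delegation that is "potentially missing at the moment".

```python
from typing import Dict, List, Optional, Tuple

# One authoritative server = {zone name: {"delegations": {child zone: server name},
#                                          "records": {owner name: PTR target}}}
Servers = Dict[str, Dict[str, dict]]


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def build_servers(isp2_delegates: bool) -> Servers:
    """Constructed delegation tree (illustrative names, not real registries or ISPs).
    1.2.1.x sits under ISP 1 (2.1.in-addr.arpa); 3.2.1.x under ISP 2 (2.3.in-addr.arpa)."""
    isp2_zone: dict = {"delegations": {}, "records": {}}
    if isp2_delegates:
        isp2_zone["delegations"]["1.2.3.in-addr.arpa"] = "customer"
    return {
        "root": {"in-addr.arpa": {"delegations": {"1.in-addr.arpa": "rir", "3.in-addr.arpa": "rir"},
                                  "records": {}}},
        "rir": {
            "1.in-addr.arpa": {"delegations": {"2.1.in-addr.arpa": "isp1"}, "records": {}},
            "3.in-addr.arpa": {"delegations": {"2.3.in-addr.arpa": "isp2"}, "records": {}},
        },
        "isp1": {"2.1.in-addr.arpa": {"delegations": {"1.2.1.in-addr.arpa": "customer"}, "records": {}}},
        "isp2": {"2.3.in-addr.arpa": isp2_zone},
        "customer": {   # the zones you host yourself, holding the PTRs for your mail server
            "1.2.1.in-addr.arpa": {"delegations": {}, "records": {"4.1.2.1.in-addr.arpa": "mail.example.com."}},
            "1.2.3.in-addr.arpa": {"delegations": {}, "records": {"4.1.2.3.in-addr.arpa": "mail.example.com."}},
        },
    }


def hosted_zone(servers: Servers, server: str, qname: str) -> Optional[str]:
    """The most specific zone this server hosts that contains qname, if any."""
    matches = [z for z in servers[server] if in_zone(qname, z)]
    return max(matches, key=len) if matches else None


def resolve_iteratively(servers: Servers, qname: str) -> Tuple[List[str], Optional[str]]:
    """Walk the delegations from the root, as a recursive resolver does. Returns the
    servers visited and the PTR target, or None if the chain ends without an answer."""
    server, path = "root", []
    while True:
        path.append(server)
        zone = hosted_zone(servers, server, qname)
        if zone is None:
            return path, None                   # server was delegated a zone it does not host
        data = servers[server][zone]
        if qname in data["records"]:
            return path, data["records"][qname]  # authoritative answer
        child = next((s for z, s in data["delegations"].items() if in_zone(qname, z)), None)
        if child is None:
            return path, None                   # no delegation and no record: the path stops here
        server = child


def answer_query(servers: Servers, server: str, qname: str, recursion_allowed: bool) -> Optional[str]:
    """What one server says when asked directly: an authoritative answer for zones it
    hosts; otherwise REFUSED when recursion is off, or the result of walking the tree."""
    zone = hosted_zone(servers, server, qname)
    if zone is not None:
        return servers[server][zone]["records"].get(qname)
    if not recursion_allowed:
        return "REFUSED"
    return resolve_iteratively(servers, qname)[1]


if __name__ == "__main__":
    for delegated in (False, True):
        tree = build_servers(delegated)
        print("ISP 2 delegates:", delegated, resolve_iteratively(tree, "4.1.2.3.in-addr.arpa"))
    print("non-recursive server asked about a zone it does not host:",
          answer_query(build_servers(True), "customer", "4.2.1.1.in-addr.arpa", False))
```

Without the delegation the walk for 3.2.1.4 ends at ISP 2 with no answer, even though your server holds the PTR; with it the same walk reaches your server. Asking your own non-recursive server about a name outside its zones yields REFUSED, which is the behaviour observed earlier in the thread and is not itself a fault.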
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24923010
Chris, thanks for the detailed reply.
I am getting the concept now.

My ISP 2 says they will be providing delegation. So in this case I will be providing the answer.
I hope my understanding is right. For this the changes will be done at the ISP2 side.

My side will be making the PTR entries in x.x.x.rev;
in that file I will be making the entries for the ISP2 network.
Ex -

; PTR records
;
165            IN      PTR      abc.xyz.com
166            IN      PTR      def.xyz.com


0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24923070

That looks good. Just don't forget to terminate names with "." or the zone name will be appended :)

Chris
0
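The trailing-dot rule in the accepted answer is worth seeing applied to the PTR file shown above, so here is an added example (not code from the thread or from BIND) of the origin-append rule a zone-file loader applies. The `$ORIGIN` value, the third PTR line and the owner names are constructed; the first two PTR lines copy the shape of the file above, with the dot missing.

```python
from typing import List, Tuple

# Constructed reverse-zone fragment in the style of the PTR file above. The first two
# PTR targets lack the trailing dot; the third has it.
ZONE_TEXT = """\
$ORIGIN 1.2.3.in-addr.arpa.
; PTR records
;
165            IN      PTR      abc.xyz.com
166            IN      PTR      def.xyz.com
167            IN      PTR      ghi.xyz.com.
"""


def absolutize(name: str, origin: str) -> str:
    """Zone-file rule: a name ending in '.' is complete; '@' means the origin;
    anything else is relative and gets the origin appended."""
    if name.endswith("."):
        return name
    if name == "@":
        return origin
    return f"{name}.{origin}"


def parse_ptr_zone(text: str, default_origin: str = "") -> List[Tuple[str, str]]:
    """Return (owner, target) pairs with both names fully qualified, the way a
    loader would see them after applying $ORIGIN."""
    origin = default_origin
    out: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()                    # owner [class] type rdata
        owner, rtype, rdata = fields[0], fields[-2], fields[-1]
        if rtype.upper() == "PTR":
            out.append((absolutize(owner, origin), absolutize(rdata, origin)))
    return out


def targets_inside_zone(records: List[Tuple[str, str]], origin: str) -> List[str]:
    """PTR targets that ended up underneath the reverse zone itself: the tell-tale
    sign of a forgotten trailing dot, since a mail host never lives in in-addr.arpa."""
    return [target for _, target in records if target.endswith("." + origin)]


if __name__ == "__main__":
    recs = parse_ptr_zone(ZONE_TEXT)
    for owner, target in recs:
        print(f"{owner} IN PTR {target}")
    print("suspicious:", targets_inside_zone(recs, "1.2.3.in-addr.arpa."))
```

The two undotted names come out as `abc.xyz.com.1.2.3.in-addr.arpa.` and `def.xyz.com.1.2.3.in-addr.arpa.`, which no sending mail server will ever confirm; only the dotted third entry survives as intended.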
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 24923791
Rajeev -
[I tried the NS lookup on my ISP DNS server & it returned the required lookup.

But when I did the same on my DNS server it replied "Query refused".]

Chris
[Does your DNS server allow recursive queries? If it doesn't then it would explain why it's refused. It would also suggest that there's no problem (as such).]

Rajeev
I got the reply from my vendor that my DNS restricts recursive queries.
I am not able to understand why a recursive query will not give the required lookup.

0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 25165311
Thanks
0
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 31604124
Thanks Chris
0
