
reverse DNS problem

We need machines within our network to be able to do a reverse DNS lookup on our external / public-facing IP and have our domain name come back as the result. Right now, it's resolving to a hostname on our ISP's side, and as such it is giving sendmail a hard time trying to get mail out from inside our network. Our IP is 209.17.x.x - what do we need to do specifically in order to get this working? I've included

Here is what our zone file for our external IP looks like on our internal DNS server:

$ORIGIN         x.x.209.IN-ADDR.ARPA.
$TTL            3600

@               SOA     ns1.(omitted).com. (omitted).(omitted).com. (
                                1000000027      ; Serial
                                3600            ; Refresh
                                900             ; Retry
                                3600000         ; Expire
                                3600    )       ; Minimum
                NS      ns1.(omitted).com.

1               PTR     (omitted).com.


And here is the localhost (127.0.0) zone file:

$ORIGIN         0.0.127.IN-ADDR.ARPA.
$TTL            3600

@               SOA     ns1.omitted.com. omitted. (
                                1000000002      ; Serial
                                3600            ; Refresh
                                900             ; Retry
                                3600000         ; Expire
                                3600    )       ; Minimum
                NS      ns1.omitted.com.
1               PTR     localhost.

And here is our named.conf :


// Generic options

controls {
        // "inet *" listens on every interface; the key is the only thing gating rndc.
        inet * allow { any; } keys { "rndckey"; };
};

//My old key from itpeer was shorter so I just commented to note that.
//key "rndc-key" {
//      algorithm hmac-md5;
//      secret "(omitted)=";
//};

// Key name must match the one referenced in the controls block above.
key "rndckey" {
algorithm hmac-md5;
secret "(omitted)";
};

options {
//version               "(omitted).com DNslave/isc-bind";
directory       "/var/named";
auth-nxdomain   yes;
also-notify { 192.168.2.11; };
};


view "internal" {

//match-clients { 192.168.2.0/24; 192.168.0.0/24; 192.168.1.0/24; 192.168.3.0/24; 127.0.0.1/32; };
// "any" plus "recursion yes" makes this an open recursive resolver for whoever can reach port 53.
match-clients { any; };
allow-transfer { 192.168.2.11; };
recursion yes;

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "127.0.0";
};

zone "(omitted1)" {
type master;
file "(omitted1)";
};

zone "(omitted2)" {
type master;
file "(omitted2)";
};
                         
zone "2.168.192.IN-ADDR.ARPA" {
type master;
file "192.168.2";
};

zone "0.168.192.IN-ADDR.ARPA" {
type master;
file "192.168.0";
};

};


Please advise as to what we specifically need to add so that servers on our internal network running sendmail can successfully HELO an SMTP server, for example, and have it find our domain name instead of the ISP hostname.
0
pulseeenergy
Asked:
1 Solution
 
Encrypted1024 Commented:
Your ISP should be able to help you if you want your external IP to reverse resolve to your domain name and not theirs.

For internal resolution you just need to create a zone that is your external domain name and then create an A record for your mail server that points at the internal IP.
0
 
pulseeenergy (Author) Commented:
Hm, alright, thanks! What would be the correct syntax for the zone entry and the record? I'm not sure how to add it in.
0
 
Encrypted1024 Commented:
Not sure; what are you running for a DNS server? I am most familiar with Windows DNS, so maybe someone can give you exact instructions on how to do it with your DNS server.
0
 
pulseeenergy (Author) Commented:
It's just a RHEL box running the named service, from what I understand. We'd need to see the verbatim entry for our config that we'd need to add so we can get running. Can anyone please advise?

0
 
bevhost Commented:
The reverse DNS for your external IP address is not hosted on your name server.
It is on your ISP's name server.  That is why you need to ask your ISP to do it.

0
 
giltjr Commented:
Well, actually, if he is doing his own internal DNS serving and all his internal computers are using his DNS server, he can do the reverse lookup.

To set up your own internal DNS server on RH you can read:

http://www.redhat.com/magazine/025nov06/features/dns/
http://www.redhat.com/magazine/026dec06/features/dns/

Now, doing this on your own internal DNS server will NOT help external resolution.  That is, if I try to send e-mail to you I will most likely NOT use your internal DNS servers.  I will use your public DNS servers.

If you want to handle both your forward (name to address) and reverse (address to name) lookups you will need to talk to your ISP so that they will delegate this to your servers.  However, I would recommend against this.
0
 
Jason Watkins (IT Project Leader) Commented:
Hello,

Do you have a primary domain configured as a zone on your server? You are running a DNS service called BIND; 'named' is the daemon that runs BIND locally.

192.168.2.11 is the mail server?

I am not sure without more information, but if your internal zone on BIND is using the same domain name as your external web presence there will be issues. I would create a CNAME record for your website (WWW, public IP), and an MX record pointing toward your sendmail box.
0
 
bevhost Commented:
If you insist on doing this internally (which I don't understand), you need

zone "x.x.209.IN-ADDR.ARPA" {
   type master;
   file "209.x.x";
};

This will make your DNS answer authoritative for 209.x.x.z/24.   Not sure where you are going to get all the correct values for z and what they should resolve to.

Perhaps you could do a /32 version:
zone "z.x.x.209.IN-ADDR.ARPA" {
   type master;
   file "209.x.x.z";
};

$ORIGIN         z.x.x.209.IN-ADDR.ARPA.
$TTL            3600
@               SOA     ns1.(omitted).com. (omitted).(omitted).com. (
                                1000000027      ; Serial
                                3600            ; Refresh
                                900             ; Retry
                                3600000         ; Expire
                                3600    )       ; Minimum
                NS      ns1.(omitted).com.
                PTR     (omitted).com.


You will need to do this externally through your ISP as well.
0
 
giltjr Commented:
--> If you insist on doing this internally, (which I don't understand), you need

Some ISPs will not delegate PTR zones to customers and will not maintain entries for you in their PTR zones.  In fact, some ISPs will not even provide PTR zones for the addresses they own.


0
 
mikebernhardt Commented:
OK. It sounds to me like what you want is that when your own inside servers attempt to resolve your own external IP address, they will resolve to something you control. Is that correct? If so, the way to do it follows. Note that you can't resolve wildcard addresses to a domain name, but you CAN resolve them to a single host name:

In a file called "209.x.x":
$ORIGIN         x.x.209.IN-ADDR.ARPA.
$TTL            3600

@               SOA     ns1.(omitted).com. (omitted).(omitted).com. (
                                100000001       ; Serial
                                3600            ; Refresh
                                900             ; Retry
                                3600000         ; Expire
                                3600    )       ; Minimum
                NS      ns1.(omitted).com.

*               IN      PTR     www.(omitted).com.

And then in your named.conf, add to your internal view:
zone "x.x.209.IN-ADDR.ARPA" {
type master;
file "209.x.x";
};

I noticed that you ONLY have an internal view, and you are matching "any" instead of only internal clients. If you are only using this for internal resolution and no outside folks can reach it, that's fine. But if this is for outside people too, then it's a really bad idea and you should create a much more limited external view.

If my assumption is wrong about what you want, for example if you want OUTSIDE mail servers to resolve all of your inside hosts to an outside address so that they will talk to you, then you need to have your ISP resolve the desired outside addresses to the host name of your choice. But this won't work if the outside mail host wants to match the forward and reverse names! If they've given you address space then that should not be a problem. Usually they resolve it to their own name only because you haven't told them what you want it to be. If they won't, find a different ISP.

You can also resolve this whole issue by setting up a mail relay with a public address (or NAT to one) and having all of your inside hosts forward outbound mail to it. Use an MX record in your forward table and a normal PTR in the reverse. Problem solved.
0
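As an added example (not code from any poster in this thread), the script below generates the kind of /24 or /32 reverse zone bevhost and mikebernhardt describe, with every owner name absolute so nothing silently gets $ORIGIN appended, and then runs the forward-confirmed reverse DNS check that mikebernhardt warns outside mail hosts apply. The 192.0.2.0/24 block, example.com names and the records are constructed stand-ins for the asker's 209.17.x.x addresses.

```python
import ipaddress

# Constructed stand-in for the asker's 209.17.x.x block (RFC 5737 TEST-NET-1).
PUBLIC_NET = "192.0.2.0/24"
PTRS = {"192.0.2.25": "mail.example.com.", "192.0.2.80": "www.example.com."}


def reverse_zone_name(network):
    """in-addr.arpa zone name for a /24 (bevhost's first form) or /32 network."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (24, 32):
        raise ValueError("only /24 and /32 reverse zones handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(network, ns, hostmaster, serial, ptrs):
    """Render a BIND reverse zone: SOA/NS at the apex, one PTR per address.
    Targets must end in '.', otherwise BIND appends $ORIGIN to them."""
    net = ipaddress.ip_network(network, strict=True)
    zone = reverse_zone_name(network)
    out = [f"$ORIGIN {zone}.", "$TTL 3600",
           f"@       SOA     {ns} {hostmaster} ( {serial} 3600 900 3600000 3600 )",
           f"        NS      {ns}"]
    for ip, name in sorted(ptrs.items()):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {network}")
        if not name.endswith("."):
            raise ValueError(f"PTR target {name!r} must be absolute")
        rp = addr.reverse_pointer            # e.g. 25.2.0.192.in-addr.arpa
        label = "@" if rp == zone else rp[: -(len(zone) + 1)]   # "@" for a /32 zone
        out.append(f"{label:<8}PTR     {name}")
    return "\n".join(out) + "\n"


def fcrdns_ok(ip, ptr_records, a_records):
    """Forward-confirmed reverse DNS, as applied by receiving MTAs:
    the PTR target's A records must include the connecting address."""
    name = ptr_records.get(ipaddress.ip_address(ip).reverse_pointer)
    return name is not None and ip in a_records.get(name, set())


if __name__ == "__main__":
    print(reverse_zone(PUBLIC_NET, "ns1.example.com.",
                       "hostmaster.example.com.", 2024010101, PTRS))
```

A wildcard PTR like mikebernhardt's fails fcrdns_ok for every address except those the named host actually has A records for, which is why the ISP-hosted PTR still matters for outbound mail.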
