Solved

Need Help Setting Up Reverse DNS (authority was delegated by ISP)

Posted on 2011-02-15
13
Medium Priority
1,044 Views
Last Modified: 2012-05-11
We manage our own DNS in house.  Reverse DNS has been tricky however because apparently Verizon (our T1 provider) didn't delegate authority to us initially.

We just had them delegate authority to us, but we have a /29.  Because we have a /29 apparently setting up a reverse DNS zone is different.

I'm having a hell of a time figuring out how to create a reverse DNS zone for a /29 using Microsoft Windows Server 2008 DNS.

Can someone provide a walk-through of creating a reverse DNS zone for a /29?
0
Question by:derrickonline
13 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34896539

Have they told you the notation they've used to delegate?

Can you run:

nslookup -q=cname 4.3.2.1.in-addr.arpa.

Where 4.3.2.1.in-addr.arpa should be replaced with an IP within your block.

I'd expect something like:

4.3/29.2.1.in-addr.arpa

If that is the case, we need to create a zone called 3/29.2.1.in-addr.arpa. I think it'll let you in the GUI provided you force it to use a name rather than filling in the boxes for an IP address. If it doesn't let you there we can probably do it with dnscmd instead.

Chris
0
 

Author Comment

by:derrickonline
ID: 34896563
I'm getting this:

 156.77.210.65.in-addr.arpa. 18542 IN      CNAME      156.152.77.210.65.in-addr.arpa.
0
 

Author Comment

by:derrickonline
ID: 34896622
Here's the information Verizon sent:

Hi,

Our side is now ready per below. Also, below your reverse zone is an explanation of what you need to do to setup your side:

This request has now been completed. Please be advised that it may take up to one hour for propagation to begin, and up to 8 hours for FULL Internet propagation. Please review the reverse zone print listed below:

; allocated 152-159 to
152             IN      NS      ns1.summitsolve.com.
152             IN      NS      ns2.summitsolve.com.
153             IN      CNAME   153.152.77.210.65.in-addr.arpa.
154             IN      CNAME   154.152.77.210.65.in-addr.arpa.
155             IN      CNAME   155.152.77.210.65.in-addr.arpa.
156             IN      CNAME   156.152.77.210.65.in-addr.arpa.
157             IN      CNAME   157.152.77.210.65.in-addr.arpa.
158             IN      CNAME   158.152.77.210.65.in-addr.arpa.

Setting up classless in-addr files on your nameserver is slightly different than setting up a zone for an entire CIDR: /24 (255 IPs).

Here is an example using a hypothetical subnet, 208.226.10.0/25, or, the first 128 IPs in this CIDR: /24.
 
If you have 128 IP addresses in a particular block we would make the following entries into the CIDR: /24 zonefile on 'Verizon' servers:  

10.226.208.in-addr.arpa

0       IN      NS      dns1.yourdomain.com.
0       IN      NS      dns2.yourdomain.com.
1       IN      CNAME   1.0.10.226.208.in-addr.arpa.
2       IN      CNAME   2.0.10.226.208.in-addr.arpa.
3       IN      CNAME   3.0.10.226.208.in-addr.arpa.

This points all queries for the first 128 IP addresses to a zone on your nameserver called 0.10.226.208.in-addr.arpa.

The zonefile you create will look just like a normal zonefile (with PTR records etc.), only the zone file name will have a 4th octet noting the net address, or first IP in your subnet ......
(i.e. 0.10.226.208.in-addr.arpa).

Here is a sample of what your zonefile should look like:
[0.10.226.208.in-addr.arpa]

1       IN      PTR     name.yourdomain.com.
2       IN      PTR     host.yourdomain.com.
3       IN      PTR     user.yourdomain.com.

OR

1.0.10.226.208.in-addr.arpa.     IN      PTR     name.yourdomain.com.
2.0.10.226.208.in-addr.arpa.     IN      PTR     host.yourdomain.com.
3.0.10.226.208.in-addr.arpa.     IN      PTR     user.yourdomain.com.

For more info on subnetted in-addr on an NT machine you can also see the Microsoft website's white paper:
http://support.microsoft.com/kb/174419/en-us

Windows GUI may not let you edit the named.boot file manually, so this might not apply to you.  If you are using BIND or a similar platform you should put the following directive into your named.boot file:

primary 0.10.226.208.in-addr.arpa       db.reversefilename

BIND named.conf would look similar to:

zone "0.10.226.208.in-addr.arpa" {
        type master;
        file "0.10.226.208";
};

For more information about Classless IN-ADDR.ARPA Delegation, please see RFC2317. http://www.faqs.org/rfcs/rfc2317.html

(please leave the ticket number in the subject field should you reply back to this email. This will allow your reply email to populate into this same ticket)


Thank you,
Verizon Technical Support
help4u@verizonbusiness.com
Toll-free: 1-800-900-0241
http://www.verizonbusiness.com/
https://enterprisecenter.verizonbusiness.com

0

 
LVL 71

Accepted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 34896717
They had to use a period to separate it, didn't they. Nothing like making it unnecessarily obscure.

Anyway, it's what we wanted. Let's just head to dnscmd right away. Can you run:

dnscmd /ZoneAdd 152.77.210.65.in-addr.arpa /Primary

Then refresh your view in the console. Once done, feel free to create your records, your version will have an "IP" consisting of 5 octets instead of 4. e.g.

153.152.77.210.65.in-addr.arpa.  IN PTR  someserver.domain.com.

That way we get this process when someone looks up an IP:

153.77.210.65.in-addr.arpa -> CNAME under 153.152.77.210.65.in-addr.arpa. (Verizon)
152.77.210.65.in-addr.arpa. -> NS <your server> (Verizon)
153.152.77.210.65.in-addr.arpa. -> PTR <Some Name> (You)

That's what all the CNAME business is for, it takes someone from the regular record, to your DNS server and the version with the extra octet.

Normally we see syntax like this:

152-29.77.210.65.in-addr.arpa
152/29.77.210.65.in-addr.arpa

That form of classless delegation is clear rather than somewhat ambiguous, as we see with the use of the dot.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34896753

Depending on your network topology, don't be too surprised if you cannot resolve your own PTR records.

That is, any internal DNS service will attempt to reach your external DNS service via the delegation posted at Verizon.

You cannot simply create a forwarder in this scenario: your own server doesn't actually have answers for the real version of the PTR (4.3.2.1.in-addr.arpa), you only have the classless version, and you'll only ever get to that via the CNAME record hosted at Verizon.

But the impact there depends a lot on your topology so don't worry too much for now :)

Chris
0
 

Author Comment

by:derrickonline
ID: 34896786
Ok, so I have the zone created using your aforementioned command.  But when I go to create a PTR record, it shows:    65.210.77.152.

So I try to delete 152 and replace it with the octet of the IP I'm trying to create a record for, it won't let me delete.

So according to your comments there should in fact be a fifth octet, so I try to add the last octet of the IP for which I'm trying to create a record:    65.210.77.152.156   But then I get error invalid IP?  I'm confused.
0
 

Author Comment

by:derrickonline
ID: 34896810
Regarding your comment on our internal DNS.  We actually have our internal DNS answering for our actual domain using internal IP addresses.  We're also not too worried about reverse lookups internally.

The issue is we're hosting our own mail and spam filtering, we're being rejected at some mail gateways for not having a PTR record for our mail server.  I should have just asked Verizon to set one up, but I like to control everything.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 34896827

Too much validation on Microsoft's part. Can you try:

dnscmd /RecordAdd 152.77.210.65.in-addr.arpa. 153 PTR someserver.domain.com.

I advise you include the trailing dots in the command above, it shouldn't matter, but in strict DNS terms they should be there.

Chris
0
 

Author Comment

by:derrickonline
ID: 34896830
My last comment made no sense.  I was saying our internal clients hit our internal dns server.  If they want to resolve anything on our actual domain  (-----.com), it's done using the internal IP address.  Not the external.  
0
 

Author Comment

by:derrickonline
ID: 34896873
Ahh success!  Thank you!  I guess I can't add them via the GUI.  Per your instructions I also kept the trailing dots.  I did a reverse lookup and it finally worked properly!

You've been a wonderful help!  Thank you.
0
 

Author Closing Comment

by:derrickonline
ID: 34896892
Thank you very much!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34896898

Yeah, that was the problem I was getting at.

You won't be able to tell it to use the internal IP for the PTR records as your server doesn't actually host a zone that can answer the base request.

For example, you can't run this against your public server and get an answer:

nslookup -q=ptr 153.77.210.65.in-addr.arpa TheInternalIPAddress

It's not really a big problem, just don't be entirely surprised if it doesn't test successfully inside your network after all of this.

Chris
0
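Added worked example (not part of any comment in this thread, and not Verizon's or Microsoft's code): a small Python model of the lookup chain Chris describes in the accepted solution (four-label name -> CNAME at Verizon -> NS delegation -> five-label PTR on the customer's server), plus the internal-query pitfall from his last comment, where the customer's server is asked for the ordinary four-label name it does not host. The zone data is constructed from the records Verizon listed for 65.210.77.152/29; ns1/ns2.summitsolve.com are the names from the thread, while the PTR targets mail.example.com and www.example.com are assumptions. A check_delegation() helper is also included to catch the common RFC 2317 mistake of a CNAME pointing at the wrong host label or outside the delegated zone.

```python
"""Toy model of the RFC 2317 classless reverse delegation from this thread.

Constructed zone data modelled on the records Verizon posted for the
65.210.77.152/29 block; PTR targets such as mail.example.com are assumptions.
"""

ISP_APEX = "77.210.65.in-addr.arpa."           # parent /24 zone (Verizon)
CUSTOMER_APEX = "152.77.210.65.in-addr.arpa."  # delegated /29 zone (customer)


def fqdn(label, apex):
    """Expand a zone-relative owner label such as '153' to a fully qualified name."""
    return apex if label == "@" else f"{label}.{apex}"


def in_zone(name, apex):
    """True when name is the apex itself or lies below it (label-aligned match)."""
    return name == apex or name.endswith("." + apex)


# Parent zone: NS records at the /29 network address plus one CNAME per host
# address, each pointing at the five-label name inside the child zone.
ISP_ZONE = {fqdn("152", ISP_APEX): [("NS", "ns1.summitsolve.com."),
                                    ("NS", "ns2.summitsolve.com.")]}
for last in range(153, 159):
    ISP_ZONE[fqdn(str(last), ISP_APEX)] = [("CNAME", fqdn(str(last), CUSTOMER_APEX))]

# Child zone on the customer's Windows DNS server (the zone created with
# "dnscmd /ZoneAdd 152.77.210.65.in-addr.arpa /Primary"); hostnames assumed.
CUSTOMER_ZONE = {
    fqdn("153", CUSTOMER_APEX): [("PTR", "mail.example.com.")],
    fqdn("156", CUSTOMER_APEX): [("PTR", "www.example.com.")],
}

SERVERS = {ISP_APEX: ISP_ZONE, CUSTOMER_APEX: CUSTOMER_ZONE}


def reverse_name(ip):
    """'65.210.77.153' -> '153.77.210.65.in-addr.arpa.'"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lookup(zone, apex, name, rtype):
    """Answer only for names inside this zone; otherwise None (not authoritative)."""
    if not in_zone(name, apex):
        return None
    return [rdata for rt, rdata in zone.get(name, []) if rt == rtype]


def resolve_ptr(ip, max_hops=5):
    """Chase CNAME -> NS delegation -> PTR the way a recursive resolver would.

    Returns (ptr_target or None, trace) where trace lists each hop taken."""
    name, apex, trace = reverse_name(ip), ISP_APEX, []
    for _ in range(max_hops):
        # Most specific zone that contains the current name.
        best = max((a for a in SERVERS if in_zone(name, a)), key=len, default=None)
        if best is None:
            return None, trace + [f"{name}: no zone covers this name"]
        if best != apex:
            # Crossing into the child zone requires NS records in the parent.
            ns = lookup(SERVERS[apex], apex, best, "NS")
            if not ns:
                return None, trace + [f"{best}: not delegated from {apex}"]
            trace.append(f"{best} -> NS {ns[0]} ({apex})")
            apex = best
        zone = SERVERS[apex]
        ptr = lookup(zone, apex, name, "PTR")
        if ptr:
            trace.append(f"{name} -> PTR {ptr[0]} ({apex})")
            return ptr[0], trace
        cname = lookup(zone, apex, name, "CNAME")
        if cname:
            trace.append(f"{name} -> CNAME {cname[0]} ({apex})")
            name = cname[0]
            continue
        return None, trace + [f"{name}: no PTR or CNAME in {apex}"]
    return None, trace + ["CNAME chain too long"]


def query_customer_directly(ip):
    """The internal-resolution pitfall: asking the customer's server for the
    ordinary four-label name returns nothing, because that server only hosts
    the five-label classless zone and never sees the CNAME held at the ISP."""
    return lookup(CUSTOMER_ZONE, CUSTOMER_APEX, reverse_name(ip), "PTR")


def check_delegation(parent, parent_apex, child_apex):
    """Sanity-check the parent's side of the delegation: NS records must exist
    and every CNAME must point into the child zone with the same host label."""
    problems = []
    if not lookup(parent, parent_apex, child_apex, "NS"):
        problems.append(f"no NS records for {child_apex}")
    for owner, rrs in parent.items():
        for rt, target in rrs:
            if rt != "CNAME":
                continue
            if not in_zone(target, child_apex):
                problems.append(f"{owner} CNAME {target} is outside {child_apex}")
            elif owner.split(".")[0] != target.split(".")[0]:
                problems.append(f"{owner} CNAME {target} host label mismatch")
    return problems


if __name__ == "__main__":
    target, steps = resolve_ptr("65.210.77.153")
    print("\n".join(steps))
    print("direct four-label query:", query_customer_directly("65.210.77.153"))
    print("delegation problems:", check_delegation(ISP_ZONE, ISP_APEX, CUSTOMER_APEX))
```

The trace printed for 65.210.77.153 is the three-step process from the accepted solution, and the direct query returns None, which is the behaviour Chris warns about for internal clients that point straight at the customer's server. Running check_delegation() against a copy of the parent zone data you receive from the ISP is a quick way to spot a typo in their CNAMEs before spending time debugging your own PTR records.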
 

Author Comment

by:derrickonline
ID: 34896921
Gotcha.  I've been doing all my testing externally to maintain my sanity.  Internal reverse lookups are less important for us.  But thank you for the heads up.
0
