
Should you have a DNS reverse lookup zone for every subnet

This question comes from a conversation that a few coworkers and I had. When using Active Directory integrated DNS, should you have a reverse lookup zone created for each subnet that is in AD Sites and Services?

We have just acquired another company, and they have many more subnets in AD Sites and Services than they have reverse lookup zones in DNS. I think there should be a reverse lookup zone for every subnet that is in use. I have seen some websites that say a reverse lookup zone is not 100% necessary.

Does anyone have any info either backing up this opinion or disputing it? I am looking for what others are doing.
Asked by Joseph Daly

5 Solutions
rscottvan commented:
You only need a reverse zone if you need to resolve names from IP addresses. On private networks, if DHCP or clients are registering dynamically with DNS, it can be helpful to find what device picked up what DHCP address.

If you're talking about public address space, the most common need for RDNS is for mail servers. Many mail servers will only accept mail from servers whose RDNS records match their DNS A record.

So, if you need to find the name of a host by pinging or performing an nslookup by IP address, then you'll need the reverse DNS zones. If you don't have a need for that functionality, they are not required.
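The mail-server check rscottvan mentions is usually called forward-confirmed reverse DNS: the receiving server takes the connecting IP, looks up its PTR, then checks that the name it gets back has an A or AAAA record containing that same IP. The following is an added example, not code from the original thread or from any product mentioned on the page; it builds the in-addr.arpa and ip6.arpa owner names and runs the check against constructed zone data for the made-up domain example.com, so it runs offline and shows the three outcomes a mail server distinguishes (PTR matches, PTR points at a name whose A record is a different address, no PTR at all).

```python
import ipaddress

# Constructed sample zone data (not from the original thread): a forward zone
# for the made-up domain example.com and the matching reverse records.
# Names are fully qualified with a trailing dot, as in a zone file.
FORWARD = {
    "mail1.example.com.": {"203.0.113.10", "2001:db8::25"},
    "mail2.example.com.": {"203.0.113.11"},
    "mail3.example.com.": {"203.0.113.12"},
    "web.example.com.": {"203.0.113.20", "203.0.113.21"},
}


def ptr_name(ip):
    """Owner name of the PTR record for an address: reversed octets under
    in-addr.arpa for IPv4, reversed nibbles under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


REVERSE = {
    ptr_name("203.0.113.10"): "mail1.example.com.",  # PTR and A agree
    ptr_name("203.0.113.11"): "mail3.example.com.",  # PTR names a host whose A record is another IP
    ptr_name("2001:db8::25"): "mail1.example.com.",  # IPv6 PTR, also consistent
    # 203.0.113.20 and .21 deliberately have no PTR at all
}


def fcrdns(ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: IP -> PTR -> name -> A/AAAA must
    contain the original IP. Returns (verdict, name) where verdict is
    'ok', 'no-ptr' or 'mismatch'."""
    ip = str(ipaddress.ip_address(ip))  # canonical form, so 2001:0db8::25 == 2001:db8::25
    name = reverse.get(ptr_name(ip))
    if name is None:
        return "no-ptr", None
    if ip not in forward.get(name, set()):
        return "mismatch", name
    return "ok", name


def filter_senders(ips):
    """Apply the check to a batch of connecting IPs, as an SMTP server would,
    returning the verdict per IP so the caller can reject or greylist."""
    return {ip: fcrdns(ip)[0] for ip in ips}


if __name__ == "__main__":
    sample = ["203.0.113.10", "203.0.113.11", "203.0.113.20", "2001:db8::25"]
    for ip, verdict in filter_senders(sample).items():
        print(f"{ip:16} {ptr_name(ip):50} {verdict}")
```

The same PTR-then-A round trip is what you get on a Windows box from `nslookup <ip>` followed by `nslookup <name>`; a "mismatch" verdict here is exactly the stale-PTR problem that scavenging is meant to clean up on the reverse zone side.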
afthab commented:
A reverse lookup entry in your DNS is not compulsory. I hope you are aware of the function of lookup zones:

Forward lookup --> resolves an IP from a domain name (FQDN) using A records (you can see A records in the FLZ)
Reverse lookup --> resolves a domain name from an IP with the help of PTR records (that's why PTR records are in the RLZ)

Suppose you have not set a reverse entry for your web site; see what will happen?
You will not be able to open your website using the IP.

And it's compulsory for some applications, mail services, etc. ... and if your DNS is integrated with AD, it should automatically update both zones (http://technet.microsoft.com/en-us/library/cc978010.aspx)

Absence of an RLZ may create some event entries on the server as well.
FYI :

http://www.menandmice.com/knowledgehub/dnsqa/56/
Todd Gerbert (IT Consultant) commented:
I have noticed some WMI services don't work correctly when a command is run against an IP address and the reverse lookup for that address is incorrect, which leads me to believe there might be even more problems if there were no reverse lookup zone at all. I would imagine there are probably other services that might depend on reverse lookups.

I'm not sure whether or not Windows has some other means for mapping an IP address to a host, nor do I know what the "official" best practice is, but I always have a reverse zone for each subnet.
Krzysztof Pytko (Active Directory Engineer) commented:
You have to consider whether you have any application in your environment which uses IP address to host name resolution. If so, you need a reverse lookup zone for that subnet. But I don't think it's necessary to have reverse lookup zones for each subnet. You definitely need forward lookup zones, but if it's important to you and your environment (applications) you can create reverse lookup zones. Reverse lookup zones require more attention because of stale PTR records, so the bigger the number of reverse zones, the more attention is required to keep PTR records up to date :) (for that you need to use Aging and Scavenging to prevent stale records).

Regards,
Krzysztof
rfc1180 commented:
You should by design have zone records for your subnets:

Best practice
http://www.xsanity.com/article.php/20060920201633799#private

I believe there is an RFC on it as well; sorry, I was not able to find it. I remember this because a few years ago an ISP I was working at did not have the RFC 1918 zone files for in-addr.arpa, and due to an attack, our upstreams were getting hammered with DNS queries. Once we added the zone files, the network was back to normal. We read in an RFC that we were not RFC compliant by not having zone files for the RFC 1918 space.

http://en.wikipedia.org/wiki/Blackhole_server

Billy
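Two of the answers above turn on the same question: which in-addr.arpa zones does a given list of subnets actually require (Krzysztof's "you need a reverse lookup zone for that subnet"), and is there any private address space for which no local zone exists at all, so that PTR queries for it are forwarded upstream (rfc1180's RFC 1918 point). The following is an added example, not code from the original thread or from Microsoft; it takes a constructed list of subnets in the form AD Sites and Services shows them and a constructed list of existing reverse zones, and reports the gaps. It assumes the octet-boundary (/8, /16, /24) zone names Windows DNS creates by default, so a /22 site subnet needs four /24 zones and a /27 is served by its parent /24, and it treats a parent zone (10.in-addr.arpa) as covering any child (4.2.10.in-addr.arpa).

```python
import ipaddress

# Constructed sample data (not from the original thread): subnets as they might
# be listed in AD Sites and Services, and the reverse zones that already exist
# on the DNS server, named as the DNS console shows them.
SITE_SUBNETS = ["10.1.0.0/16", "10.2.4.0/22", "10.2.8.0/27",
                "192.168.50.0/24", "172.20.3.0/24"]
EXISTING_ZONES = ["1.10.in-addr.arpa", "4.2.10.in-addr.arpa",
                  "50.168.192.in-addr.arpa"]
# The RFC 1918 blocks; PTR queries for any part of them with no local zone
# leave the network and hit the forwarders (rfc1180's ISP problem).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def zones_for_subnet(subnet):
    """in-addr.arpa zone names needed to cover one IPv4 subnet, using the
    octet-boundary (/8, /16, /24) zones Windows DNS creates by default:
    a /22 needs four /24 zones, a /27 is served by its parent /24 zone,
    and a /12 is rounded up to sixteen /16 zones."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 is not a subnet you can build a reverse zone for")
    if net.prefixlen > 24:                      # /25../32: the enclosing /24 zone serves it
        net = net.supernet(new_prefix=24)
    octets = -(-net.prefixlen // 8)             # labels in the zone name: 1, 2 or 3
    zones = set()
    for block in net.subnets(new_prefix=octets * 8):
        labels = str(block.network_address).split(".")[:octets]
        zones.add(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def is_covered(zone, existing):
    """A needed zone is covered if it exists or a parent zone exists
    (10.in-addr.arpa answers for 4.2.10.in-addr.arpa)."""
    return any(zone == e or zone.endswith("." + e) for e in existing)


def missing_zones(subnets, existing):
    """Zones the listed subnets need that no existing zone covers, sorted."""
    needed = set().union(*(zones_for_subnet(s) for s in subnets))
    return sorted(z for z in needed if not is_covered(z, existing))


if __name__ == "__main__":
    for z in missing_zones(SITE_SUBNETS, EXISTING_ZONES):
        print("site subnet with no reverse zone:", z)
    for z in missing_zones(RFC1918, EXISTING_ZONES):
        print("private space with no local zone (PTR queries forwarded upstream):", z)
```

The first list is what the asker would hand to the acquired company's DNS admins (or feed to the New Zone wizard); the second shows that per-subnet zones alone do not stop PTR queries for the rest of the 10/8, 172.16/12 and 192.168/16 space from leaving the network, which is a separate decision from whether each site subnet needs its own zone.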
Muzafar Momin commented:
Yes, to handle DNS queries smoothly.