Solved

Should you have a DNS reverse lookup zone for every subnet

Posted on 2011-03-02
6,367 Views
Last Modified: 2012-05-11
This question comes from a conversation that a few coworkers and I had. When using Active Directory-integrated DNS, should you have a reverse lookup zone created for each subnet that is in AD Sites and Services?

We have just acquired another company and they have many more subnets in AD Sites and Services than they do in their reverse lookup zones in DNS. I think there should be a reverse lookup zone for every subnet that is in use. I have seen some websites that say a reverse lookup is not 100% necessary.

Does anyone have any info either backing up this opinion or disputing it? I am looking for what others are doing.
0
Question by:Joseph Daly
6 Comments
 
LVL 10

Expert Comment

by:rscottvan
ID: 35024115
You only need a reverse zone if you need to resolve names from IP Addresses.  On private networks, if DHCP or clients are registering dynamically with DNS, it can be helpful to find what device picked up what DHCP address.

If you're talking about public address space, the most common need for RDNS is for mail servers.  Many mail servers will only accept mail from servers whose RDNS records match their DNS A record.

So, if you need to find the name of a host by pinging or performing an NSLookup by IP address then you'll need the Reverse DNS zones.  If you don't have a need for that functionality, they are not required.
0
 
LVL 8

Assisted Solution

by:afthab
afthab earned 100 total points
ID: 35024198
A reverse lookup entry in your DNS is not compulsory. I hope you are aware of the function of lookup zones:

Forward lookup --> Resolves an IP from a domain name (FQDN) using A records (you can see A records in the FLZ)
Reverse lookup --> Resolves a domain name from an IP with the help of PTR records (that's why PTR records are in the RLZ)

Suppose you have not set a reverse entry for your web site; see what will happen?
You will not be able to open your website using the IP.

And it is compulsory for some applications, mail services, etc. If your DNS is integrated with AD, it should automatically update both zones (http://technet.microsoft.com/en-us/library/cc978010.aspx).

Absence of an RLZ may also create some event entries on the server.



FYI :

http://www.menandmice.com/knowledgehub/dnsqa/56/
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 100 total points
ID: 35024391
I have noticed some WMI services don't work correctly when a command is run against an IP address and the reverse lookup for that address is incorrect, which leads me to believe there might be even more problems if there was no reverse lookup zone at all.  I would imagine there are probably other services that might depend on reverse lookups.

I'm not sure whether or not Windows has some other means for mapping an IP address to a host, nor do I know what the "official" best practice is, but I always have a reverse zone for each subnet.
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 100 total points
ID: 35024588
You have to consider whether you have any application in your environment which uses IP address to host name resolution. If so, you need a reverse lookup zone for that subnet. But I don't think it's necessary to have reverse lookup zones for every subnet. You definitely need forward lookup zones, but if it's important to you and your environment (applications) you can create reverse lookup zones. Reverse lookup zones require more attention because of stale PTR records, so the bigger the number of reverse zones, the more attention is required to keep PTR records up to date :) (you need to use Aging and Scavenging for that, to prevent stale records).

Regards,
Krzysztof
0
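The three points above (rscottvan: mail servers accept mail only when the reverse record matches the A record; afthab: forward zones hold A records, reverse zones hold PTR records; Krzysztof: reverse zones accumulate stale PTR records when addresses move) are all the same consistency check, usually called forward-confirmed reverse DNS. The following Python script is an added example, not code from this thread or from any of the posters; it runs the check over a small constructed set of A and PTR records instead of querying a live DNS server, and the zone contents, host names and addresses in it are made up for the illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) audit over constructed zone data.

Added example: the record sets below are constructed for illustration and do
not come from the thread. A PTR record is consistent when the name it points
to has an A record that resolves back to the same address; anything else is
either a missing record or a stale one (the situation Aging and Scavenging
is meant to clean up).
"""
import ipaddress

# Constructed forward zone: FQDN -> set of IPv4 addresses (A records).
A_RECORDS = {
    "mail.example.com": {"192.0.2.10"},
    "web.example.com": {"192.0.2.20"},
    # Workstation that got a new DHCP lease; its old PTR was never removed.
    "ws-042.corp.example.com": {"10.1.2.42"},
}

# Constructed reverse zones: PTR owner name -> FQDN.
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa": "mail.example.com",          # consistent
    "20.2.0.192.in-addr.arpa": "www.example.com",           # name has no A record
    "41.2.1.10.in-addr.arpa": "ws-042.corp.example.com",    # stale: host moved to .42
}


def ptr_owner_name(ip):
    """PTR owner name for an IPv4 address: 10.1.2.25 -> 25.2.1.10.in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def ip_from_ptr_owner(owner):
    """Inverse of ptr_owner_name: 25.2.1.10.in-addr.arpa -> 10.1.2.25."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        raise ValueError("not a full IPv4 PTR owner name: %s" % owner)
    return ".".join(reversed(labels[:4]))


def fcrdns_status(ip, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Classify the reverse mapping of one address.

    Returns 'ok' (PTR -> name -> A includes ip), 'no-ptr' (nothing in the
    reverse zone), 'no-a' (PTR names a host with no A record: stale PTR) or
    'mismatch' (the name exists but resolves to a different address).
    """
    name = ptr_records.get(ptr_owner_name(ip))
    if name is None:
        return "no-ptr"
    forward = a_records.get(name.lower().rstrip("."))
    if forward is None:
        return "no-a"
    if ip not in forward:
        return "mismatch"
    return "ok"


def audit(a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Check every address that appears in either zone; returns {ip: status}."""
    ips = set()
    for addrs in a_records.values():
        ips.update(addrs)
    for owner in ptr_records:
        ips.add(ip_from_ptr_owner(owner))
    return {ip: fcrdns_status(ip, a_records, ptr_records) for ip in sorted(ips)}


if __name__ == "__main__":
    for ip, status in audit().items():
        print("%-16s %s" % (ip, status))
```

The `mismatch` and `no-a` results are exactly the stale PTR records Krzysztof describes: the host moved or was renamed, the A record was updated (or scavenged) and the PTR was left behind. A receiving mail server applying rscottvan's rule would only accept the `ok` case. Running the same logic against a real zone means replacing the two dictionaries with records exported from the DNS server; the classification does not change.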
 
LVL 24

Accepted Solution

by:rfc1180
rfc1180 earned 100 total points
ID: 35024645
You should by design have zone records for your subnets:

Best practice
http://www.xsanity.com/article.php/20060920201633799#private

I believe there is an RFC on it as well; sorry, I was not able to find it. I remember this as a few years ago an ISP I was working at did not have the RFC 1918 zone files for in-addr.arpa, and due to an attack, our upstreams were getting hammered with DNS queries. Once we added the zone files, the network was back to normal. We read in an RFC that we were not RFC compliant by not having zone files for the RFC 1918 space.

http://en.wikipedia.org/wiki/Blackhole_server

Billy
0
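The original question (which AD Sites and Services subnets lack a reverse zone) and rfc1180's point (serve the RFC 1918 reverse zones locally so private-address PTR queries never reach the upstream resolvers) are the same audit: map each network to the in-addr.arpa zone names that would cover it, then compare against the zones the DNS server actually hosts. The Python script below is an added example, not code from this thread or from Microsoft; it assumes reverse zones are cut on octet boundaries (/8, /16 or /24, which is what the Windows New Zone wizard creates), so a /23 needs two /24 zones and a /25 is mapped to its enclosing /24 rather than an RFC 2317-style delegation. The subnet and zone lists in it are constructed for the illustration.

```python
"""Reverse-zone coverage audit for a list of subnets (added example).

Constructed inputs: the subnets stand in for the list exported from AD Sites
and Services, the zone names for the reverse zones the DNS server hosts.
Assumption: zones are created on octet boundaries, as the Windows DNS
New Zone wizard does, so non-octet prefixes are rounded to the enclosing
/8, /16 or /24.
"""
import ipaddress

# Constructed: what AD Sites and Services lists.
AD_SUBNETS = ["10.1.2.0/24", "10.1.4.0/23", "192.168.100.128/25", "172.16.0.0/16"]

# Constructed: reverse zones already present on the DNS server.
EXISTING_ZONES = ["2.1.10.in-addr.arpa", "16.172.in-addr.arpa"]

# The private blocks rfc1180 refers to; passing these to the audit shows
# which of their reverse zones are not served locally.
RFC1918_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zone_names(subnet):
    """in-addr.arpa zone names covering `subnet` on octet boundaries.

    10.1.2.0/24 -> ['2.1.10.in-addr.arpa']
    10.1.4.0/23 -> ['4.1.10.in-addr.arpa', '5.1.10.in-addr.arpa']
    10.0.0.0/8  -> ['10.in-addr.arpa']
    """
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only: %s" % subnet)
    # Pick the octet boundary at or above the prefix length.
    if net.prefixlen <= 8:
        zone_prefix = 8
    elif net.prefixlen <= 16:
        zone_prefix = 16
    else:
        zone_prefix = 24
    # A /25, /26 ... lives inside one /24 zone (classless delegation aside).
    if net.prefixlen > zone_prefix:
        net = net.supernet(new_prefix=zone_prefix)
    names = []
    for piece in net.subnets(new_prefix=zone_prefix):
        octets = str(piece.network_address).split(".")[: zone_prefix // 8]
        names.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return names


def _covered(zone, existing):
    """True if `zone` or one of its parent zones (e.g. 10.in-addr.arpa for
    2.1.10.in-addr.arpa) is in `existing`; a parent zone already answers
    for everything beneath it."""
    labels = zone.split(".")
    for i in range(0, len(labels) - 2):
        if ".".join(labels[i:]) in existing:
            return True
    return False


def missing_reverse_zones(subnets, existing_zones):
    """Return {subnet: [zone names needed but not hosted]} for subnets with gaps."""
    existing = {z.lower().rstrip(".") for z in existing_zones}
    report = {}
    for subnet in subnets:
        missing = [z for z in reverse_zone_names(subnet) if not _covered(z, existing)]
        if missing:
            report[subnet] = missing
    return report


if __name__ == "__main__":
    for subnet, zones in missing_reverse_zones(AD_SUBNETS, EXISTING_ZONES).items():
        print("%-20s missing: %s" % (subnet, ", ".join(zones)))
    gaps = missing_reverse_zones(RFC1918_BLOCKS, EXISTING_ZONES)
    print("RFC 1918 reverse zones not served locally: %d" % sum(map(len, gaps.values())))
```

The second call reproduces rfc1180's scenario: with only `16.172.in-addr.arpa` hosted, PTR queries for the rest of 172.16/12, all of 10/8 and 192.168/16 would leave the network. The reported zone names are the ones to create; on Windows Server the reverse zone for a /24 such as `10.1.4.0/24` is named exactly as the function prints it, `4.1.10.in-addr.arpa`.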
 
LVL 10

Assisted Solution

by:Muzafar Momin
Muzafar Momin earned 100 total points
ID: 35024821
Yes, to handle DNS queries smoothly.
0