Solved

Should you have a DNS reverse lookup zone for every subnet

Posted on 2011-03-02
8,233 Views
Last Modified: 2012-05-11
This question comes from a conversation that a few coworkers and I had. When using Active Directory integrated DNS, should you have a reverse lookup zone created for each subnet that is in AD Sites and Services?

We have just acquired another company, and they have many more subnets in AD Sites and Services than they do reverse lookup zones in DNS. I think there should be a reverse lookup zone for every subnet that is in use. I have seen some websites that say a reverse lookup is not 100% necessary.

Does anyone have any info either backing up this opinion or disputing it? I am looking for what others are doing.
Question by: Joseph Daly
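A concrete way to check what the question asks, as an added example (not from the asker or any of the answers): given the subnets defined in AD Sites and Services and the reverse lookup zones present on the DNS server, report which /24 blocks have no authoritative reverse zone. Both lists below are constructed sample data; in a real check they would be exported from Get-ADReplicationSubnet and Get-DnsServerZone.

```python
import ipaddress

# Constructed sample input (not real networks): the CIDR subnets defined in
# AD Sites and Services and the reverse zones present on the DNS server.
AD_SITE_SUBNETS = [
    "10.1.0.0/16",      # headquarters
    "10.2.4.0/22",      # acquired company, spans four /24 blocks
    "10.2.8.0/25",      # acquired company, half of a /24
    "192.168.50.0/24",  # branch office
]
REVERSE_ZONES = [
    "1.10.in-addr.arpa",    # one /16 zone covers all of 10.1.0.0/16
    "4.2.10.in-addr.arpa",
    "5.2.10.in-addr.arpa",
    "6.2.10.in-addr.arpa",  # 7.2.10.in-addr.arpa is missing
    "8.2.10.in-addr.arpa",  # a /24 zone also covers the /25 subnet
]

def zone_to_network(zone_name):
    """Map an octet-boundary in-addr.arpa zone name to the IPv4 network it is
    authoritative for. Returns None for ip6.arpa zones and for RFC 2317
    classless delegations (e.g. 0/25.5.1.10.in-addr.arpa), which are not handled."""
    suffix = ".in-addr.arpa"
    name = zone_name.lower().rstrip(".")
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if not 1 <= len(labels) <= 3 or not all(l.isdigit() for l in labels):
        return None
    octets = [int(l) for l in reversed(labels)]  # zone labels are in reverse order
    if any(o > 255 for o in octets):
        return None
    octets += [0] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(map(str, octets)), 8 * len(labels)))

def uncovered_blocks(subnets, zones):
    """Return the /24 (or smaller) blocks of the AD subnets that no reverse zone
    is authoritative for. A /22 needs four /24 zones or one /16 zone; a /25 is
    covered by its enclosing /24 zone."""
    zone_networks = [n for n in map(zone_to_network, zones) if n is not None]
    missing = []
    for cidr in subnets:
        subnet = ipaddress.ip_network(cidr, strict=False)
        blocks = [subnet] if subnet.prefixlen >= 24 else subnet.subnets(new_prefix=24)
        for block in blocks:
            if not any(block.subnet_of(zone) for zone in zone_networks):
                missing.append(str(block))
    return missing
```

Running `uncovered_blocks(AD_SITE_SUBNETS, REVERSE_ZONES)` on the sample data lists the blocks that still need a zone, which is the gap the asker found between Sites and Services and DNS after the acquisition.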
6 Comments
 
Expert Comment by: rscottvan
ID: 35024115
You only need a reverse zone if you need to resolve names from IP addresses. On private networks, if DHCP or clients are registering dynamically with DNS, it can be helpful to find what device picked up what DHCP address.

If you're talking about public address space, the most common need for RDNS is for mail servers.  Many mail servers will only accept mail from servers whose RDNS records match their DNS A record.

So, if you need to find the name of a host by pinging or performing an NSLookup by IP address then you'll need the Reverse DNS zones.  If you don't have a need for that functionality, they are not required.
 
Assisted Solution by: afthab (earned 100 total points)
ID: 35024198
It is not compulsory to have a reverse lookup entry in your DNS. I hope you are aware of the function of lookup zones.

Forward lookup --> resolves an IP from a domain name (FQDN) using A records (you can see A records in the FLZ)
Reverse lookup --> resolves a domain name from an IP with the help of PTR records (that's why PTR records are in the RLZ)

Suppose you have not set a reverse entry for your web site; see what will happen?
You will not be able to open your website using the IP.

And it's compulsory for some applications, mail services, etc. ... and if your DNS is integrated with AD, it should automatically update both zones (http://technet.microsoft.com/en-us/library/cc978010.aspx)

Absence of an RLZ may also create some event entries on the server.

FYI:

http://www.menandmice.com/knowledgehub/dnsqa/56/
 
Assisted Solution by: Todd Gerbert (earned 100 total points)
ID: 35024391
I have noticed some WMI services don't work correctly when a command is run against an IP address and the reverse lookup for that address is incorrect, which leads me to believe there might be even more problems if there was no reverse lookup zone at all.  I would imagine there are probably other services that might depend on reverse lookups.

I'm not sure whether or not Windows has some other means for mapping an IP address to a host, nor do I know what the "official" best practice is, but I always have a reverse zone for each subnet.
 
Assisted Solution by: Krzysztof Pytko (earned 100 total points)
ID: 35024588
You have to consider whether you have any application in your environment which uses IP address to host name resolution. If so, you need a reverse lookup zone for that subnet. But I don't think it's necessary to have reverse lookup zones for every subnet. You definitely need forward lookup zones, but if it's important to you and your environment (applications) you can create reverse lookup zones. Reverse lookup zones require more attention because of stale PTR records, so the more reverse zones you have, the more attention is required to keep PTR records up-to-date :) (you need to use Aging and Scavenging for that, to prevent stale records).

Regards,
Krzysztof
 
Accepted Solution by: rfc1180 (earned 100 total points)
ID: 35024645
You should, by design, have zone records for your subnets:

Best practice
http://www.xsanity.com/article.php/20060920201633799#private

I believe there is an RFC on it as well; sorry, I was not able to find it. I remember this because a few years ago an ISP I was working at did not have the RFC 1918 zone files for in-addr.arpa, and due to an attack, our upstreams were getting hammered with DNS queries. Once we added the zone files, the network was back to normal. We read in an RFC that we were not RFC compliant by not having zone files for the RFC 1918 space.

http://en.wikipedia.org/wiki/Blackhole_server

Billy
 
Assisted Solution by: Muzafar Momin (earned 100 total points)
ID: 35024821
Yes, to handle DNS queries smoothly.