Should you have a DNS reverse lookup zone for every subnet?

This question comes from a conversation that a few coworkers and I had. When using Active Directory-integrated DNS, should you have a reverse lookup zone created for each subnet that is in AD Sites and Services?

We have just acquired another company, and they have many more subnets in AD Sites and Services than they have reverse lookup zones in DNS. I think there should be a reverse lookup zone for every subnet that is in use. I have seen some websites that say a reverse lookup zone is not 100% necessary.

Does anyone have any info either backing up this opinion or disputing it? I am looking for what others are doing.
Joseph Daly asked:
rfc1180 commented:
You should, by design, have zone records for your subnets:

Best practice
http://www.xsanity.com/article.php/20060920201633799#private

I believe there is an RFC on it as well; sorry, I was not able to find it. I remember this because a few years ago an ISP I was working at did not have the RFC 1918 zone files for in-addr.arpa, and due to an attack our upstreams were getting hammered with DNS queries. Once we added the zone files, the network was back to normal. We read in an RFC that we were not RFC compliant by not having zone files for the RFC 1918 space.

http://en.wikipedia.org/wiki/Blackhole_server

Billy
 
rscottvan commented:
You only need a reverse zone if you need to resolve names from IP addresses. On private networks, if DHCP or clients are registering dynamically with DNS, it can be helpful to find out what device picked up what DHCP address.

If you're talking about public address space, the most common need for RDNS is for mail servers.  Many mail servers will only accept mail from servers whose RDNS records match their DNS A record.

So, if you need to find the name of a host by pinging or performing an nslookup by IP address, then you'll need the reverse DNS zones. If you don't have a need for that functionality, they are not required.
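The mail-server behaviour described in the answer above (only accepting mail from hosts whose reverse record points at a name that resolves back to the same address) is a forward-confirmed reverse DNS check. The following is an added example written for this page, not code from the thread or from any mail product. The lookups are passed in as script blocks so the logic can be exercised offline against a constructed, made-up zone table; the `Resolve-DnsName`-backed resolvers at the bottom are what you would pass in for a live check. Every hostname and address in it is an assumption.

```powershell
# Added example (not from the original thread): forward-confirmed reverse DNS.
# A PTR on its own proves nothing, because whoever controls the reverse
# delegation for the address block can put any name in it; the name only
# counts if its A record leads back to the connecting IP.
function Test-ForwardConfirmedReverseDns {
    param(
        [Parameter(Mandatory)][string]$ClientIp,
        [Parameter(Mandatory)][scriptblock]$PtrLookup,   # ip   -> string[] of hostnames
        [Parameter(Mandatory)][scriptblock]$ALookup      # name -> string[] of addresses
    )
    $ptrs = @(& $PtrLookup $ClientIp)
    if ($ptrs.Count -eq 0) {
        return [pscustomobject]@{ Ip = $ClientIp; Result = 'NoPtr'; Hostname = $null }
    }
    foreach ($name in $ptrs) {
        # Confirmed only when the forward lookup of the PTR target includes the
        # original address; the first confirming name wins.
        $addrs = @(& $ALookup $name)
        if ($addrs -contains $ClientIp) {
            return [pscustomobject]@{ Ip = $ClientIp; Result = 'Confirmed'; Hostname = $name }
        }
    }
    return [pscustomobject]@{ Ip = $ClientIp; Result = 'Mismatch'; Hostname = ($ptrs -join ',') }
}

# Constructed zone data (assumption, documentation addresses only): one sender
# whose PTR and A agree, one whose PTR names a host that resolves elsewhere,
# and one with no PTR at all.
$fakePtr = @{ '192.0.2.25' = @('mail.example.net'); '192.0.2.26' = @('mail.example.net') }
$fakeA   = @{ 'mail.example.net' = @('192.0.2.25') }
$offlinePtr = { param($ip)   if ($fakePtr.ContainsKey($ip))   { $fakePtr[$ip] }   else { @() } }
$offlineA   = { param($name) if ($fakeA.ContainsKey($name))   { $fakeA[$name] }   else { @() } }

'192.0.2.25', '192.0.2.26', '192.0.2.27' |
    ForEach-Object { Test-ForwardConfirmedReverseDns -ClientIp $_ -PtrLookup $offlinePtr -ALookup $offlineA } |
    Format-Table -AutoSize

# Live resolvers for real use (Resolve-DnsName ships with the DnsClient module):
$livePtr = { param($ip)
    (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue | Where-Object Type -eq 'PTR').NameHost }
$liveA   = { param($name)
    (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress }
```

The three constructed addresses exercise the three outcomes a receiving server distinguishes: a confirmed sender, a PTR that does not round-trip, and an address with no PTR. The last two are exactly the cases that appear when a reverse zone is missing or stale, which is why public mail hosts need their in-addr.arpa records kept in step with their A records.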
 
afthab commented:
It is not compulsory to have a reverse lookup entry in your DNS. I hope you are aware of the function of the lookup zones:

Forward lookup --> resolves an IP from a domain name (FQDN) using A records (you can see A records in the FLZ)
Reverse lookup --> resolves a domain name from an IP with the help of PTR records (that's why PTR records are in the RLZ)

Suppose you have not set a reverse entry for your web site; see what will happen?
You will not be able to open your website using the IP.

And it's compulsory for some applications, mail services, etc. If your DNS is integrated with AD, it should automatically update both zones (http://technet.microsoft.com/en-us/library/cc978010.aspx).

Absence of an RLZ may create some event entries on the server as well.



FYI:

http://www.menandmice.com/knowledgehub/dnsqa/56/
 
Todd Gerbert (IT Consultant) commented:
I have noticed that some WMI services don't work correctly when a command is run against an IP address and the reverse lookup for that address is incorrect, which leads me to believe there might be even more problems if there was no reverse lookup zone at all. I would imagine there are probably other services that might depend on reverse lookups.

I'm not sure whether or not Windows has some other means for mapping an IP address to a host, nor do I know what the "official" best practice is, but I always have a reverse zone for each subnet.
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
You have to consider whether you have any application in your environment which uses IP address to host name resolution. If so, you need a reverse lookup zone for that subnet. But I don't think it's necessary to have reverse lookup zones for each subnet. You definitely need forward lookup zones, but if it's important to you and your environment (applications) you can create reverse lookup zones. Reverse lookup zones require more attention because of stale PTR records, so the bigger the number of reverse zones, the more attention is required to keep PTR records up to date :) (for that you need to use Aging and Scavenging to prevent stale records).

Regards,
Krzysztof
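The question, and the two answers above that say "one reverse zone per subnet" versus "only where an application needs it", both come down to knowing which AD subnets are actually covered by an in-addr.arpa zone. The script below is an added example written for this page, not code from the thread or from Microsoft: it reads the IPv4 subnets from AD Sites and Services, reads the reverse zones from a DNS server, and reports each subnet as covered, partially covered, or missing. It goes a little beyond the /24 case discussed here: a subnet that is not octet-aligned (a /22, say) is reported as partially covered when only some /24 zones inside it exist. It assumes the RSAT ActiveDirectory and DnsServer modules, an account that can read AD and query the DNS server, and a placeholder `$DnsServer`; IPv6 subnets and RFC 2317-style classless zone names are skipped. Zone creation is opt-in and uses only octet-aligned subnets, because only those map to a single in-addr.arpa zone.

```powershell
<#
  Added example (not from the original thread or from Microsoft): list AD Sites
  and Services subnets that no in-addr.arpa zone on the DNS server covers.
  Assumes the RSAT ActiveDirectory and DnsServer modules; $DnsServer is a
  placeholder. Only IPv4 / in-addr.arpa is handled.
#>
#Requires -Modules ActiveDirectory, DnsServer
param(
    [string]$DnsServer = $env:COMPUTERNAME,  # assumption: a DC hosting AD-integrated DNS
    [switch]$CreateMissing                    # opt-in: create zones for uncovered subnets
)

# "1.10.in-addr.arpa" -> @('10','1'); $null for ip6.arpa zones and for RFC 2317
# style classless names, which this example does not handle.
function ConvertFrom-ReverseZoneName {
    param([string]$ZoneName)
    if ($ZoneName -notmatch '^(?<labels>(\d{1,3}\.){1,3})in-addr\.arpa\.?$') { return $null }
    $labels = $Matches['labels'].TrimEnd('.').Split('.')
    [array]::Reverse($labels)
    return $labels
}

# Dotted quad -> Int64 so the masking below is plain integer arithmetic.
function ConvertTo-Int64Address {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-NetworkMask {
    param([int]$PrefixLength)
    return [int64]4294967296 - [int64][math]::Pow(2, 32 - $PrefixLength)
}

# 'full' when the zone's network contains the whole subnet, 'partial' when the
# zone is smaller and sits inside the subnet (one /24 zone for a /22 subnet),
# 'none' otherwise.
function Test-ReverseZoneCoverage {
    param([string]$ZoneName, [string]$SubnetCidr)
    [string[]]$octets = ConvertFrom-ReverseZoneName $ZoneName
    if (-not $octets) { return 'none' }
    $zonePrefix = $octets.Count * 8
    $zoneAddr   = ConvertTo-Int64Address (($octets + (@('0') * (4 - $octets.Count))) -join '.')
    $net, $len  = $SubnetCidr.Split('/')
    $subAddr    = ConvertTo-Int64Address $net
    $subPrefix  = [int]$len
    if ($zonePrefix -le $subPrefix) {
        if (($subAddr -band (Get-NetworkMask $zonePrefix)) -eq $zoneAddr) { return 'full' }
        return 'none'
    }
    $subMask = Get-NetworkMask $subPrefix
    if (($zoneAddr -band $subMask) -eq ($subAddr -band $subMask)) { return 'partial' }
    return 'none'
}

$subnets = Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Name -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$' }   # IPv4 only
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsReverseLookupZone -and $_.ZoneName -like '*.in-addr.arpa' }

$report = foreach ($s in $subnets) {
    $full = @(); $partial = @()
    foreach ($z in $zones) {
        switch (Test-ReverseZoneCoverage $z.ZoneName $s.Name) {
            'full'    { $full    += $z.ZoneName }
            'partial' { $partial += $z.ZoneName }
        }
    }
    $state = if ($full) { 'Covered' } elseif ($partial) { 'Partial' } else { 'Missing' }
    [pscustomobject]@{
        Subnet   = $s.Name
        Site     = $s.Site -replace '^CN=([^,]+),.*', '$1'   # site DN -> site name
        Coverage = $state
        Zones    = ($full + $partial) -join ' '
    }
}
$report | Sort-Object Coverage, Subnet | Format-Table -AutoSize

# Optional remediation. Only octet-aligned subnets map to a single
# in-addr.arpa zone; anything else needs the enclosing or per-/24 zones chosen
# by hand. Secure dynamic update keeps PTR registration tied to AD identities.
if ($CreateMissing) {
    foreach ($r in ($report | Where-Object Coverage -eq 'Missing')) {
        if ([int]$r.Subnet.Split('/')[1] % 8 -ne 0) {
            Write-Warning "Skipping $($r.Subnet): not octet-aligned"; continue
        }
        Add-DnsServerPrimaryZone -ComputerName $DnsServer -NetworkId $r.Subnet `
            -ReplicationScope Domain -DynamicUpdate Secure
    }
}
```

Run it read-only first and review the Partial and Missing rows against the site list; in an acquired environment the subnets with no coverage are usually the ones whose hosts also register no PTR records, so once zones are added, enabling aging and scavenging on them (as noted in the answer above) stops the new zones from filling with stale entries.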
 
Muzafar Momin commented:
Yes, to handle DNS queries smoothly.