Avatar of Ca Clo
Ca Clo
Flag for Australia asked on

Do I need a Reverse DNS Pointer?

I'm having trouble accessing a couple of websites and I've discovered tat we do not have a reverse
We hold our own xxx.xxx.xxx.xxx/024 range and using this we have 2x firewalls in a clustered configuration with a front facing IP of xxx.xxx.xxx.001
I have just found out that there is no Reverse DNS pointer but we do have the Nameserver of our ISP and also Google in the firewall's setting's name server location.
We've never had a problem previously and after checking through the DNS Setting on the internal servers(Svr1 - 2012 Std OS, Svr2 - 2012 Std R2 OS)  I've been able to find no errors that indicate that DNS isn't working.

If I do an nslookup of xxx.xxx.xxx.001 I get a response back of:
   ***servername.ABC.local can't find xxx.xxx.xxx.001: Non-Existent domain

This is a similar message that is seen when trying to access these couple of websites:
which is why I think it may be the reverse pointer that is now required.

Our main website is hosted by another provider but they won't host any reverse pointer settings using our Office location IP address (front facing IP of the firewall) although they do hold all of other other DNS zone records

Has anyone got any ideas as to the best way to resolve or add this pointer into the mix.
I really am not sure what to do next.

DNSNetwork Management

Avatar of undefined
Last Comment
David Favor

8/22/2022 - Mon

It isn't a reverse DNS issue. The only things that care about reverse DNS that I can think of are SMTP and SSH.

Where are the web sites that you can't access? Are they behind your firewall? Where are the clients that can't access? Are they behind the same firewall?

Often times you may try to access a resource and DNS returns the public IP, but the client and resource are both behind the same firewall. In that case the client usually needs to access via the private IP of the web server, not the public IP.

This can be resolved by adding  record in internal DNS, or changing firewall behavior (usually pretty complicated).
Ca Clo

Hi Kevin

The websites are outside the firewall, they have all been whitelisted.
The clients are behind the firewall on the local network.
4 websites cannot be accessed externally from the internal network.

they just persist in presenting the NXDomain error which is why I thought of Reverse DNS.

Other Australian and International sites present perfectly so it's just a bit bizarre

David Favor

1) I'm having trouble accessing a couple of websites...

Define what "access" might mean... SSH, SFTP, IMAPS, HTTPS, RDP... access can mean many things.

 2) and I've discovered tat we do not have a reverse.

DNS PTR records are generally only used by SMTP to verify identity of sending IPs, so if "access" is any non-SMTP protocol, then likely no PTR record is required.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
David Favor

Aside: Be aware only an IP owner can set a PTR record, so this will be your hosting company, provisioning company or ISP.

So if you do require a PTR record, you must set this by some upstream provider UI or by opening a support ticket with the IP owner.

1) Can you do this yourself in your DNS? Yes!

2) Will it work? No.

You shouldn't have done

nslookup IP_nr

You should have done

nslookup hostname

then followed by

nslookup hostname

That way you'll know the difference your own DNS server returns, and what the "rest of the world" sees.
If you see it's not the same, add the entry to your own DNS server (you probably overwritten it with your own custom entries).

Ca Clo

Thanks David Favor
Yes it's just a bit weird.
We are using a MS 365 Exchange world these days and it's only the following sites we're having any issues with:
that cannot be accessed via any browser.

We own the full /24 domain range so I will try and co-ord this with the ISP.

Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.

Exchange has nothing to do with your browser problems.

Did you follow any of my steps yet?

David Favor

1) Follow @Kimputer's steps.

2) Answer my questions.

You still aren't clear about what "access" means.

Reading your comment carefully, likely @Kimputer's suggestions will show the problem.

As it appears you're running some internal DNS services that are munged/broken.
David Favor

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.