Ca Clo

Do I need a Reverse DNS Pointer?

I'm having trouble accessing a couple of websites and I've discovered that we do not have a reverse
We hold our own xxx.xxx.xxx.xxx/024 range and using this we have 2x firewalls in a clustered configuration with a front facing IP of xxx.xxx.xxx.001.
I have just found out that there is no Reverse DNS pointer, but we do have the nameserver of our ISP and also Google in the firewall's settings' name server location.
We've never had a problem previously, and after checking through the DNS settings on the internal servers (Svr1 - 2012 Std OS, Svr2 - 2012 Std R2 OS) I've been able to find no errors that indicate that DNS isn't working.

If I do an nslookup of xxx.xxx.xxx.001 I get a response back of:
   ***servername.ABC.local can't find xxx.xxx.xxx.001: Non-Existent domain

This is a similar message that is seen when trying to access these couple of websites:
   DNS_PROBE_FINISHED_NXDOMAIN
which is why I think it may be the reverse pointer that is now required.

Our main website is hosted by another provider, but they won't host any reverse pointer settings using our office location IP address (front facing IP of the firewall), although they do hold all of our other DNS zone records.

Has anyone got any ideas as to the best way to resolve or add this pointer into the mix?
I really am not sure what to do next.


kevinhsieh

It isn't a reverse DNS issue. The only things that care about reverse DNS that I can think of are SMTP and SSH.

Where are the web sites that you can't access? Are they behind your firewall? Where are the clients that can't access? Are they behind the same firewall?

Oftentimes you may try to access a resource and DNS returns the public IP, but the client and resource are both behind the same firewall. In that case the client usually needs to access via the private IP of the web server, not the public IP.

This can be resolved by adding a record in internal DNS, or changing firewall behavior (usually pretty complicated).

Ca Clo

ASKER

Hi Kevin

The websites are outside the firewall, they have all been whitelisted.
The clients are behind the firewall on the local network.
4 websites cannot be accessed externally from the internal network.
www.textron.com
www.txtav.com
www.cessna.txtav.com
www.tonymacx86.com

They just persist in presenting the NXDomain error, which is why I thought of Reverse DNS.

Other Australian and international sites present perfectly, so it's just a bit bizarre.






1) I'm having trouble accessing a couple of websites...

Define what "access" might mean... SSH, SFTP, IMAPS, HTTPS, RDP... access can mean many things.

2) and I've discovered that we do not have a reverse.

DNS PTR records are generally only used by SMTP to verify identity of sending IPs, so if "access" is any non-SMTP protocol, then likely no PTR record is required.
Aside: Be aware only an IP owner can set a PTR record, so this will be your hosting company, provisioning company or ISP.

So if you do require a PTR record, you must set this by some upstream provider UI or by opening a support ticket with the IP owner.

1) Can you do this yourself in your DNS? Yes!

2) Will it work? No.

Kimputer

You shouldn't have done

nslookup IP_nr

You should have done

nslookup hostname

then followed by

server 8.8.8.8
nslookup hostname

That way you'll know the difference your own DNS server returns, and what the "rest of the world" sees.
If you see it's not the same, add the entry to your own DNS server (you've probably overwritten it with your own custom entries).
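
The comparison described in this thread, as an added example that is not part of any poster's reply: it shows that `nslookup` on an IP asks a PTR question while `nslookup` on a hostname asks an A question, and compares the reply codes from an internal resolver and 8.8.8.8. The address 192.0.2.1, the name www.example.com and the reply bytes used to exercise it are constructed placeholders; the internal resolver address is whatever you pass to `ask()`.

```python
import ipaddress
import socket
import struct

QTYPE = {"A": 1, "PTR": 12}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def question_for(arg):
    """Return the (qname, qtype) that `nslookup <arg>` actually asks."""
    try:
        ip = ipaddress.ip_address(arg)
    except ValueError:
        return arg.rstrip("."), "A"        # hostname: forward lookup
    return ip.reverse_pointer, "PTR"       # IP address: reverse lookup

def build_query(qname, qtype, txid=0x1234):
    """Encode a single-question DNS query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def parse_reply(reply):
    """Return (rcode name, answer count) from a DNS reply header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), ancount

def ask(server, arg, timeout=3.0):
    """Send the question for `arg` to one resolver over UDP port 53."""
    qname, qtype = question_for(arg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        return parse_reply(s.recvfrom(512)[0])

def compare(internal, public):
    """Interpret (rcode, ancount) results for the same hostname."""
    if internal[0] == "NXDOMAIN" and public[0] == "NOERROR":
        return "internal DNS is missing a name the public resolver has"
    if internal[0] == public[0]:
        return "both resolvers return " + public[0]
    return "resolvers disagree: %s vs %s" % (internal[0], public[0])
```

Call `compare(ask(internal_dns_ip, name), ask("8.8.8.8", name))` for each hostname that fails in the browser.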

Ca Clo

ASKER

Thanks David Favor
Yes it's just a bit weird.
We are using a MS 365 Exchange world these days and it's only the following sites we're having any issues with:
www.textron.com
www.txtav.com
www.cessna.txtav.com
www.tonymacx86.com 
that cannot be accessed via any browser.

We own the full /24 domain range so I will try and co-ord this with the ISP.



Exchange has nothing to do with your browser problems.

Did you follow any of my steps yet?

1) Follow @Kimputer's steps.

2) Answer my questions.

You still aren't clear about what "access" means.

Reading your comment carefully, likely @Kimputer's suggestions will show the problem.

As it appears you're running some internal DNS services that are munged/broken.
ASKER CERTIFIED SOLUTION
David Favor