
Forward lookup works, reverse does not.


Haploid
Jul 29, 2004

Hi I am new at DNS, and I need some help.

I have a server hosting 3 websites to the public. The server is also acting as a mail server. In addition it is hosting DNS. When I do a DNS lookup of my server from the outside world (dnsstuff.com) it works just fine. When I do a reverse lookup on my IP address, it says that my server is reporting that no PTR records exist. When I open the DNS manager, clearly the correct pointer records are there. I have had some mail servers reject my mail as a result.

The public IP addresses for the server are NAT'ed through a firewall to private IP addresses. In addition, the traffic is passing through an ACL on the router. I do not believe the firewall is the problem, as it is set to allow any DNS traffic through TCP and UDP, and forward lookups work fine.

One last note, when I am on the private IP address subnet, (on a different server for example) nslookup works just fine for both the forward and reverse lookup zones. Does this suggest that it IS a firewall issue?

Thanks for the help.
 
Did your ISP delegate PTR authority for your IPs? I ran into this with Qwest a while back because when they assigned us a subnet from a Class C, they didn't delegate reverse address authority, so no matter what I had set up it wouldn't resolve PTRs.
 
Thanks for the quick response m4ilm4n, I will check with my ISP today.
 
The way I read this is you have given full passthrough rights to your internal DNS? I don't know if your company values its data, but as a general rule you might want to keep attackers from having their way with your internal zones. You might try setting up an EXTERNAL DNS server within a DMZ and only populate it with devices on the DMZ. You can add the e-mail server's external IP address and FQHN in the reverse lookup zone. Best case if you need Forward and Reverse lookup is to only allow external DNS to talk to internal DNS via PORT 53. The NSA published a nice document in 2001 about securing DNS, I think it still applies now.
 
Hi ShoKashuki, thanks for the reply, my setup is almost exactly as you suggest. My external DNS server is within a DMZ. I also have an internal DNS server which works just fine. Sorry for the confusion. Thanks for the link to the article as well, lots of good information.
 
Checked with my ISP, according to the guy I talked to, they already gave us PTR authority. When I check on DNSstuff.com, here are the results I get:
-----
Asking g.root-servers.net for 110.99.198.64.in-addr.arpa PTR record:
g.root-servers.net says to go to figwort.arin.net. (zone: 64.in-addr.arpa.)
Asking figwort.arin.net. for 110.99.198.64.in-addr.arpa PTR record:
figwort.arin.net [192.42.93.32] says to go to ns1.mcleodusa.net. (zone: 198.64.in-addr.arpa.)
Asking ns1.mcleodusa.net. for 110.99.198.64.in-addr.arpa PTR record: Got CNAME referral to ns.sstransport.com. (zone 110.96/27.99.198.64.in-addr.arpa.) [from 209.253.113.2]
Asking ns.sstransport.com. for 110.96/27.99.198.64.in-addr.arpa. PTR record: Reports that no PTR records exist [from 64.198.99.110].

Answer:
No PTR records exist for 64.198.99.110. [Neg TTL=3600 seconds]

Details:
ns.sstransport.com. (an authoritative nameserver for 99.198.64.in-addr.arpa., which is in charge of the reverse DNS for 64.198.99.110)says that there are no PTR records for 64.198.99.110.
-----
The way I understand this is the query is getting to my server, but my server is responding by saying that no PTR records exist. This is not the case as clearly my DNS server has PTR records. Could my ISP still be at fault? Would I get these results if my ISP did not in fact give me PTR authority? What else could be wrong with my configuration?

Thanks
 
I figured out the problem with DNS. My ISP had a CNAME referral in their DNS records to a different zone name. The reverse requests were getting to my server, but since that name didn’t exist, my server correctly responded that there were no PTR records. I didn’t get any results after calling my ISP so I created a new zone in the reverse records and named it what the CNAME referral was. It started working right away. This also explains why internal reverse requests were working because they were not getting passed to my ISP’s DNS server.
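The failure mode described in this thread is the classless (RFC 2317) reverse delegation: the ISP answers the classful name with a CNAME into a "/27" zone, so the PTR must live under that name on the customer's server, not under 99.198.64.in-addr.arpa. The following is an added example, not code from the thread, that models the chain dnsstuff traced with constructed records (the /27 boundary 64.198.99.96/27, the standard RFC 2317 zone layout, and the hostname mail.example.com are assumptions) and shows why the original zone name returned "no PTR records" while internal lookups still worked:

```python
import ipaddress

def classful_owner(ip):
    """Classic in-addr.arpa owner name for an IPv4 address."""
    o1, o2, o3, o4 = ip.split(".")
    return f"{o4}.{o3}.{o2}.{o1}.in-addr.arpa."

def rfc2317_owner(ip, cidr):
    """RFC 2317 owner name the ISP's CNAME points at for an address in a sub-/24 block."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(cidr, strict=False)
    if addr not in net or not 24 < net.prefixlen < 32:
        raise ValueError("address must be inside a block smaller than a /24")
    o1, o2, o3, o4 = str(addr).split(".")
    first = str(net.network_address).split(".")[3]
    return f"{o4}.{first}/{net.prefixlen}.{o3}.{o2}.{o1}.in-addr.arpa."

# Constructed ISP zone: every classful name in the /27 is a CNAME into the customer's zone.
ISP_ZONE = {
    classful_owner(str(h)): ("CNAME", rfc2317_owner(str(h), "64.198.99.96/27"))
    for h in ipaddress.ip_network("64.198.99.96/27").hosts()
}

def customer_zone(apex):
    """Constructed customer server: one reverse zone with a PTR for host .110.
    The PTR owner is relative to the apex, so it only matches when the apex is the
    zone the ISP's CNAME really points into (assumed hostname, not from the thread)."""
    return {f"110.{apex}": ("PTR", "mail.example.com.")}

def resolve_ptr(ip, isp_zone, customer):
    """Follow the chain as dnsstuff did: ISP answer first, then ask the customer server.
    Passing an empty isp_zone models an internal client that queries the server directly."""
    name = classful_owner(ip)
    rtype, target = isp_zone.get(name, (None, None))
    if rtype == "CNAME":
        name = target            # query continues under the RFC 2317 name
    rec = customer.get(name)
    return None if rec is None else rec[1]   # None == "no PTR records exist"

if __name__ == "__main__":
    ip = "64.198.99.110"
    print("classful zone, via ISP :", resolve_ptr(ip, ISP_ZONE, customer_zone("99.198.64.in-addr.arpa.")))
    print("RFC 2317 zone, via ISP :", resolve_ptr(ip, ISP_ZONE, customer_zone("96/27.99.198.64.in-addr.arpa.")))
    print("classful zone, internal:", resolve_ptr(ip, {}, customer_zone("99.198.64.in-addr.arpa.")))
```

The first lookup reproduces the "no PTR records exist" answer, the second succeeds once the zone apex matches the CNAME target, and the third shows why internal clients that never pass through the ISP's zone were unaffected.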
 