Reverse DNS, as Mak and Alex have said, has been delegated from Voi (I did it 6-8 
months ago) to Skullspace directly at the nameserver level -- coincidentally 
using a $GENERATE much like below. 

dig with the +trace shows this delegation top-down from . thru ns1-wp and 
ns2-wp.voinetworks.net and finally dns.skullspace.ca and dns.nepharia.org.

# dig -x 206.220.196.50 +trace

; <<>> DiG 9.8.4-P2 <<>> -x 206.220.196.50 +trace
;; global options: +cmd
.                       275501  IN      NS      a.root-servers.net.
.                       275501  IN      NS      e.root-servers.net.
.                       275501  IN      NS      g.root-servers.net.
.                       275501  IN      NS      l.root-servers.net.
.                       275501  IN      NS      m.root-servers.net.
.                       275501  IN      NS      h.root-servers.net.
.                       275501  IN      NS      j.root-servers.net.
.                       275501  IN      NS      f.root-servers.net.
.                       275501  IN      NS      k.root-servers.net.
.                       275501  IN      NS      b.root-servers.net.
.                       275501  IN      NS      i.root-servers.net.
.                       275501  IN      NS      c.root-servers.net.
.                       275501  IN      NS      d.root-servers.net.
;; Received 512 bytes from 206.220.196.254#53(206.220.196.254) in 879 ms

in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      a.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      b.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      d.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.
in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.
;; Received 421 bytes from 192.5.5.241#53(192.5.5.241) in 684 ms

206.in-addr.arpa.       86400   IN      NS      r.arin.net.
206.in-addr.arpa.       86400   IN      NS      t.arin.net.
206.in-addr.arpa.       86400   IN      NS      u.arin.net.
206.in-addr.arpa.       86400   IN      NS      v.arin.net.
206.in-addr.arpa.       86400   IN      NS      w.arin.net.
206.in-addr.arpa.       86400   IN      NS      x.arin.net.
206.in-addr.arpa.       86400   IN      NS      y.arin.net.
206.in-addr.arpa.       86400   IN      NS      z.arin.net.
;; Received 181 bytes from 199.253.183.183#53(199.253.183.183) in 93 ms

196.220.206.in-addr.arpa. 86400 IN      NS      ns-wp2.voinetworks.net.
196.220.206.in-addr.arpa. 86400 IN      NS      ns-wp1.voinetworks.net.
;; Received 102 bytes from 192.42.93.32#53(192.42.93.32) in 53 ms

50.196.220.206.in-addr.arpa. 3600 IN    NS      dns.skullspace.ca.
50.196.220.206.in-addr.arpa. 3600 IN    NS      dns.nepharia.org.
;; Received 106 bytes from 206.220.196.222#53(206.220.196.222) in 36 ms

50.196.220.206.in-addr.arpa. 60 IN      PTR     unnamed.skullspace.ca.
196.220.206.in-addr.arpa. 60    IN      NS      dns.nepharia.org.
196.220.206.in-addr.arpa. 60    IN      NS      dns.skullspace.ca.
;; Received 160 bytes from 206.220.196.53#53(206.220.196.53) in 2 ms


Not to go overly anal on the RFCs and whatnot :-) (RFC1035, RFC1912 section 
2.1) .. but hosts really should have a matching forward DNS record. It's better 
to have no PTR than to have a PTR with no matching A -- it causes loud messages 
like this in many services (ssh, smtp, etc).

If having PTRs on every IP is really important (let's be honest :-), it looks 
nice), $GENERATE in BIND can be really handy to make multiple (contiguous) 
unique PTRs and their associated matching A's.

ex:
in-addr.arpa zone(s)
$GENERATE 2-64 $ IN PTR    h$-193-220-206.skullspace.ca.

skullspace.ca zone
$GENERATE 2-64  h$-193-220-206.skullspace.ca.  IN A  206.220.193.$

-- 
Theo
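
Added example, not part of the original message: a small offline check that expands the two $GENERATE lines above and confirms every PTR target has an A record pointing back at the same IP, which is the lookup sshd complained about. The reverse-zone origin (193.220.206.in-addr.arpa.) and the function names are assumptions made for the example; only the plain `$` form of $GENERATE is handled.

```python
import re

# The two $GENERATE lines from the message; the reverse-zone origin is an assumption.
PTR_LINE = "$GENERATE 2-64 $ IN PTR    h$-193-220-206.skullspace.ca."
A_LINE = "$GENERATE 2-64  h$-193-220-206.skullspace.ca.  IN A  206.220.193.$"
REVERSE_ORIGIN = "193.220.206.in-addr.arpa."
# The PTR returned in the dig trace above; sshd's forward lookup of its target failed.
UNNAMED_PTR = ("50.196.220.206.in-addr.arpa.", "PTR", "unnamed.skullspace.ca.")

GENERATE_RE = re.compile(r"\$GENERATE\s+(\d+)-(\d+)\s+(\S+)\s+IN\s+(PTR|A)\s+(\S+)\s*$")

def expand_generate(line, origin):
    """Expand one $GENERATE line into (owner, type, rdata) tuples.
    Handles only the plain '$' form, not ${offset,width,base} or a step."""
    m = GENERATE_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported $GENERATE line: " + line)
    start, stop, lhs, rtype, rhs = m.groups()
    records = []
    for i in range(int(start), int(stop) + 1):
        owner = lhs.replace("$", str(i))
        if not owner.endswith("."):          # relative owner: append the zone origin
            owner = owner + "." + origin
        records.append((owner.lower(), rtype, rhs.replace("$", str(i)).lower()))
    return records

def ptr_owner_to_ip(owner):
    """'50.196.220.206.in-addr.arpa.' -> '206.220.196.50'"""
    return ".".join(reversed(owner.split(".")[:4]))

def unconfirmed_ptrs(ptr_records, a_records):
    """Return (ip, target) for each PTR whose target has no A record for that IP."""
    forward = {}
    for name, _, ip in a_records:
        forward.setdefault(name, set()).add(ip)
    failures = []
    for owner, _, target in ptr_records:
        ip = ptr_owner_to_ip(owner)
        if ip not in forward.get(target, set()):
            failures.append((ip, target))
    return failures

def check_example():
    """Generated PTR/A pairs confirm each other; the 'unnamed' PTR does not."""
    ptrs = expand_generate(PTR_LINE, REVERSE_ORIGIN)
    a_recs = expand_generate(A_LINE, "skullspace.ca.")
    return unconfirmed_ptrs(ptrs + [UNNAMED_PTR], a_recs)

if __name__ == "__main__":
    for ip, target in check_example():
        print(f"{ip}: PTR {target} has no matching A record")
```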


On Feb 13, 2014, at 12:05 PM, Alex Weber <[email protected]> wrote:

> Oh, I thought VOI was in control of our PTR records. My bad!
> 
> On Thu, Feb 13, 2014 at 11:35:01AM -0600, Mak Kolybabi wrote:
>> On 2014-02-13 11:34, Kevin wrote:
>>> Feb 11 21:49:20 zimbra sshd[27844]: reverse mapping checking getaddrinfo 
>>> for unnamed.skullspace.ca [206.220.196.50] failed - POSSIBLE BREAK-IN 
>>> ATTEMPT!
>>> 
>>> Shouldn't there be a DNS entry for our IP address's PTR record?
>> 
>> That is the PTR record, literally 'unnamed.skullspace.ca'.
>> Server owners that have static IPs and ask me to set them have custom PTR 
>> records.
>> Everything else is 'unnamed'.
>> 
>> --
>> Mak Kolybabi
>> <[email protected]>
>> 
>> _______________________________________________
>> SkullSpace Discuss Mailing List
>> Help: http://www.skullspace.ca/wiki/index.php/Mailing_List#Discuss
>> Archive: https://groups.google.com/group/skullspace-discuss-archive/
