Re: reverse DNS resolution...

2007-10-24 Thread Eric F Crist
Thanks to all for their help.  I was ignoring the forward DNS, and  
many things don't resolve reverse DNS unless there's a matching  
forward DNS.


duh.

thanks!

Eric Crist

On Oct 23, 2007, at 12:00 PM, Oliver Fromme wrote:


Eric F Crist wrote:

As I already stated, if I do a host 172.30.x.x, I get the correct
reverse resolution.  dig works as well.  What isn't working is the
reverse resolution in certain command outputs, etc.


Note that the DNS tools (host, nslookup, dig) use their
own resolver code, not the one from FreeBSD's libc, like
all other tools.  That might explain the difference.

Make sure that you have configured /etc/nsswitch.conf
and /etc/resolv.conf correctly.  Also note that /etc/hosts
overrides DNS by default.

You can use tcpdump to check if a reverse lookup request
is sent to the DNS server when the failure occurs, and
what the reply looks like.  E.g. let this command run in
one terminal:

# tcpdump -i tun0 -s 1500 -l -n -vvv udp port domain

Add an -i option to specify the interface to listen on,
if you have multiple interfaces (e.g. -i fxp0).

Then run the command (w, irc client, whatever) in another
terminal and watch the tcpdump output.  Oh by the way,
I think the addresses in IRC are resolved by the servers,
not by the clients, so you would have to run the tcpdump
command on the IRC server (if it's an internal one to
which you can login and have root access).

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry court Munich,
HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

PI:
int f[9814],b,c=9814,g,i;long a=1e4,d,e,h;
main(){for(;b=c,c-=14;i=printf("%04d",e+d/a),e=d%a)
while(g=--b*2)d=h*b+a*(i?f[b]:a/5),h=d/--g,f[b]=d%g;}
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-[EMAIL PROTECTED]


-
Eric F Crist
Secure Computing Networks




Re: reverse DNS resolution...

2007-10-23 Thread Eric F Crist

On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:


Eric F Crist wrote:

Hey folks,

We're trying to get reverse DNS resolution for a block of IPs
(private).  We've had the 10.x network working great at the office
for quite some time now, but I'm having a problem getting the
172.30.x network to work.

Typing 'host ip' returns a valid result, however output from who,
as well as other network services (IRC, apache) only see the IP.  Is
there something I'm missing?

Thanks for the pointers!

Well, your DNS needs to be authoritative for both forward and reverse.
If you are trying to do this for less than a /24 block the zone files
get messy quick because of the 8-bit boundaries.  You seem to be trying
to do this for a /16.  I'll bet you're missing the named.conf entries
and related reverse zone files:

Odds are you'll want to have zones:

zone "1.30.172.in-addr.arpa" {
  type master;
  file "master/1.30.172.in-addr.arpa";
  notify yes;
};

zone "255.30.172.in-addr.arpa" {
  // or slave config since you'll have more than 1 ns
  type slave;
  file "slave/255.30.172.in-addr.arpa";
  masters { x.y.z.a; };
};

Or some larger splits of that.

You're going to have to give me a netmask for more help.


/16 is the netmask, you already figured that one out. ;)

As I already stated, if I do a host 172.30.x.x, I get the correct
reverse resolution.  dig works as well.  What isn't working is the
reverse resolution in certain command outputs, etc.  Maybe there is
something missing here:


== named.conf ==
zone "30.172.IN-ADDR.ARPA" {
type master;
file "master/vpn.rev";
};

== vpn.rev ==

$TTL 86400
@   IN SOA  snowball2.secure-computing.net. root.secure-computing.net. (
        1       ; Serial
        21600   ; Refresh
        1200    ; Retry
        1209600 ; Expire
        3600    ; TTL
        )
    IN NS   snowball2.secure-computing.net.

; Static vpn ips go here.
21.1    IN PTR  user1.vpn.
25.1    IN PTR  user2.vpn.
29.1    IN PTR  user3.vpn.
33.1    IN PTR  user4.vpn.
37.1    IN PTR  user5.vpn.
41.1    IN PTR  user6.vpn.
45.1    IN PTR  user7.vpn.
49.1    IN PTR  user8.vpn.
53.1    IN PTR  user9.vpn.

; Auto-generate reverse dns for our dynamic block.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-254 $ PTR 172-30-0-$.vpn.


For what it's worth, the hosts I'm testing have snowball2 listed as  
their primary DNS server.  Again, host 172.30.1.21 successfully  
returns user1.vpn, etc.  Just output in w and last, as well as  
certain services such as UnrealIRCd don't resolve these correctly.


Thanks for the help folks!
-
Eric F Crist
Secure Computing Networks




Re: reverse DNS resolution...

2007-10-23 Thread Derek Ragona

At 07:23 AM 10/23/2007, Eric F Crist wrote:

On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:


Eric F Crist wrote:

Hey folks,

We're trying to get reverse DNS resolution for a block of IPs
(private).  We've had the 10.x network working great at the office
for quite some time now, but I'm having a problem getting the
172.30.x network to work.

Typing 'host ip' returns a valid result, however output from who,
as well as other network services (IRC, apache) only see the IP.  Is
there something I'm missing?

Thanks for the pointers!

Well, your DNS needs to be authoritative for both forward and reverse.
If you are trying to do this for less than a /24 block the zone files
get messy quick because of the 8-bit boundaries.  You seem to be trying
to do this for a /16.  I'll bet you're missing the named.conf entries
and related reverse zone files:

Odds are you'll want to have zones:

zone "1.30.172.in-addr.arpa" {
  type master;
  file "master/1.30.172.in-addr.arpa";
  notify yes;
};

zone "255.30.172.in-addr.arpa" {
  // or slave config since you'll have more than 1 ns
  type slave;
  file "slave/255.30.172.in-addr.arpa";
  masters { x.y.z.a; };
};

Or some larger splits of that.

You're going to have to give me a netmask for more help.


/16 is the netmask, you already figured that one out. ;)

As I already stated, if I do a host 172.30.x.x, I get the correct
reverse resolution.  dig works as well.  What isn't working is the
reverse resolution in certain command outputs, etc.  Maybe there is
something missing here:

== named.conf ==
zone "30.172.IN-ADDR.ARPA" {
type master;
file "master/vpn.rev";
};

== vpn.rev ==

$TTL 86400
@   IN SOA  snowball2.secure-computing.net. root.secure-computing.net. (
        1       ; Serial
        21600   ; Refresh
        1200    ; Retry
        1209600 ; Expire
        3600    ; TTL
        )
    IN NS   snowball2.secure-computing.net.

; Static vpn ips go here.
21.1    IN PTR  user1.vpn.
25.1    IN PTR  user2.vpn.
29.1    IN PTR  user3.vpn.
33.1    IN PTR  user4.vpn.
37.1    IN PTR  user5.vpn.
41.1    IN PTR  user6.vpn.
45.1    IN PTR  user7.vpn.
49.1    IN PTR  user8.vpn.
53.1    IN PTR  user9.vpn.

; Auto-generate reverse dns for our dynamic block.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-254 $ PTR 172-30-0-$.vpn.


For what it's worth, the hosts I'm testing have snowball2 listed as
their primary DNS server.  Again, host 172.30.1.21 successfully
returns user1.vpn, etc.  Just output in w and last, as well as
certain services such as UnrealIRCd don't resolve these correctly.

Thanks for the help folks!
-
Eric F Crist
Secure Computing Networks



You may need to check your /etc/nsswitch.conf on snowball, and any other 
DNS servers.  Also be sure you are using the same DNS lookup order for the 
clients.


I didn't see snowball's PTR record, so I assume it is correct and all 
servers find it correctly as the primary DNS.


-Derek





Re: reverse DNS resolution...

2007-10-23 Thread Philip M. Gollucci
 As I already stated, if I do a host 172.30.x.x, I get the correct
 reverse resolution.  dig works as well.  What isn't working is the
 reverse resolution in certain command outputs, etc.  Maybe there is
 something missing here:
Install wireshark on one of the clients -- filter on protocol dns.
It will be plain as day whats happening.


-- 

Philip M. Gollucci ([EMAIL PROTECTED]) c:323.219.4708 o:703.749.9295x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.



Re: reverse DNS resolution...

2007-10-23 Thread Oliver Fromme
Eric F Crist wrote:
  As I already stated, if I do a host 172.30.x.x, I get the correct
  reverse resolution.  dig works as well.  What isn't working is the
  reverse resolution in certain command outputs, etc.

Note that the DNS tools (host, nslookup, dig) use their
own resolver code, not the one from FreeBSD's libc, like
all other tools.  That might explain the difference.

Make sure that you have configured /etc/nsswitch.conf
and /etc/resolv.conf correctly.  Also note that /etc/hosts
overrides DNS by default.

You can use tcpdump to check if a reverse lookup request
is sent to the DNS server when the failure occurs, and
what the reply looks like.  E.g. let this command run in
one terminal:

# tcpdump -i tun0 -s 1500 -l -n -vvv udp port domain

Add an -i option to specify the interface to listen on,
if you have multiple interfaces (e.g. -i fxp0).

Then run the command (w, irc client, whatever) in another
terminal and watch the tcpdump output.  Oh by the way,
I think the addresses in IRC are resolved by the servers,
not by the clients, so you would have to run the tcpdump
command on the IRC server (if it's an internal one to
which you can login and have root access).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry court Munich,
HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

PI:
int f[9814],b,c=9814,g,i;long a=1e4,d,e,h;
main(){for(;b=c,c-=14;i=printf("%04d",e+d/a),e=d%a)
while(g=--b*2)d=h*b+a*(i?f[b]:a/5),h=d/--g,f[b]=d%g;}
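A way to run Oliver's comparison from a script, added here as an example that is not part of any post in this thread. host and dig carry their own resolver code, while getent(1) asks libc through nsswitch.conf, the same path that w, last and most daemons take, so /etc/hosts and the lookup order apply to it. The script prints both answers for an address and then checks whether the name in the PTR resolves forward to that same address (forward-confirmed reverse DNS, the gap Eric eventually found). It assumes getent(1) is present (FreeBSD 7.0 and later, or a Linux box; FreeBSD 6.x lacks it) and dig is installed; the addresses are IPv4. The `classify` function does no lookups, so it can be exercised with constructed values.

```shell
#!/bin/sh
# Added example, not from the thread.  Compare the reverse lookup done by
# dig (its own resolver) with the one done by libc through nsswitch.conf
# (getent(1): the path w, last, sshd and friends take), then check that
# the returned name resolves forward to the same address (FCrDNS).
# Assumes getent and dig are installed and that arguments are IPv4.

# The owner name a reverse lookup actually queries:
# 172.30.1.21 -> 21.1.30.172.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Reverse lookup via libc/nsswitch: /etc/hosts and the nsswitch order apply.
libc_reverse() {
    getent hosts "$1" | awk '{ print $2; exit }'
}

# Reverse lookup via dig's own resolver code (same family as host/nslookup).
dig_reverse() {
    dig +short -x "$1" | sed 's/\.$//' | head -n 1
}

# Forward lookup via libc; prints one address per line, nothing if none.
libc_forward() {
    [ -n "$1" ] && getent hosts "$1" | awk '{ print $1 }'
}

# Succeeds when $2 appears as a whole line of $1 (fixed string, no regex).
list_has() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# classify IP PTR-NAME FORWARD-ADDRESSES -> one word describing the state.
# Pure function (no DNS), so it can be tested with constructed values.
classify() {
    if [ -z "$2" ]; then
        echo "no-ptr"                 # reverse zone has no record for $1
    elif [ -z "$3" ]; then
        echo "ptr-without-forward"    # PTR exists but the name has no A record
    elif list_has "$3" "$1"; then
        echo "fcrdns-ok"              # forward and reverse agree
    else
        echo "forward-mismatch"       # name exists but points elsewhere
    fi
}

check_ip() {
    printf 'query name : %s\n' "$(ptr_name "$1")"
    d=$(dig_reverse "$1")
    l=$(libc_reverse "$1")
    printf 'dig sees   : %s\n' "${d:-<none>}"
    printf 'libc sees  : %s\n' "${l:-<none>}"
    printf 'result     : %s\n' "$(classify "$1" "$l" "$(libc_forward "$l")")"
}

# Usage: sh rdns_check.sh 172.30.1.21 172.30.0.5
for ip in "$@"; do check_ip "$ip"; done
```

When dig answers and libc does not, the difference is on the client side (nsswitch.conf, resolv.conf, /etc/hosts); when both answer but the result is `ptr-without-forward`, the PTR target needs a matching A record, which is what the zone in this thread was missing for the `.vpn` names.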


reverse DNS resolution...

2007-10-22 Thread Eric F Crist

Hey folks,

We're trying to get reverse DNS resolution for a block of IPs  
(private).  We've had the 10.x network working great at the office  
for quite some time now, but I'm having a problem getting the  
172.30.x network to work.


Typing 'host ip' returns a valid result, however output from who,  
as well as other network services (IRC, apache) only see the IP.  Is  
there something I'm missing?


Thanks for the pointers!

-
Eric F Crist
Secure Computing Networks




Re: reverse DNS resolution...

2007-10-22 Thread Derek Ragona

At 12:02 PM 10/22/2007, Eric F Crist wrote:

Hey folks,

We're trying to get reverse DNS resolution for a block of IPs
(private).  We've had the 10.x network working great at the office
for quite some time now, but I'm having a problem getting the
172.30.x network to work.

Typing 'host ip' returns a valid result, however output from who,
as well as other network services (IRC, apache) only see the IP.  Is
there something I'm missing?

Thanks for the pointers!

-
Eric F Crist
Secure Computing Networks


Do you have the reverse zones setup correctly?  Are your DNS servers the 
first ones you query?


-Derek




Re: reverse DNS resolution...

2007-10-22 Thread Philip M. Gollucci
Eric F Crist wrote:
 Hey folks,
 
 We're trying to get reverse DNS resolution for a block of IPs
 (private).  We've had the 10.x network working great at the office
 for quite some time now, but I'm having a problem getting the
 172.30.x network to work.
 
 Typing 'host ip' returns a valid result, however output from who,
 as well as other network services (IRC, apache) only see the IP.  Is
 there something I'm missing?
 
 Thanks for the pointers!
Well, your DNS needs to be authoritative for both forward and reverse.
If you are trying to do this for less than a /24 block the zone files
get messy quick because of the 8-bit boundaries.  You seem to be trying
to do this for a /16.  I'll bet you're missing the named.conf entries
and related reverse zone files:

Odds are you'll want to have zones:

zone "1.30.172.in-addr.arpa" {
  type master;
  file "master/1.30.172.in-addr.arpa";
  notify yes;
};

zone "255.30.172.in-addr.arpa" {
  // or slave config since you'll have more than 1 ns
  type slave;
  file "slave/255.30.172.in-addr.arpa";
  masters { x.y.z.a; };
};

Or some larger splits of that.

You're going to have to give me a netmask for more help.


$ORIGIN .
$TTL 3600   ; 1 hour
0.28.172.in-addr.arpa   IN SOA  ns1.rws. admin.Z. (
2007101800 ; Serial
10800  ; refresh (3 hours)
3600   ; retry (1 hour)
3600   ; expire (1 hour)
86400  ; minimum (1 day)
)
NS  ns1.Z.
$ORIGIN 0.28.172.in-addr.arpa.
1   PTR router.Z.
..



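Philip's per-/24 reverse zones and Eric's $GENERATE line both describe the reverse half only; the resolution problem in this thread came from the forward half being absent. The script below is an added example, not code from any post: it emits a complete BIND reverse zone for one /24 of the VPN block and, from the same loop, the A records for the internal `vpn.` forward zone, so the two cannot drift apart. The server and mailbox names and the `172-30-0-N.vpn.` scheme are taken from Eric's zone; the serial argument, the `vpn.` zone itself (which the internal server must also serve, since that name is not delegated anywhere public) and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.  Generate a BIND reverse zone for one
# /24 of the VPN block and the matching forward A records from the same
# loop, so every PTR has the A record that forward-confirming lookups need.
# Server and mailbox names follow Eric's zone; the serial argument and the
# internal forward zone "vpn." are assumptions.

# host_name NET HOST -> the name scheme of Eric's $GENERATE line
# e.g. host_name 172.30.0 5 -> 172-30-0-5.vpn.
host_name() {
    printf '%s-%s.vpn.\n' "$(echo "$1" | sed 's/\./-/g')" "$2"
}

# reverse_zone NET SERIAL -> complete zone file for NET (e.g. 172.30.0),
# hosts .2 through .254 like the original $GENERATE range.
reverse_zone() {
    rev=$(echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.", $3, $2, $1 }')
    cat <<EOF
\$TTL 86400
\$ORIGIN $rev
@   IN SOA  snowball2.secure-computing.net. root.secure-computing.net. (
        $2       ; Serial: bump on every change
        21600    ; Refresh
        1200     ; Retry
        1209600  ; Expire
        3600     ; Negative-cache TTL
        )
    IN NS   snowball2.secure-computing.net.
EOF
    h=2
    while [ "$h" -le 254 ]; do
        printf '%-4s IN PTR  %s\n' "$h" "$(host_name "$1" "$h")"
        h=$((h + 1))
    done
}

# forward_records NET -> A records for the "vpn." zone ($ORIGIN vpn.)
# that point back at the addresses the PTRs came from.
forward_records() {
    h=2
    while [ "$h" -le 254 ]; do
        name=$(host_name "$1" "$h")
        printf '%-16s IN A    %s.%s\n' "${name%.vpn.}" "$1" "$h"
        h=$((h + 1))
    done
}

# Usage (file names are assumptions):
#   sh vpn_zones.sh reverse 172.30.0 2007102401 > master/0.30.172.in-addr.arpa
#   sh vpn_zones.sh forward 172.30.0 >> master/vpn
case "$1" in
    reverse) reverse_zone "$2" "$3" ;;
    forward) forward_records "$2" ;;
esac
```

After loading both zones, `host 172.30.0.5` and `host 172-30-0-5.vpn` should each return the other, which is the pairing that the libc resolver on the clients and services such as the IRC daemon end up depending on.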



Re: reverse DNS resolution...

2007-10-22 Thread Bill Campbell
On Mon, Oct 22, 2007, Eric F Crist wrote:
Hey folks,

We're trying to get reverse DNS resolution for a block of IPs  
(private).  We've had the 10.x network working great at the office  
for quite some time now, but I'm having a problem getting the  
172.30.x network to work.

Typing 'host ip' returns a valid result, however output from who,  
as well as other network services (IRC, apache) only see the IP.  Is  
there something I'm missing?

You will have to set up local DNS configuration for private
addresses, including the appropriate in-addr.arpa. PTR records.
The exact file format depends on what DNS software you're using,
bind, djbdns, etc.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Manual, n.:
A unit of documentation.  There are always three or more on a
given item.  One is on the shelf; someone has the others.  The
information you need is in the others.
-- Ray Simard