Re: reverse DNS resolution...
Thanks to all for their help. I was ignoring the forward DNS, and many things don't resolve reverse DNS unless there's a matching forward DNS. Duh. Thanks!

Eric Crist

On Oct 23, 2007, at 12:00 PM, Oliver Fromme wrote:

> Eric F Crist wrote:
> > As I already stated, if I do a host 172.30.x.x, I get the correct reverse resolution. dig works as well. What isn't working is the reverse resolution in certain command outputs, etc.
>
> Note that the DNS tools (host, nslookup, dig) use their own resolver code, not the one from FreeBSD's libc, like all other tools. That might explain the difference.
>
> Make sure that you have configured /etc/nsswitch.conf and /etc/resolv.conf correctly. Also note that /etc/hosts overrides DNS by default.
>
> You can use tcpdump to check if a reverse lookup request is sent to the DNS server when the failure occurs, and what the reply looks like. E.g. let this command run in one terminal:
>
>     # tcpdump -i tun0 -s 1500 -l -n -vvv udp port domain
>
> Add an -i option to specify the interface to listen on, if you have multiple interfaces (e.g. -i fxp0). Then run the command (w, irc client, whatever) in another terminal and watch the tcpdump output.
>
> Oh by the way, I think the addresses in IRC are resolved by the servers, not by the clients, so you would have to run the tcpdump command on the IRC server (if it's an internal one to which you can login and have root access).
>
> Best regards
>    Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
> Commercial register: Registry court Munich, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry court Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
> FreeBSD services, products and more: http://www.secnetix.de/bsd
>
> PI: int f[9814],b,c=9814,g,i;long a=1e4,d,e,h;
> main(){for(;b=c,c-=14;i=printf("%04d",e+d/a),e=d%a)
> while(g=--b*2)d=h*b+a*(i?f[b]:a/5),h=d/--g,f[b]=d%g;}

-
Eric F Crist
Secure Computing Networks

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: reverse DNS resolution...
On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:

> Eric F Crist wrote:
> > Hey folks,
> >
> > We're trying to get reverse DNS resolution for a block of IPs (private). We've had the 10.x network working great at the office for quite some time now, but I'm having a problem getting the 172.30.x network to work. Typing 'host ip' returns a valid result, however output from who, as well as other network services (IRC, apache) only see the IP.
> >
> > Is there something I'm missing? Thanks for the pointers!
>
> Well, your DNS needs to be authoritative for both forward and reverse. If you are trying to do this for less than a /24 block the zone files get messy quick because of the 8-bit boundaries. You seem to be trying to do this for a /16. I'll bet you're missing the named.conf entries and related reverse zone files:
>
> Odds are you'll want to have zones:
>
>     zone "1.30.172.in-addr.arpa" {
>         type master;
>         file "master/1.30.172.in-addr.arpa";
>         notify yes;
>     };
>
>     zone "255.30.172.in-addr.arpa" {
>         // or slave config since you'll have more than 1 ns
>         type slave;
>         file "slave/255.30.172.in-addr.arpa";
>         masters { x.y.z.a; };
>     };
>
> Or some larger splits of that. You're going to have to give me a netmask for more help.

/16 is the netmask, you already figured that one out. ;)

As I already stated, if I do a host 172.30.x.x, I get the correct reverse resolution. dig works as well. What isn't working is the reverse resolution in certain command outputs, etc.

Maybe there is something missing here:

== named.conf ==

    zone "30.172.IN-ADDR.ARPA" {
        type master;
        file "master/vpn.rev";
    };

== vpn.rev ==

    $TTL 86400
    @       IN  SOA snowball2.secure-computing.net. root.secure-computing.net. (
                    1           ; Serial
                    21600       ; Refresh
                    1200        ; Retry
                    1209600     ; Expire
                    3600 )      ; TTL
            IN  NS  snowball2.secure-computing.net.

    ; Static vpn ips go here.
    21.1    IN  PTR user1.vpn.
    25.1    IN  PTR user2.vpn.
    29.1    IN  PTR user3.vpn.
    33.1    IN  PTR user4.vpn.
    37.1    IN  PTR user5.vpn.
    41.1    IN  PTR user6.vpn.
    45.1    IN  PTR user7.vpn.
    49.1    IN  PTR user8.vpn.
    53.1    IN  PTR user9.vpn.

    ; Auto-generate reverse dns for our dynamic block.
    $ORIGIN 0.30.172.in-addr.arpa.
    $GENERATE 2-254 $ PTR 172-30-0-$.vpn.

For what it's worth, the hosts I'm testing have snowball2 listed as their primary DNS server. Again, host 172.30.1.21 successfully returns user1.vpn, etc. Just output in w and last, as well as certain services such as UnrealIRCd, don't resolve these correctly.

Thanks for the help folks!

-
Eric F Crist
Secure Computing Networks
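As an added illustration (not code from the thread), the following Python expands a constructed excerpt of the vpn.rev zone above, including its $GENERATE line, into address-to-PTR mappings, then applies the forward-confirmation check the thread ends on: does the PTR target's A record point back at the address? The forward table is constructed for the example and the $GENERATE range is shortened.

```python
from typing import Dict, Set

# Constructed excerpt of the thread's vpn.rev, loaded under zone 30.172.in-addr.arpa
# ($GENERATE range shortened to keep the example small).
VPN_REV = """\
; Static vpn ips go here.
21.1    IN  PTR user1.vpn.
25.1    IN  PTR user2.vpn.
; Auto-generate reverse dns for our dynamic block.
$ORIGIN 0.30.172.in-addr.arpa.
$GENERATE 2-4 $ PTR 172-30-0-$.vpn.
"""

def ptr_owner_to_ip(owner: str) -> str:
    """'21.1.30.172.in-addr.arpa.' -> '172.30.1.21' (IPv4 only)."""
    labels = owner.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 in-addr.arpa owner name: " + owner)
    return ".".join(reversed(labels[:4]))

def parse_reverse_zone(text: str, zone_origin: str) -> Dict[str, str]:
    """Map IPv4 address -> PTR target, honouring $ORIGIN and BIND-style $GENERATE."""
    origin, records = zone_origin, {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields[0] == "$GENERATE":             # $GENERATE lo-hi lhs [ttl] [class] type rhs
            lo, hi = (int(n) for n in fields[1].split("-"))
            for n in range(lo, hi + 1):
                owner = fields[2].replace("$", str(n)) + "." + origin
                records[ptr_owner_to_ip(owner)] = fields[-1].replace("$", str(n))
        elif "PTR" in fields:
            lhs = fields[0]
            owner = lhs if lhs.endswith(".") else lhs + "." + origin
            records[ptr_owner_to_ip(owner)] = fields[-1]
    return records

def forward_confirmed(reverse: Dict[str, str], forward: Dict[str, Set[str]]) -> Dict[str, bool]:
    """FCrDNS check: does the PTR target's A record set include the address itself?
    Services that insist on a matching forward record treat False entries as unresolved."""
    return {ip: ip in forward.get(name, set()) for ip, name in reverse.items()}

if __name__ == "__main__":
    rev = parse_reverse_zone(VPN_REV, "30.172.in-addr.arpa.")
    # Constructed forward data: user1 confirms, user2 points elsewhere, generated names have no A.
    fwd = {"user1.vpn.": {"172.30.1.21"}, "user2.vpn.": {"10.0.0.5"}}
    for ip, ok in sorted(forward_confirmed(rev, fwd).items()):
        print(ip, rev[ip], "forward-confirmed" if ok else "NO matching forward record")
```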
Re: reverse DNS resolution...
At 07:23 AM 10/23/2007, Eric F Crist wrote:

> On Oct 22, 2007, at 4:51 PM, Philip M. Gollucci wrote:
>
> > Eric F Crist wrote:
> > > Hey folks,
> > >
> > > We're trying to get reverse DNS resolution for a block of IPs (private). We've had the 10.x network working great at the office for quite some time now, but I'm having a problem getting the 172.30.x network to work. Typing 'host ip' returns a valid result, however output from who, as well as other network services (IRC, apache) only see the IP.
> > >
> > > Is there something I'm missing? Thanks for the pointers!
> >
> > Well, your DNS needs to be authoritative for both forward and reverse. If you are trying to do this for less than a /24 block the zone files get messy quick because of the 8-bit boundaries. You seem to be trying to do this for a /16. I'll bet you're missing the named.conf entries and related reverse zone files:
> >
> > Odds are you'll want to have zones:
> >
> >     zone "1.30.172.in-addr.arpa" {
> >         type master;
> >         file "master/1.30.172.in-addr.arpa";
> >         notify yes;
> >     };
> >
> >     zone "255.30.172.in-addr.arpa" {
> >         // or slave config since you'll have more than 1 ns
> >         type slave;
> >         file "slave/255.30.172.in-addr.arpa";
> >         masters { x.y.z.a; };
> >     };
> >
> > Or some larger splits of that. You're going to have to give me a netmask for more help.
>
> /16 is the netmask, you already figured that one out. ;)
>
> As I already stated, if I do a host 172.30.x.x, I get the correct reverse resolution. dig works as well. What isn't working is the reverse resolution in certain command outputs, etc.
>
> Maybe there is something missing here:
>
> == named.conf ==
>
>     zone "30.172.IN-ADDR.ARPA" {
>         type master;
>         file "master/vpn.rev";
>     };
>
> == vpn.rev ==
>
>     $TTL 86400
>     @       IN  SOA snowball2.secure-computing.net. root.secure-computing.net. (
>                     1           ; Serial
>                     21600       ; Refresh
>                     1200        ; Retry
>                     1209600     ; Expire
>                     3600 )      ; TTL
>             IN  NS  snowball2.secure-computing.net.
>
>     ; Static vpn ips go here.
>     21.1    IN  PTR user1.vpn.
>     25.1    IN  PTR user2.vpn.
>     29.1    IN  PTR user3.vpn.
>     33.1    IN  PTR user4.vpn.
>     37.1    IN  PTR user5.vpn.
>     41.1    IN  PTR user6.vpn.
>     45.1    IN  PTR user7.vpn.
>     49.1    IN  PTR user8.vpn.
>     53.1    IN  PTR user9.vpn.
>
>     ; Auto-generate reverse dns for our dynamic block.
>     $ORIGIN 0.30.172.in-addr.arpa.
>     $GENERATE 2-254 $ PTR 172-30-0-$.vpn.
>
> For what it's worth, the hosts I'm testing have snowball2 listed as their primary DNS server. Again, host 172.30.1.21 successfully returns user1.vpn, etc. Just output in w and last, as well as certain services such as UnrealIRCd, don't resolve these correctly.
>
> Thanks for the help folks!
>
> -
> Eric F Crist
> Secure Computing Networks

You may need to check your /etc/nsswitch.conf on snowball, and any other DNS servers. Also be sure you are using the same DNS lookup order for the clients. I didn't see snowball's PTR record, so I assume it is correct and all servers find it correctly as the primary DNS.

-Derek

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support.
Re: reverse DNS resolution...
> As I already stated, if I do a host 172.30.x.x, I get the correct reverse resolution. dig works as well. What isn't working is the reverse resolution in certain command outputs, etc.
>
> Maybe there is something missing here:

Install wireshark on one of the clients -- filter on protocol dns. It will be plain as day what's happening.

--
Philip M. Gollucci ([EMAIL PROTECTED]) c:323.219.4708 o:703.749.9295x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB B89E 1324 9B4F EC88 A0BF

Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
Re: reverse DNS resolution...
Eric F Crist wrote:
> As I already stated, if I do a host 172.30.x.x, I get the correct reverse resolution. dig works as well. What isn't working is the reverse resolution in certain command outputs, etc.

Note that the DNS tools (host, nslookup, dig) use their own resolver code, not the one from FreeBSD's libc, like all other tools. That might explain the difference.

Make sure that you have configured /etc/nsswitch.conf and /etc/resolv.conf correctly. Also note that /etc/hosts overrides DNS by default.

You can use tcpdump to check if a reverse lookup request is sent to the DNS server when the failure occurs, and what the reply looks like. E.g. let this command run in one terminal:

    # tcpdump -i tun0 -s 1500 -l -n -vvv udp port domain

Add an -i option to specify the interface to listen on, if you have multiple interfaces (e.g. -i fxp0). Then run the command (w, irc client, whatever) in another terminal and watch the tcpdump output.

Oh by the way, I think the addresses in IRC are resolved by the servers, not by the clients, so you would have to run the tcpdump command on the IRC server (if it's an internal one to which you can login and have root access).

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
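As an added example (not Oliver's code), here is a small Python model of his point about the libc resolver: w, last and friends go through the nsswitch.conf lookup order and can be answered from /etc/hosts before DNS is ever asked, while host and dig always talk to the name server. Both file contents are constructed, the hosts entry deliberately shadows the PTR record, and the default lookup order used when no hosts: line exists is an assumption.

```python
import socket
from typing import List, Optional, Tuple

# Constructed sample files standing in for /etc/nsswitch.conf and /etc/hosts.
NSSWITCH = """\
group: compat
hosts: files dns
networks: files
"""
HOSTS = """\
::1          localhost
127.0.0.1    localhost
172.30.1.21  vpn-gw.example   # constructed stale entry that shadows PTR user1.vpn
"""

def hosts_lookup_order(nsswitch_text: str) -> List[str]:
    """Sources libc consults for the 'hosts' database, in order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return ["files", "dns"]   # assumed default when no hosts: line is present

def hosts_file_reverse(hosts_text: str, ip: str) -> Optional[str]:
    """Canonical name for ip from an /etc/hosts-style table, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None

def reverse_source(ip: str, nsswitch_text: str, hosts_text: str) -> Tuple[str, Optional[str]]:
    """Which source answers a libc reverse lookup of ip, and with what name.
    ('files', name): /etc/hosts shadows DNS, so the PTR record is never consulted.
    ('dns', None):   the query actually reaches the name server (watch it with tcpdump).
    ('none', None):  no source can answer, so tools fall back to the bare address."""
    for source in hosts_lookup_order(nsswitch_text):
        if source == "files":
            name = hosts_file_reverse(hosts_text, ip)
            if name is not None:
                return ("files", name)
        elif source == "dns":
            return ("dns", None)
    return ("none", None)

def libc_reverse(ip: str) -> Optional[str]:
    """The real thing: the nsswitch-aware libc resolver that w and last use, unlike host/dig."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
```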
reverse DNS resolution...
Hey folks,

We're trying to get reverse DNS resolution for a block of IPs (private). We've had the 10.x network working great at the office for quite some time now, but I'm having a problem getting the 172.30.x network to work. Typing 'host ip' returns a valid result, however output from who, as well as other network services (IRC, apache) only see the IP.

Is there something I'm missing? Thanks for the pointers!

-
Eric F Crist
Secure Computing Networks
Re: reverse DNS resolution...
At 12:02 PM 10/22/2007, Eric F Crist wrote:

> Hey folks,
>
> We're trying to get reverse DNS resolution for a block of IPs (private). We've had the 10.x network working great at the office for quite some time now, but I'm having a problem getting the 172.30.x network to work. Typing 'host ip' returns a valid result, however output from who, as well as other network services (IRC, apache) only see the IP.
>
> Is there something I'm missing? Thanks for the pointers!
>
> -
> Eric F Crist
> Secure Computing Networks

Do you have the reverse zones setup correctly? Are your DNS servers the first ones you query?

-Derek
Re: reverse DNS resolution...
Eric F Crist wrote:
> Hey folks,
>
> We're trying to get reverse DNS resolution for a block of IPs (private). We've had the 10.x network working great at the office for quite some time now, but I'm having a problem getting the 172.30.x network to work. Typing 'host ip' returns a valid result, however output from who, as well as other network services (IRC, apache) only see the IP.
>
> Is there something I'm missing? Thanks for the pointers!

Well, your DNS needs to be authoritative for both forward and reverse. If you are trying to do this for less than a /24 block the zone files get messy quick because of the 8-bit boundaries. You seem to be trying to do this for a /16. I'll bet you're missing the named.conf entries and related reverse zone files:

Odds are you'll want to have zones:

    zone "1.30.172.in-addr.arpa" {
        type master;
        file "master/1.30.172.in-addr.arpa";
        notify yes;
    };

    zone "255.30.172.in-addr.arpa" {
        // or slave config since you'll have more than 1 ns
        type slave;
        file "slave/255.30.172.in-addr.arpa";
        masters { x.y.z.a; };
    };

Or some larger splits of that. You're going to have to give me a netmask for more help.

    $ORIGIN .
    $TTL 3600       ; 1 hour
    0.28.172.in-addr.arpa   IN SOA  ns1.rws. admin.Z. (
                                    2007101800 ; Serial
                                    10800      ; refresh (3 hours)
                                    3600       ; retry (1 hour)
                                    3600       ; expire (1 hour)
                                    86400      ; minimum (1 day)
                                    )
                            NS      ns1.Z.
    $ORIGIN 0.28.172.in-addr.arpa.
    1                       PTR     router.Z.
    ..

--
Philip M. Gollucci
Re: reverse DNS resolution...
On Mon, Oct 22, 2007, Eric F Crist wrote:

> Hey folks,
>
> We're trying to get reverse DNS resolution for a block of IPs (private). We've had the 10.x network working great at the office for quite some time now, but I'm having a problem getting the 172.30.x network to work. Typing 'host ip' returns a valid result, however output from who, as well as other network services (IRC, apache) only see the IP.
>
> Is there something I'm missing?

You will have to set up local DNS configuration for private addresses, including the appropriate in-addr.arpa. PTR records. The exact file format depends on what DNS software you're using, bind, djbdns, etc.

Bill

--
INTERNET: [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Manual, n.: A unit of documentation. There are always three or more on a given item. One is on the shelf; someone has the others. The information you need is in the others.
    -- Ray Simard