
Reverse DNS mapping delegation

20 years 6 months ago #4007 by nske
Hello, I need your lights on an issue; though it is about a technical problem, I chose to post here since a theoretical answer could probably explain it.


I maintain a dedicated server at servermatrix, in a subnet of 5 internet IPs (255.255.255.248). Recently I decided to host my domains on my own DNS server. I also thought to set up my reverse DNS zone, and request the authoritative servers for this C class (belonging to servermatrix/theplanet) to delegate authority for my subnet to my DNS server. Anyway, I believed it was obvious that my arpa DNS zone wouldn't affect anything since no other internet DNS server referred to it as the authoritative DNS for that C class -and to my understanding reverse DNS mappings are delegated in the same hierarchical way as all the other DNS records, using the ARPA naming scheme. For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de facto supported arpa zone is a C class.

The strange thing that happened is that 2 days after I set this up, the reverse mapping for the whole C class was ruined!! Meaning that no reverse DNS resolving is possible for an IP in this subnet. I checked the whole chain of authority for this C class, beginning from the ARPA root servers, and the authoritative servers are still the proper ones, those of servermatrix (dns1.theplanet.com & dns2.theplanet.com). BUT when I try to query them for the answer, they simply do not reply. They will reply to ANY other question, either with an answer for the zones of their authority or returning the authoritative DNS server for all the rest. But they will NOT respond AT ALL to queries for my particular class.

For example:

root@shanny:~# dig -x [CENSORED_IP2] @ns1.theplanet.com

; <<>> DiG 9.2.3 <<>> -x [CENSORED_IP2] @ns1.theplanet.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;[CENSORED].in-addr.arpa. IN PTR

;; ANSWER SECTION:
[CENSORED].in-addr.arpa. 86400 IN PTR [CENSORED].reverse.theplanet.com.

;; AUTHORITY SECTION:
[CENSORED].in-addr.arpa. 86400 IN NS ns1.theplanet.com.
[CENSORED].in-addr.arpa. 86400 IN NS ns2.theplanet.com.

;; ADDITIONAL SECTION:
ns1.theplanet.com. 86400 IN A 216.234.234.30
ns2.theplanet.com. 86400 IN A 12.96.160.115

;; Query time: 1056 msec
;; SERVER: 216.234.234.30#53(ns1.theplanet.com)
;; WHEN: Sun Jun 6 21:22:35 2004
;; MSG SIZE rcvd: 161

<Here I query for an other IP that belongs to their authority zone. They answer, naturally.>


root@shanny:~# dig -x 212.54.222.230 @ns1.theplanet.com

; <<>> DiG 9.2.3 <<>> -x 212.54.222.230 @ns1.theplanet.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57778
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;230.222.54.212.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
212.in-addr.arpa. 7200 IN SOA ns.ripe.net. ops-212.ripe.net. 2004060680 43200 7200 1209600 7200

;; Query time: 611 msec
;; SERVER: 216.234.234.30#53(ns1.theplanet.com)
;; WHEN: Sun Jun 6 21:27:57 2004
;; MSG SIZE rcvd: 100

<Here I query for an IP that doesn't belong to their authoritative zone. Naturally, they respond with something (the authoritative DNS server in this case -they probably queried the nameservers in resolv.conf or even from the root.hints, doesn't matter- ).>

root@shanny:~# dig -x [CENSORED_IP1] @ns1.theplanet.com

; <<>> DiG 9.2.3 <<>> -x [CENSORED_IP1] @ns1.theplanet.com
;; global options: printcmd
;; connection timed out; no servers could be reached

<Finally, here I query for my server's IP reverse mapping record, which belongs to their authoritative zone. Even if it didn't, the server SHOULD respond with SOMETHING. But you see it does not. :shock: :? :( :cry: >

At this point, I need to mention that even if by some strange occurrence my own DNS server acted as the authoritative one, reverse DNS mapping wouldn't work, as I had made a small mistake that rendered the whole zone file invalid. So I have no way to know right now whether the DNS servers all around would use my DNS as the authoritative one, or simply everything is f**ked up. I only know that authority has not been delegated to it from any other (parent authoritative) DNS server, and thus that should be impossible.

Putting aside my anxiety -that I have no reverse DNS service of my own, so as a result my mail server malfunctions and I have problems pointing an important domain to my DNS *(I'll explain that later), and that I may have caused many other people the same problems-,

I give 3 possible explanations:

1) DEVILISH COINCIDENCE, an irrelevant problem of ServerMatrix' DNS server -no comments-
2) I am totally misinformed about DNS, and what happened is a natural result of my ignorance -I don't think so, though, since reverse DNS across the whole internet would collapse all the time if it were so-
3) Something out of specification has happened, for example as a result of the servermatrix hostmaster's misconfiguration, that allowed some sort of -unintended- spoofing on my part (though I see not how that would happen!).

In any case, things are screwed for me and for many other people :(

The other problem that I mentioned before would be completely explained if it is somewhere in the DNS RFCs or in the .org TLD root servers' practice that they will not delegate authority for a domain to a DNS server that has no reverse DNS mapping (that would be natural since the RFC DEMANDS that every host has a reverse DNS). Does anyone know? -I don't feel like looking for this right now-


Sorry for the large post, but I really need to hear your thoughts, both because I am desperate to solve the problem asap and from natural curiosity. Thanks in advance! :)
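The classless delegation trick the post above refers to (the CNAME scheme from RFC 2317 for blocks smaller than a /24) is easier to see than to describe, so here is an added worked example in Python. It is not code from the thread, the poster or the hosting provider; the block 192.0.2.8/29, the nameserver names and the host names are constructed placeholders. It builds the provider's parent-zone fragment and the customer's child zone, and then walks the lookup path a resolver takes, which also shows why a zone the parent never delegates to is simply never consulted.

```python
import ipaddress

# Added example (not from the thread). Subnet, nameservers and host names
# below are constructed placeholders, not the poster's real values.


def reverse_name(ip: str) -> str:
    """in-addr.arpa owner name for an IPv4 address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def rfc2317_delegation(cidr: str, child_ns, ptr_map):
    """Build the two record sets an RFC 2317 sub-/24 delegation needs.

    Returns (parent_zone, parent_records, child_records). The parent /24 zone
    (held by the provider) delegates a synthetic child zone named
    "<first>/<prefixlen>.<parent>" with NS records and points every address of
    the block into it with a CNAME. The child zone (held by the customer)
    carries the actual PTR records. Records are (owner, type, rdata) tuples.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")
    o = str(net.network_address).split(".")
    parent_zone = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    # "8/29" is the RFC 2317 spelling; "8-15" or "8-29" are common variants
    # that avoid '/' in a label. Parent and child only have to agree.
    child_zone = f"{o[3]}/{net.prefixlen}.{parent_zone}"

    parent_records = [(child_zone, "NS", ns) for ns in child_ns]
    child_records = [(child_zone, "NS", ns) for ns in child_ns]
    for addr in net:  # includes the network and broadcast addresses
        last = str(addr).split(".")[3]
        parent_records.append((f"{last}.{parent_zone}", "CNAME", f"{last}.{child_zone}"))
        if str(addr) in ptr_map:
            child_records.append((f"{last}.{child_zone}", "PTR", ptr_map[str(addr)]))
    return parent_zone, parent_records, child_records


def lookup_ptr(ip: str, parent_records, child_records, max_cname: int = 8):
    """Follow the path a resolver takes: parent answers with a CNAME into the
    child zone, the child answers with the PTR. Returns None if absent."""
    name = reverse_name(ip)
    records = parent_records + child_records
    for _ in range(max_cname):
        hit = {(t, r) for owner, t, r in records if owner == name}
        ptr = [r for t, r in hit if t == "PTR"]
        if ptr:
            return ptr[0]
        cname = [r for t, r in hit if t == "CNAME"]
        if not cname:
            return None
        name = cname[0]
    return None  # CNAME chain too long


def zone_file(records) -> str:
    """Render (owner, type, rdata) tuples as zone-file lines."""
    return "\n".join(f"{o}\t86400\tIN\t{t}\t{r}" for o, t, r in records)


if __name__ == "__main__":
    pz, pr, cr = rfc2317_delegation("192.0.2.8/29", ["ns1.customer.example."],
                                    {"192.0.2.10": "mail.customer.example."})
    print(f"; parent zone {pz} (provider side)")
    print(zone_file(pr))
    print("; child zone (customer side)")
    print(zone_file(cr))
    print(lookup_ptr("192.0.2.10", pr, cr))
```

The parent fragment is what the provider has to add; the child zone is the only thing the customer's server needs to serve. A full /24 reverse zone loaded on the customer's server, as the poster describes, is never reached by this path because nothing in the parent points at it.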
20 years 6 months ago #4011 by Jack
NSKE –

For DNS troubleshooting I use an offsite URL that’s pretty awesome, check out:
dnsstuff.com/ and what I use dnsstuff.com/pages/expert.htm

Maybe you’ll get a different response. Good Luck.

Jack Burgess,
Firewall.cx Staff
News Editor / Forum Moderator
www.jacksjunk.com
20 years 6 months ago #4019 by nske
This is indeed an awesome service, it has yielded some additional information! :D

More specifically:

Asking NS1.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns1.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns2.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns2.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns2.theplanet.com says to go to NS1.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
Asking NS1.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns1.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns2.theplanet.com says to go to NS1.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
Asking NS1.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
ns1.theplanet.com says to go to NS1.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)

...........

Error: It looks like you've stuck me in a loop!.

Details:
I am programmed to stop after 20 DNS queries, since most reverse DNS lookups can be finished
after just 3 queries. It sounds like you're stuck in a loop.


and

Getting NS record list at g.root-servers.net... Done!
Looking up at the 7 69.in-addr.arpa. parent servers:

Server              Response                                Time
chia.arin.net       NS1.THEPLANET.COM. NS2.THEPLANET.COM.   107ms
dill.arin.net       NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
henna.arin.net      NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
indigo.arin.net     NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
epazote.arin.net    NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
figwort.arin.net    Timeout
ginseng.arin.net    Timeout

Status: Records DO NOT all match: At least one DNS server (ginseng.arin.net) did not respond.


Now I tend to believe that it has to be a misconfiguration from theplanet (though perhaps I triggered the result)

Thank you :)
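The dnsstuff trace above shows the classic symptom of a lame delegation: the parent lists ns1 and ns2 for the zone, and each of them refers the query back to the other for that same zone until the tool gives up after 20 queries. The following is an added example (not from the thread, not from dnsstuff) of a small referral walker that applies the check a resolver effectively applies: a referral must point strictly below the zone the server was asked on behalf of, otherwise it is flagged as lame instead of being followed. All server and zone names are constructed placeholders; the three responder tables stand in for the network and model a healthy chain, the looping chain from the trace, and the silent servers from the earlier dig output.

```python
# Added example (not from the thread or from dnsstuff). Names are constructed.
# A "responder" dict stands in for the network:
#   (server, qname) -> ("answer", rdata)
#                    | ("referral", zone, [servers...])
#                    | ("nxdomain",)
#                    | None            (timeout: no reply at all)


def is_proper_subdomain(name: str, zone: str) -> bool:
    """True if name is strictly below zone (both fully qualified, trailing dot)."""
    if zone == ".":
        return name != "."
    return name != zone and name.endswith("." + zone)


def walk_referrals(qname, responder, start_servers, start_zone=".", max_queries=20):
    """Follow referrals from start_servers for qname, with a query budget and a
    'referrals must descend' check. Returns a dict with a status and a trace."""
    zone, servers, trace, queries = start_zone, list(start_servers), [], 0
    while queries < max_queries:
        for server in servers:
            queries += 1
            resp = responder.get((server, qname))
            trace.append((server, zone, resp))
            if resp is None:
                continue  # timeout: try the next server listed for this zone
            if resp[0] == "answer":
                return {"status": "ok", "rdata": resp[1], "queries": queries, "trace": trace}
            if resp[0] == "nxdomain":
                return {"status": "nxdomain", "queries": queries, "trace": trace}
            ref_zone, ref_servers = resp[1], resp[2]
            # A sane referral moves down the tree. A server listed for zone X
            # that answers "ask someone else for X" is lame; chasing it is what
            # produces the 20-query loop seen in the dnsstuff trace.
            if not is_proper_subdomain(ref_zone, zone):
                return {"status": "lame", "queries": queries, "trace": trace,
                        "reason": f"{server} referred to {ref_zone} while listed for {zone}"}
            zone, servers = ref_zone, list(ref_servers)
            break
        else:  # every server listed for this zone timed out
            return {"status": "unreachable", "queries": queries, "trace": trace,
                    "reason": f"no server for {zone} answered"}
    return {"status": "loop", "queries": queries, "trace": trace,
            "reason": f"{max_queries} queries without an answer"}


# Constructed scenarios (placeholder names; not real servers).
Q = "10.2.0.192.in-addr.arpa."
ROOT = ["root.example."]


def _chain():
    return {
        ("root.example.", Q): ("referral", "in-addr.arpa.", ["arpa-ns.example."]),
        ("arpa-ns.example.", Q): ("referral", "192.in-addr.arpa.", ["rir-ns.example."]),
        ("rir-ns.example.", Q): ("referral", "2.0.192.in-addr.arpa.",
                                 ["ns1.hoster.example.", "ns2.hoster.example."]),
    }


HEALTHY = {**_chain(), ("ns1.hoster.example.", Q): ("answer", "mail.customer.example.")}
LOOPING = {**_chain(),
           ("ns1.hoster.example.", Q): ("referral", "2.0.192.in-addr.arpa.", ["ns2.hoster.example."]),
           ("ns2.hoster.example.", Q): ("referral", "2.0.192.in-addr.arpa.", ["ns1.hoster.example."])}
SILENT = _chain()  # hoster servers never reply, like the timed-out dig above

if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("looping", LOOPING), ("silent", SILENT)):
        r = walk_referrals(Q, table, ROOT)
        print(label, r["status"], r.get("rdata") or r.get("reason"), "after", r["queries"], "queries")
```

The descend check fires on the first bad referral (query 4 in the looping scenario) rather than after the budget is spent, and it distinguishes a lame delegation from servers that simply do not answer, which is the difference between the dnsstuff loop and the poster's earlier dig timeout.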