Traditional DNS Howto - Page 7

The Reverse Zone File

Programs can now look up the centralsoft.org domain and all its subdomains in DNS, but we also need a reverse zone that maps our IP addresses back to names in centralsoft.org. Many programs perform this reverse lookup and refuse to talk to a host whose reverse lookup does not match its forward lookup (i.e. the normal lookup of centralsoft.org). Mail servers in particular use the reverse lookup as one of the signals for deciding whether a message is spam.

Because we do not want mail originating from the centralsoft.org domain to be classified as spam, we create a reverse zone.

Therefore we add this to our named.conf file:

zone "158.253.70.in-addr.arpa" {
    type master;
    file "pri.158.253.70.in-addr.arpa";
};

What are the numbers in there? As you noticed, centralsoft.org lives in the 70.253.158.x network. We take the network part 70.253.158, write its octets in reverse order (158.253.70) and append .in-addr.arpa; that is the name of the reverse zone we add to named.conf. Note that reverse zones are delegated along with the address space: the rest of the Internet will only ask our servers about 158.253.70.in-addr.arpa once the holder of the 70.253.158.0/24 block (normally the ISP) delegates that zone to server1.centralsoft.org and ns0.centralsoft.org. Without that delegation the zone only answers queries sent directly to our own servers.

We name the reverse zone file pri.158.253.70.in-addr.arpa and create it in the same directory as our "forward" zone file pri.centralsoft.org.

The beginning of pri.158.253.70.in-addr.arpa looks exactly like the beginning of pri.centralsoft.org:

@ IN SOA server1.centralsoft.org. root.localhost. (
        2006012103 ; serial
        28800      ; refresh, seconds
        7200       ; retry, seconds
        604800     ; expire, seconds
        86400 )    ; minimum, seconds

; the NS lines are indented so that they inherit the owner name @ (the zone itself)
        NS server1.centralsoft.org.
        NS ns0.centralsoft.org.

But now we do not create A, MX, CNAME, etc. records any more; we only create PTR records.

PTR Records

PTR is short for pointer, and that is what it does: it points from an address back to a domain name. Let's create a PTR record for centralsoft.org:

42                 PTR    centralsoft.org.

centralsoft.org's IP address is 70.253.158.42, and we want 70.253.158.42 to point back to centralsoft.org. The owner name 42 is relative to the zone origin, so the full name of this record is 42.158.253.70.in-addr.arpa.

We create exactly one pointer for each IP address we use; the only other address we use is 70.253.158.45 (for ns0.centralsoft.org), so we add:

45                 PTR    ns0.centralsoft.org.

That's all. Our reverse zone file now looks like this:

@ IN SOA server1.centralsoft.org. root.localhost. (
        2006012103 ; serial
        28800      ; refresh, seconds
        7200       ; retry, seconds
        604800     ; expire, seconds
        86400 )    ; minimum, seconds

; the NS lines are indented so that they inherit the owner name @ (the zone itself)
        NS server1.centralsoft.org.
        NS ns0.centralsoft.org.

; one PTR per address; owner names are relative to 158.253.70.in-addr.arpa
42      PTR    centralsoft.org.
45      PTR    ns0.centralsoft.org.

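The zone above was written by hand from two addresses. The following Python script is an added example (not part of the original howto) that automates the two mechanical steps described above: turning a network such as 70.253.158.x into the zone name 158.253.70.in-addr.arpa, and emitting exactly one PTR record per address from a table of forward A records. The record table is constructed from the hosts this howto uses; the SOA/NS header, the pri.<zone> file naming and the named.conf stanza follow the howto. Hosts in several /24 networks are grouped into one reverse zone each, which goes slightly beyond the single-zone case shown here.

```python
"""Generate BIND reverse (in-addr.arpa) zone files from forward A records.

Added example; not from the original howto. Only the classful /8, /16 and /24
cases are handled: smaller blocks are delegated differently (RFC 2317) and
would need the ISP's CNAME-based scheme instead.
"""
import ipaddress
from collections import defaultdict

# Constructed from the howto's forward zone: fully qualified name -> IPv4 address.
FORWARD_A = {
    "centralsoft.org.": "70.253.158.42",
    "ns0.centralsoft.org.": "70.253.158.45",
}

# Same header as the howto's zone files; {serial} is filled in by build_reverse_zones().
SOA_HEADER = """@ IN SOA server1.centralsoft.org. root.localhost. (
        {serial} ; serial
        28800      ; refresh, seconds
        7200       ; retry, seconds
        604800     ; expire, seconds
        86400 )    ; minimum, seconds

        NS server1.centralsoft.org.
        NS ns0.centralsoft.org.
"""


def reverse_zone_name(network: str) -> str:
    """'70.253.158.0/24' -> '158.253.70.in-addr.arpa' (octets reversed, prefix only)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 or /24 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str, zone: str) -> str:
    """Owner name of ip's PTR relative to zone: '42' for 70.253.158.42 in 158.253.70.in-addr.arpa."""
    full = ipaddress.ip_address(ip).reverse_pointer  # '42.158.253.70.in-addr.arpa'
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {zone}")
    return full[: -len(suffix)]


def build_reverse_zones(forward: dict, serial: int) -> dict:
    """Return {zone_name: zone_file_text}, one PTR per address, one zone per /24."""
    by_zone = defaultdict(list)
    seen = {}  # ip -> name, to enforce exactly one PTR per address
    for name, ip in sorted(forward.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if not name.endswith("."):
            raise ValueError(f"{name}: PTR targets must be fully qualified (trailing dot)")
        if ip in seen:
            # Two names on one address (e.g. www and the apex): the operator has to
            # pick the canonical one for the PTR, so refuse rather than guess.
            raise ValueError(f"{ip} already points to {seen[ip]}; cannot also point to {name}")
        seen[ip] = name
        zone = reverse_zone_name(str(ipaddress.ip_network(ip + "/24", strict=False)))
        by_zone[zone].append(f"{ptr_owner(ip, zone):<8}PTR    {name}")
    return {
        zone: SOA_HEADER.format(serial=serial) + "\n" + "\n".join(records) + "\n"
        for zone, records in by_zone.items()
    }


def named_conf_stanza(zone: str) -> str:
    """named.conf zone block, following the howto's pri.<zone> file naming."""
    return f'zone "{zone}" {{\n    type master;\n    file "pri.{zone}";\n}};\n'


if __name__ == "__main__":
    for zone, text in build_reverse_zones(FORWARD_A, 2006012103).items():
        print(named_conf_stanza(zone))
        print(f"; --- pri.{zone} ---")
        print(text)
```

Write the generated text to pri.158.253.70.in-addr.arpa, run `named-checkzone 158.253.70.in-addr.arpa pri.158.253.70.in-addr.arpa` to make sure it parses, and bump the serial every time you regenerate it, otherwise the secondary will not pick up the change.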
Now we can test it by doing a lookup with the command line tool dig. First we look up the IP address of centralsoft.org:

# dig centralsoft.org

; <<>> DiG 9.2.1 <<>> centralsoft.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48489
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;centralsoft.org. IN A

;; ANSWER SECTION:
centralsoft.org. 86400 IN A 70.253.158.42

;; Query time: 198 msec
;; SERVER: 81.169.163.104#53(81.169.163.104)
;; WHEN: Sat Mar 11 18:55:21 2006
;; MSG SIZE rcvd: 49

As you see, it returns the IP address 70.253.158.42.

Now we do a reverse lookup:

# dig -x 70.253.158.42

; <<>> DiG 9.2.1 <<>> -x 70.253.158.42
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4096
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;42.158.253.70.in-addr.arpa. IN PTR

;; ANSWER SECTION:
42.158.253.70.in-addr.arpa. 5304 IN PTR centralsoft.org.

;; Query time: 2 msec
;; SERVER: 81.169.163.104#53(81.169.163.104)
;; WHEN: Sat Mar 11 18:57:54 2006
;; MSG SIZE rcvd: 98

You see, the forward and the reverse lookup match each other: the PTR record for 70.253.158.42 names centralsoft.org, and the A record of centralsoft.org points back to 70.253.158.42. This is exactly the agreement mail servers check. Note that both answers above came from the recursive resolver 81.169.163.104 (see the SERVER lines), not from server1.centralsoft.org itself.
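The check that the two dig commands perform by hand is known as forward-confirmed reverse DNS: look up the PTR for the address, then look up the A record of every name it returns, and require that one of them leads back to the original address. The following Python script is an added example (not part of the original howto) that implements that decision logic, including the failure modes a mail server runs into: no PTR at all, a PTR whose target has no A record or points elsewhere, and several PTRs of which only one confirms. The lookup tables are constructed from the howto's two records plus deliberately broken entries, so the script runs offline; in a real deployment the two table-backed lookup functions would be replaced by DNS queries (the equivalents of `dig -x ADDR +short` and `dig NAME A +short`).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as mail servers apply it.

Added example, not from the original howto. PTR_TABLE and A_TABLE are
constructed test data standing in for real DNS answers.
"""
import ipaddress

# Constructed data: the first two entries are the howto's records,
# the rest exercise the ways a reverse setup can be wrong.
PTR_TABLE = {
    "70.253.158.42": ["centralsoft.org."],
    "70.253.158.45": ["ns0.centralsoft.org."],
    "70.253.158.50": ["mail.centralsoft.org."],      # PTR exists, but its A record points elsewhere
    "70.253.158.51": ["old.centralsoft.org."],       # PTR target has no A record at all
    "70.253.158.52": ["a.example.", "b.example."],   # two PTRs, only one confirms
}
A_TABLE = {
    "centralsoft.org.": ["70.253.158.42"],
    "ns0.centralsoft.org.": ["70.253.158.45"],
    "mail.centralsoft.org.": ["70.253.158.99"],
    "a.example.": ["192.0.2.10"],
    "b.example.": ["70.253.158.52"],
}


def lookup_ptr(ip: str) -> list:
    """Stand-in for a PTR query (dig -x ip +short); returns [] when there is none."""
    return PTR_TABLE.get(ip, [])


def lookup_a(name: str) -> list:
    """Stand-in for an A query (dig name A +short); DNS names compare case-insensitively."""
    return A_TABLE.get(name.lower().rstrip(".") + ".", [])


def fcrdns(ip: str, lookup_ptr=lookup_ptr, lookup_a=lookup_a) -> tuple:
    """Return (status, confirmed_names) for an address.

    status is one of:
      'no_ptr'     the address has no PTR record (most mail servers reject or greylist)
      'confirmed'  at least one PTR target has an A record back to the address
      'mismatch'   PTRs exist but none of their targets resolve back to the address
    """
    ip = str(ipaddress.ip_address(ip))  # normalise, and reject garbage input early
    names = lookup_ptr(ip)
    if not names:
        return "no_ptr", []
    confirmed = [name for name in names if ip in lookup_a(name)]
    return ("confirmed" if confirmed else "mismatch"), confirmed


def audit(ips) -> dict:
    """Run fcrdns() over a list of addresses; handy for checking a whole mail relay pool."""
    return {ip: fcrdns(ip) for ip in ips}


if __name__ == "__main__":
    for ip, (status, names) in audit(sorted(PTR_TABLE) + ["70.253.158.60"]).items():
        print(f"{ip:<16} {status:<10} {' '.join(names)}")
```

When you wire the two lookups to real DNS, point them at your own authoritative server (dig's `@server1.centralsoft.org`) while testing, so that a stale answer in a caching resolver does not hide a zone you have just fixed; once the ISP's delegation is in place, repeat the check through an ordinary resolver, which is what remote mail servers will use.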


Comments

From: Anonymous at: 2006-03-12 15:55:03

IMO you should at least mention dynamic DNS updates, a method of editing your zones remotely from anywhere on the Internet:

http://linux.yyz.us/nsupdate/

http://linux.yyz.us/dns/ddns-server.html

From: Anonymous at: 2006-03-21 07:12:40

I don't think dynamic dns has much to do with traditional DNS configuration. It certainly deserves a Howto of its own, but I don't see it as applicable to this article.

From: Anonymous at: 2006-04-13 12:33:52

1) Restricting zone transfers is useless. Anyone with secret data in public DNS is doing something wrong anyway. Restricting zone transfers just makes it harder to debug DNS problems.

2) Make it clear that recursion should be disabled on nameservers. Never use the same dns as both nameserver and resolver. Public resolvers helps doing dns amplification DoS attacks. (http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf)

From: Anonymous at: 2006-04-14 18:35:41

Though this work looks good, it is almost all written from a BIND perspective. Some focus on using tools to troubleshoot problems would be good.

Mention of alternate DNS packages would be good, especially for running the various DNS roles (caching, authoritative). BIND is especially bad running as a cache and auth from the same daemon.

Finally, the expected plug: http://www.lifewithdjbdns.org/ .

From: Anonymous at: 2006-05-20 22:30:55

I have spent a lot of time trying to learn DNS and have read A LOT of "How-to's" on the subject. This how-to is hands-down the best I have seen. Well done!

From: Anonymous at: 2011-09-13 09:52:02

I am a first timer but managed to configure it to run! Well done, thanks a billion!

From: at: 2007-03-11 10:50:27

Thanks for this clarification on DNS.

Just want to add that reading the logs is basic for troubleshooting and if your sec. runs on another machine (shouldn't it be...) make sure that both machines (servers) are synchronized on time (helps if both have ntp) otherwise you'll wonder why zones don't transfer.

From: Makarand at: 2010-02-14 15:47:42

This tutorial is truly outstanding. I was able to follow it and get my DNS server up and running for my local LAN in less than an hour. Excellent work, guys. Deepest gratitude !

From: Anonymous at: 2009-12-14 22:05:03

This article is actually good, even if you only want to know about how DNS works.

Thank you.

From: Son Nguyen at: 2012-07-04 10:20:37

One billion thanks to author!
This is a very very very useful article.

From: Anonymous at: 2006-03-18 12:03:01

This is a superb howto. Also reminding us again the power of Linux that is we are free to configure it down to the configuration files. Many thanks :)

From: Anonymous at: 2006-04-11 04:20:25

the best tutorial for dns i've ever seen... woulda been nice to have this 2 weeks ago...

From: Anonymous at: 2006-06-14 05:48:33

wow that's great HOWTO ,job well done ,more power keep up the good work dudes!!!

From: Anonymous at: 2008-12-20 12:42:55

Excellent !

From: sujay at: 2012-11-27 22:55:07

It's really really awesome !!!!

From: Anonymous at: 2006-04-20 17:13:39

This is indeed the best DNS tutorial I have ever read.

I would definitely say that the author did a commendable job indeed. (SPF information was the crowning jewel.)

Well done,

Hope to see some more articles in the same tone.

From: Anonymous at: 2006-04-21 16:05:06

A DNS server on the Internet should normally only answer queries for the domains it is authoritative for. But unless you configure it otherwise bind will pass on requests for other domains up the hierarchy. This means it can potentially be used in a Denial of Service attack against other DNS servers. You can prevent this by restricting lookup via other DNS servers only to devices you trust. To do this add another line to the options section in the form...

options {
  ...
  allow-recursion { trusted.IP.subnet; };
};

It will still answer queries from anywhere for domains for which it is the authoritative server, but will now only do lookups via other DNS servers for requests from the trusted subnet.

From: Anonymous at: 2006-05-15 02:11:29

This HOWTO imho puts DNS in layman terms. I truly appreciate it.

Now to tackle my own little DNS venture :D

From: Anonymous at: 2006-06-14 05:52:31

wow that's great HOWTO,

job well done,keep the good work dudes!!! more power!!

From: RChan at: 2009-04-18 18:36:38

I've been a Unix SA for over 15 years now and I never took the time to really understand how to setup a DNS server.  At the companies I've worked for, they were usually setup before my time and I just had to maintain them and update A records or add CNAMEs.  This is by far the most informative writeup in very simple terms.  I would recommend this to any SA!

From: denu at: 2008-11-18 09:40:37

...very much for this great HowTo!

From: Anonymous at: 2009-03-18 18:35:32

Thank you very much for this HOWTO.  It is really really good for a SysAdmin.

From: Anonymous at: 2009-12-18 05:22:38

Very informative HOW-TO and very simple to follow.

From: Big Tone at: 2009-10-03 20:04:45

I thought I knew a little about DNS ... until I installed Bind(9) on FreeBSD for the first time. That's when I realized I knew what DNS did and that's about it!

Thanks for this very informative tutorial that answered a LOT of questions.

From: Richard B at: 2010-03-09 17:54:15

Fantastic job. I have had problems due to reverse DNS and other things that Network Solutions doesn't support in its hosted DNS... so I've had to set up my own DNS server. I had already completed everything on my own before finding this, but I realize now that much of what I had set up was redundant and just wrong. It still worked, but this has me down to just 4 files in my zone records and I have more stuff set up now for SPF and the tip mentioned here for "allow-recursion" within the options section of named.conf (though I had to do research to figure out how to list my IP block since I'm on what I now know to be a "moat" type setup and I only want the IPs on that network to contact me for DNS lookup).

Another tip I came across... add the following to the options section in named.conf:

version "Nunyabeeswax";

Replace "Nunyabeeswax" with whatever you want.  This helps fight some hacking by hiding the version number of BIND... though it's probably mainly useful for those that refuse to upgrade old name servers.

Again, excellent writeup. I wanted to learn more and after digging through plenty of other articles, this was the most complete and understandable.

Other notes:

/var/named/ - default location in Slackware for Zone files

everything after ; in a zone file is a comment so be descriptive.

From: ed at: 2014-05-03 07:42:26

Are the settings on sec.centralsoft.org almost the same as in pri.centralsoft.org?