Classless Reverse DNS with Recursion – BIND

bind

I'm running BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 on CentOS 6.6. The only zone is for classless reverse DNS, which has been delegated.

I'm no BIND or DNS expert, but as I understand it, classless reverse DNS requires recursion.

With recursion set to "any", the server returns correct PTR records, but also functions as an open DNS server, which is not desired. With recursion set to localhost, all queries are denied.

Recursion any:

64.19.199.56

Server: slcdns1.redacted.com
Address: 64.19.199.55
Aliases: 55.199.19.64.in-addr.arpa

Non-authoritative answer:
56.199.19.64.in-addr.arpa canonical name = 56.0-127.199.19.64.in-addr.arpa

56.0-127.199.19.64.in-addr.arpa name = slcdns2.redacted.com

0-127.199.19.64.in-addr.arpa nameserver = slcdns1.redacted.com
0-127.199.19.64.in-addr.arpa nameserver = slcdns2.redacted.com
slcdns1.redacted.com internet address = 64.19.199.55
slcdns2.redacted.com internet address = 64.19.199.56

Recursion localhost:

64.19.199.56

Server: slcdns1.redacted.com
Address: 64.19.199.55
Aliases: 55.199.19.64.in-addr.arpa

*** slcdns1.redacted.com can't find 56.199.19.64.in-addr.arpa.: Query refused

Any thoughts on how I can get this to respond to queries for the reverse zone without functioning as an open server? Also, is it the correct behavior for the first query to show as non-authoritative?

named.conf:
options {
    listen-on port 53 { 10.10.1.55; };
    directory              "/var/named";
    dump-file              "/var/named/data/cache_dump.db";
    statistics-file        "/var/named/data/named_stats.txt";
    memstatistics-file     "/var/named/data/named_mem_stats.txt";
    bindkeys-file          "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity debug;
    };
};

// Note: once a "view" is declared, BIND 9 refuses to load any zone declared
// outside a view ("all zones must be in views"), so the zones in this include
// have to live inside a view, without duplicating the "." hint and "localhost"
// zones declared in the view below.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

view "outsiderev" {
    empty-zones-enable no;
    allow-recursion { 127.0.0.1; };   // only loopback may ask this server to recurse
    allow-query { none; };            // view-wide default; the zones below override it
    additional-from-auth  no;
    additional-from-cache no;

    // Authoritative RFC 2317 (classless) reverse zone: names under it are answered
    // straight from the zone file, so no recursion is involved.
    zone "0-127.199.19.64.in-addr.arpa" {
        type master;
        file "/var/named/64.19.199.rev";
        allow-update   { 10.10.1.56; };
        allow-query    { any; };
        allow-transfer { 10.10.1.56; };
        notify yes;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "redacted.com" {
        type master;
        file "/var/named/redacted.com.hosts";
        allow-update   { 10.10.1.56; };
        allow-query    { any; };
        allow-transfer { 10.10.1.56; };
        notify yes;
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/var/named/127.0.0.rev";
        allow-update { none; };
        allow-query  { none; };
    };

    zone "localhost" IN {
        type master;
        file "master.localhost";
    };
};

Zone file:

$TTL 38400   ; added: without $TTL, BIND 9 warns and falls back to the SOA minimum
$ORIGIN 0-127.199.19.64.IN-ADDR.ARPA.
@   IN  SOA slcdns1.redacted.com. administrator.redacted.com. (
            1379648159  ; serial
            10800       ; refresh
            3600        ; retry
            604800      ; expire
            38400 )     ; minimum / negative-caching TTL
@   IN  NS  slcdns1.redacted.com.
@   IN  NS  slcdns2.redacted.com.
; Only the host octet is used as the owner name. The RFC 2317 CNAMEs that point
; here (e.g. 56.199.19.64.in-addr.arpa -> 56.0-127.199.19.64.in-addr.arpa) live in
; the parent zone 199.19.64.in-addr.arpa, not in this one.
55  IN  PTR slcdns1.redacted.com.
56  IN  PTR slcdns2.redacted.com.



Best Answer

Your server is already behaving exactly as you want, but you're not querying it from localhost. Use 127.0.0.1 or localhost for the name server you query. If you used localhost it would say localhost, not slcdns1.redacted.com, in the output.

Also, when asking DNS questions, it's mind-numbingly frustrating when the questioner tries to mask the domains and / or IPs. You can always go back later and edit out the real domain names.

No one here would automatically know that you replaced diamedic.net with redacted.com since redacted.com is an actual website and any test people here try to make will fail. Most people won't bother helping if you make it needlessly difficult.

If you insist on masking it, there are well-defined domain names in RFC 2606 and IP addresses in RFC 5737 that should be used.

Edit: You do not need recursion at all for your PTR records. You need recursion if you want your name server to return results from other name servers.
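To verify the two properties the question is really about (the server answers its own reverse zone authoritatively, and it does not recurse for outsiders) without trusting nslookup's wording, the following added example, which is not part of the original post or answer, builds raw DNS queries and reads the header flags of the replies: the AA bit says "this came from my zone data", the RA bit says "I will recurse for you", and RCODE 5 is REFUSED. The sample replies are constructed by hand from the output shown in the question; the server address, the target name www.example.com and the 3600-second TTL are illustrative assumptions. One detail the flags make visible: the name nslookup asks for, 56.199.19.64.in-addr.arpa, belongs to the parent zone 199.19.64.in-addr.arpa, where the delegating provider's RFC 2317 CNAME lives, not to 0-127.199.19.64.in-addr.arpa. A non-recursive query for it is therefore refused, while the "Non-authoritative answer" seen with recursion enabled is the server chasing that CNAME as a resolver. The name inside the server's own zone, 56.0-127.199.19.64.in-addr.arpa, is answered with AA set and no recursion at all.

```python
import socket
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12}
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def encode_name(name):
    """Wire-encode an absolute domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def reverse_name(ipv4):
    """'64.19.199.56' -> '56.199.19.64.in-addr.arpa.' (what nslookup/dig -x asks for)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def in_zone(qname, zone):
    """True when qname lies at or below zone.  56.199.19.64.in-addr.arpa is NOT
    inside 0-127.199.19.64.in-addr.arpa: that CNAME lives in the parent zone."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(q) >= len(z) and q[-len(z):] == z

def build_query(qname, qtype, rd, qid=0x1234):
    """Build a query; rd=False is what 'dig +norecurse' sends."""
    flags = 0x0100 if rd else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)

def build_response(query, aa, ra, rcode, answers=()):
    """Construct a reply to `query` (used only to build the offline samples).
    answers: iterable of (owner, type_name, rdata_bytes); TTL 3600 is assumed."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0) + query[12:]
    for owner, type_name, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", QTYPE[type_name], 1, 3600, len(rdata)) + rdata
    return msg

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return the header bits and answer RR types an operator checks."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answer_types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answer_types.append(rtype)
        off += 10 + rdlen
    return {"id": qid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answer_types": answer_types}

def assess(own_reply, foreign_reply):
    """own_reply: reply to a non-recursive PTR query for a name inside the server's
    zone.  foreign_reply: reply to a recursive A query for a name it does not serve."""
    own, foreign = parse_response(own_reply), parse_response(foreign_reply)
    return {
        "authoritative_for_zone": own["aa"] and own["rcode"] == RCODE_NOERROR
        and QTYPE["PTR"] in own["answer_types"],
        "open_resolver": foreign["ra"] and foreign["rcode"] == RCODE_NOERROR
        and bool(foreign["answer_types"]),
        "refuses_foreign": foreign["rcode"] == RCODE_REFUSED,
    }

def query_server(server, qname, qtype, rd, timeout=3.0):
    """Send one UDP query to a live server (not exercised by the offline samples)."""
    q = build_query(qname, qtype, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return reply

# Constructed samples modelled on the nslookup output in the question.
ZONE = "0-127.199.19.64.in-addr.arpa."
IN_ZONE_QUERY = build_query("56." + ZONE, "PTR", rd=False)
SAMPLE_OWN_AA = build_response(IN_ZONE_QUERY, aa=True, ra=False, rcode=RCODE_NOERROR,
                               answers=[("56." + ZONE, "PTR", encode_name("slcdns2.redacted.com."))])
FOREIGN_QUERY = build_query("www.example.com.", "A", rd=True)
SAMPLE_FOREIGN_REFUSED = build_response(FOREIGN_QUERY, aa=False, ra=False, rcode=RCODE_REFUSED)
SAMPLE_FOREIGN_OPEN = build_response(FOREIGN_QUERY, aa=False, ra=True, rcode=RCODE_NOERROR,
                                     answers=[("www.example.com.", "A", bytes([93, 184, 216, 34]))])

if __name__ == "__main__":
    print("offline sample:", assess(SAMPLE_OWN_AA, SAMPLE_FOREIGN_REFUSED))
```

Against a live server, `assess(query_server("64.19.199.55", "56." + ZONE, "PTR", rd=False), query_server("64.19.199.55", "www.example.com.", "A", rd=True))` should report authoritative_for_zone True and open_resolver False. The same checks with dig are `dig @64.19.199.55 56.0-127.199.19.64.in-addr.arpa PTR +norecurse` (expect `aa` among the flags) and `dig @64.19.199.55 www.example.com A` (expect status REFUSED), while `dig @64.19.199.55 -x 64.19.199.56 +norecurse` is refused for the parent-zone reason described above rather than because anything is misconfigured.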
