Global Reverse DNS look-ups not working

bind, domain-name-system, reverse-dns

I am moving from an old server to a new one and everything went well until I got to the DNS server. I cannot get the reverse look-up to work.

I cannot find any misconfiguration but I'm not an expert. rDNS locally works but from other Inet hosts it fails.

named.conf:

zone "5.253.159.in-addr.arpa" IN {
    type master;
    file "5.253.159.in-addr.arpa";
    allow-query { any; };
};

Zone config: (5.253.159.in-addr.arpa)

$TTL 86400
@ IN SOA h4u.be. root.h4u.be. (
    2012083001  ;Serial
    3600        ;Refresh
    1800        ;Retry
    604800      ;Expire
    86400       ;Minimum TTL
)

5.253.159.in-addr.arpa. IN NS ns.h4u.be.
5.253.159.in-addr.arpa. IN NS ns2.h4u.be.

123 IN PTR h4u.be.

Localhost dig result:

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65102
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;123.5.253.159.in-addr.arpa. IN PTR

;; ANSWER SECTION:
123.5.253.159.in-addr.arpa. 86400 IN PTR h4u.be.

;; AUTHORITY SECTION:
5.253.159.in-addr.arpa. 86400 IN NS ns2.h4u.be.
5.253.159.in-addr.arpa. 86400 IN NS ns.h4u.be.

;; ADDITIONAL SECTION:
ns.h4u.be. 86400 IN A 159.253.5.123
ns2.h4u.be. 86400 IN A 159.253.5.123

;; Query time: 3 msec
;; SERVER: 159.253.5.123#53(159.253.5.123)
;; WHEN: Thu Aug 30 13:11:58 2012
;; MSG SIZE rcvd: 131

Inet dig result:

;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;123.5.253.159.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
5.253.159.in-addr.arpa. 8032 IN SOA ns3.uxw.nl. ns3.uxw.nl. 0 10800 3600 604800 3600

;; Query time: 0 msec
;; SERVER: 62.193.206.133#53(62.193.206.133)
;; WHEN: Thu Aug 30 13:12:32 2012
;; MSG SIZE rcvd: 90

Best Answer

You've set it up correctly on your server, but your server is not marked as authoritative for 123.5.253.159.in-addr.arpa. Your reverse DNS is managed by your ISP (the whole 5.253.159.in-addr.arpa zone):

; <<>> DiG 9.7.3-P3 <<>> ns 5.253.159.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43579
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;5.253.159.in-addr.arpa.        IN  NS

;; ANSWER SECTION:
5.253.159.in-addr.arpa. 86010   IN  NS  ns3.uxw.nl.
5.253.159.in-addr.arpa. 86010   IN  NS  ns4.uxw.nl.

You have 2 solutions to solve that:

  1. ask your ISP to define the 123.5.253.159.in-addr.arpa record for you on their DNS (ns3.uxw.nl and ns4.uxw.nl),
  2. ask your ISP to delegate the 123.5.253.159.in-addr.arpa record to your server, as per the RFC 2317, this is just a matter of defining a CNAME pointing to a new record on a new zone on your DNS (you then have to define this special zone on your DNS, your ISP will tell you how to name this new zone).

The first solution is probably the quickest, but if you change your server's name in the future, you've got to ask them to change it again. The second solution is the most flexible, if your ISP is willing to support RFC 2317. If your ISP is providing you with more than a single address, reverse DNS can be delegated for all of them (the whole range) so you can be in charge. I'd recommend you ask for that.

This similar question is worth reading.

Trivia: a few years ago (5, or 10 years back), some people were advocating against RFC 2317, because some DNS clients couldn't handle the reverse queries well. However, I don't think that is relevant anymore; RFC 2317 has existed for about 15 years now.
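Added example (not part of the question or the answer above): a small Python script that does two things the answer describes by hand. `diagnose_ptr_answer()` parses a dig-style response for a PTR query and reports whether the responding server answered authoritatively (the `aa` flag) and, if not, which SOA the authority section names, which is exactly how the NXDOMAIN from the ISP's resolver reveals that ns3.uxw.nl holds the zone. `rfc2317_delegation()` then builds the record sets an RFC 2317 classless delegation needs on both sides. The two dig excerpts are copied from the question; the /29 block, the `120/29` zone name and the PTR target are constructed assumptions, and the `first/prefix` naming follows the RFC's own example (an ISP may prefer `first-last`).

```python
"""Reverse-DNS delegation helpers: diagnosis of a PTR answer and RFC 2317
record generation. Example code added to this page; names and prefixes
other than those in the question are constructed for illustration."""
import ipaddress
import re

# Constructed samples, trimmed from the two dig runs in the question.
LOCAL_DIG = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65102
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
123.5.253.159.in-addr.arpa. 86400 IN PTR h4u.be.
"""
INET_DIG = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
5.253.159.in-addr.arpa. 8032 IN SOA ns3.uxw.nl. ns3.uxw.nl. 0 10800 3600 604800 3600
"""


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address (with trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def diagnose_ptr_answer(dig_output: str) -> dict:
    """Extract status, the aa flag, the PTR target and the SOA MNAME from
    dig text. A missing aa flag plus a foreign SOA in the authority section
    means the query was answered from someone else's copy of the zone."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    ptr = re.search(r"^\S+\s+\d+\s+IN\s+PTR\s+(\S+)", dig_output, re.M)
    soa = re.search(r"^\S+\s+\d+\s+IN\s+SOA\s+(\S+)", dig_output, re.M)
    return {
        "status": status.group(1) if status else None,
        "authoritative": bool(flags and "aa" in flags.group(1).split()),
        "ptr": ptr.group(1) if ptr else None,
        "soa_mname": soa.group(1) if soa else None,
    }


def rfc2317_delegation(cidr: str, customer_ns: list, ptr_targets: dict) -> dict:
    """Build the ISP-side NS + CNAME records and the customer-side zone for
    a classless (longer than /24) reverse delegation, RFC 2317 style."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 is only needed for blocks smaller than a /24")
    o1, o2, o3, _ = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    first = net.network_address.packed[3]
    last = net.broadcast_address.packed[3]
    # Zone name in the RFC's example style; BIND accepts '/' here, but some
    # ISPs and tools use "first-last" instead, so confirm with the ISP.
    sub = f"{first}/{net.prefixlen}.{parent}"

    isp_records = [f"{sub} IN NS {ns}" for ns in customer_ns]
    isp_records += [f"{h}.{parent} IN CNAME {h}.{sub}" for h in range(first, last + 1)]

    customer_records = [f"$ORIGIN {sub}"]
    customer_records += [f"@ IN NS {ns}" for ns in customer_ns]
    for h in range(first, last + 1):
        ip = str(net.network_address + (h - first))
        if ip in ptr_targets:
            customer_records.append(f"{h} IN PTR {ptr_targets[ip]}")
    return {"customer_zone": sub, "isp_records": isp_records,
            "customer_records": customer_records}


if __name__ == "__main__":
    for label, text in (("local", LOCAL_DIG), ("internet", INET_DIG)):
        print(label, diagnose_ptr_answer(text))
    plan = rfc2317_delegation("159.253.5.120/29", ["ns.h4u.be.", "ns2.h4u.be."],
                              {"159.253.5.123": "h4u.be."})
    print("\n".join(plan["isp_records"] + [""] + plan["customer_records"]))
```

Running it prints the local answer as authoritative with the PTR, the internet answer as non-authoritative NXDOMAIN with `ns3.uxw.nl.` as the SOA MNAME, and then the two record sets: the ISP publishes the NS records for `120/29.5.253.159.in-addr.arpa.` plus one CNAME per address in the block, and the customer serves that zone with the PTR records, which is the arrangement the answer's second option describes.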
