I got a mail server that can't send outbound because I don't have my reverse dns entries correct. Admittedly at first I knew it wasn't configured properly but from every single example I could find on the web as well as some helpful hints around here, it's still not working.
$TTL 604800
$ORIGIN 107.xxx.xxx.in-addr.arpa.
@       IN SOA ns2.XX.net. root.XX.net. (
                8         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
;
; Name servers
        IN NS  ns2.XX.net.
        IN NS  ns3.XX.net.
; PTR records
20      IN PTR mail.XX.net.
20      IN PTR ns2.XX.net.
29      IN PTR ns3.XX.net.
I can do a dig mail.XX.net and find a forward zone for mail.yup.net but when I try to do a reverse check, dig -x mail.XX.net, I get the following:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52342
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;net.XX.mail.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
in-addr.arpa. 1725 IN SOA b.in-addr-servers.arpa. nstld.iana.org. (bunch of other numbers)
My named.conf.options file:
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================

    recursion no;                # disables recursive queries (authoritative-only server)
    allow-transfer { none; };    # disable zone transfers by default
    allow-query { any; };
    dnssec-validation auto;
    auth-nxdomain no;            # conform to RFC1035
};

logging {
    channel zone_xfer {
        file "/etc/bind/xfer.log";
        print-time yes;
        print-category yes;
    };
    channel namedsyslogging {
        file "/etc/bind/named.syslog";
        print-time yes;
        severity dynamic;
    };
    category default  { namedsyslogging; default_debug; };
    category xfer-in  { zone_xfer; };
    category xfer-out { zone_xfer; };
};
This is a part of my named.conf.local file:
zone "107.xxx.xxx.in-addr.arpa" { type master; notify no; file "/etc/bind/db.107"; };
This should be working, but I can't guess what I'm missing or what needs to be tweaked. Both mail and ns2 have valid forward zone entries, and they have the corresponding reverse entries as shown, but something isn't right. I understand the NXDOMAIN response means it can't find a valid DNS entry. I'm not sure if perhaps top-level DNS needs more time to update or if this is broken somewhere. Any ideas would be appreciated.
Best Answer
It is normal to supply an IP address to dig -x, not the name of the host. Note also that if you are using public IP addresses, the ISP has to delegate authority to you to manage the PTRs yourself. Many won't do this, so you have to either ask them or use whatever facilities they provide.
Whereas
returns nothing. In more detail
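As an added example (not from the question or the answer), this Python works through both points offline: it builds the in-addr.arpa name that dig -x derives from an IP address, and looks that name up in a constructed copy of the asker's zone. The xxx octets are filled with the private placeholder 10.99 and XX.net becomes example.net; both are assumptions.

```python
import ipaddress
import re

# Constructed zone modelled on the question's; "xxx" octets become the private
# placeholder 10.99 (zone covers 10.99.107.0/24) and XX.net becomes example.net.
ZONE_TEXT = """\
$TTL 604800
$ORIGIN 107.99.10.in-addr.arpa.
@ IN SOA ns2.example.net. root.example.net. ( 8 604800 86400 2419200 604800 )
  IN NS ns2.example.net.
  IN NS ns3.example.net.
20 IN PTR mail.example.net.
20 IN PTR ns2.example.net.
29 IN PTR ns3.example.net.
"""
PTR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)", re.I)


def reverse_name(ip):
    """The in-addr.arpa name dig -x queries; a hostname raises ValueError, since
    reversing its labels (net.XX.mail.in-addr.arpa.) is what gave the NXDOMAIN above."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_ptr_records(zone_text):
    """Map fully qualified owner names to their PTR targets, honouring $ORIGIN."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = PTR_LINE.match(line)
        if m:  # $TTL, SOA and NS lines do not match and are skipped
            owner, target = m.groups()
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
            records.setdefault(fqdn, []).append(target)
    return records


def lookup_ptr(zone_text, ip):
    """What dig -x <ip> would return once this zone is delegated to you."""
    return parse_ptr_records(zone_text).get(reverse_name(ip), [])


def mail_ptr_findings(zone_text, ip, mail_host):
    """Receiving MTAs expect exactly one PTR that names the sending host."""
    targets = lookup_ptr(zone_text, ip)
    if not targets:
        return ["no PTR: reverse lookup returns NXDOMAIN"]
    if len(targets) > 1:
        return [f"{len(targets)} PTRs for one address; keep only {mail_host}"]
    return [] if targets == [mail_host] else [f"PTR names {targets[0]}, not {mail_host}"]
```

Note that the asker's zone gives address .20 two PTR records (mail and ns2); the check above flags that, because a receiver doing a forward-confirmed reverse lookup wants the single name the mail server announces.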