Preface: I am not a Windows admin. I am a Linux admin.
I have a Windows 2016 server with AD DNS that handles internal DNS forward and reverse lookups.
Somewhere, somehow, some process is automatically adding PTR reverse lookup records for CNAMEs. This is breaking our Kerberos authentication for SSH between servers, as the canonical lookup of a host that has CNAMEs will return too many FQDNs and Kerberos balks.
The Kerberos SSH problem was resolved when I removed the CNAME reverse lookups.
Then, the next day, presto! all the PTR -> CNAME entries were back in AD DNS
Example, from the top (I've changed the names to be generic, but the overall setup is the same):
A pair of network operations boxes that run SMTP and Squid proxy have A records
netops01.example.com -> 10.1.2.3
netops02.example.com -> 10.4.5.6
And this same box has CNAMEs
netops
proxy
mailserver
For some reason, there are reverse lookup entries in AD DNS like so:
3.2.1.10.in-addr.arpa. 3600 IN PTR netops.example.com
3.2.1.10.in-addr.arpa. 3600 IN PTR proxy.example.com
3.2.1.10.in-addr.arpa. 3600 IN PTR mailserver.example.com
3.2.1.10.in-addr.arpa. 3600 IN PTR netops01.example.com
The last entry is the A record for this host. All the others are CNAMEs to that A record + another A record for the second host.
Neither I or the other admin that handles ops created these. Nor did we set up any scheduled task to recreate reverse lookups. Nor can I imagine a good reason to have a reverse lookup point to CNAMEs or to multiple results. (Maybe there is a good reason? I've never done this before, though)
So, I deleted all the reverse lookups except the A record one. Kerberos SSH works!
Next day, the records all returned.
I'm not even sure how on Windows to troubleshoot (thus my preface at the top)
- How can I find in the Windows logs what performed this action?
- Is there something about Windows DNS that would automatically do this? (Create PTRs for CNAMEs)
- Is there a way to turn that off?
- Anything else I'm missing?
Best Answer
Answering Myself
I found what I was missing. Two things:
These were not, in fact, CNAMEs. They were A records with multiple hosts listed for the purpose of load balancing.
Since they were A-records, they did have a checkbox along the lines of "automatically create related PTR record"
I unchecked that for these records. That didn't actually seem to fix the problem described here: the PTR records are still being rebuilt each morning.
However, that's not the solution I was looking for, anyway. The underlying problem was that Kerberos wasn't working. Well, that was easy to resolve by adding this "rdns" setting to /etc/krb5.conf
[libdefaults]
rdns = false