Re: Reverse delegation - refused on my DNS

2009-08-22 Thread Michael Monnerie
"Mark Andrews" wrote:
> You do however have a delegation mismatch.
> 
> 48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns1.zmi.at.
> 48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns2.zmi.at.
> ;; Received 91 bytes from 82.98.222.6#53(dns2.serico.de) in 717 ms
> 
> 48-28.164.69.212.in-addr.arpa. 3600 IN  NS  power4u.zmi.at.
> 48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns2.zmi.at.
> 48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns1.zmi.at.
> ;; Received 161 bytes from 212.69.162.197#53(dns1.zmi.at) in 999 ms

Yes, the registered dns are dns[12], power4u is our old DNS which will be
replaced soon, but we still have it in the config until then. Shouldn't be
harmful, I hope.

Thanks for checking!

mfg zmi

(and sorry, again sending from webmail)


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Reverse delegation - refused on my DNS

2009-08-20 Thread Mark Andrews

In message <001201ca21de$6eea36e0$4cbea4...@monnerie@is.it-management.at>, "Michael Monnerie" writes:
> I'm still searching for the error.
> Also, sorry for the strangeness of the mail format, I used a webmail for
> the last mails. This time it's Outlook, don't know if it's really any
> better... at least not for correctly indenting old mail texts :-(
> 
> > Because you don't serve 164.69.212.in-addr.arpa and you
> > tried to access the cache. You should slave
> > 164.69.212.in-addr.arpa so you have the CNAMEs locally.
> > This will also make the above dig directed at your server
> > work as the answer will come from the zone rather than
> > the cache.
> 
> I did that now, helps :-))
> 
> > Note: the lookups are working remotely because iterative
> > resolvers ask for 57.48-28.164.69.212.in-addr.arpa rather
> > than 57.164.69.212.in-addr.arpa as generated by the above
> > dig.
> 
> Ah, I get the point. I always tested from a remote side with
> dig @dns1.zmi.at -x 212.69.164.57
> but that didn't work as this is not an open resolver. Slaving the zone
> as you suggested enables even these lookups to work now. I think it's
> good, as it helps remote sites to debug DNS when hunting an error.
> 
> A plain
> dig -x 212.69.164.57
> also works, so, do I have an issue or is everything OK with my
> configuration?
> 
> Thanks for all your help, to all three of you!
> mfg zmi
> 

All three servers are now answering which is good.

drugs:marka 10:11 {371} % dig +nssearch 48-28.164.69.212.in-addr.arpa
SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server power4u.zmi.at in 2270 ms.
SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server dns1.zmi.at in 1534 ms.
SOA ns4.zmi.at. hostmaster.ns4.zmi.at. 42 172800 14400 3628800 60 from server dns2.zmi.at in 357 ms.
drugs:marka 10:12 {372} % 

You do however have a delegation mismatch.

48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns1.zmi.at.
48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns2.zmi.at.
;; Received 91 bytes from 82.98.222.6#53(dns2.serico.de) in 717 ms

48-28.164.69.212.in-addr.arpa. 3600 IN  NS  power4u.zmi.at.
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns2.zmi.at.
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns1.zmi.at.
;; Received 161 bytes from 212.69.162.197#53(dns1.zmi.at) in 999 ms

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
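Added example, not part of the original thread: a Python check for the delegation mismatch pointed out in the message above, comparing the NS set handed out by the parent zone with the NS set published in the zone itself. The two inputs are the dig lines quoted in that message; the function names are this example's own.

```python
def ns_set(dig_text, owner):
    """Collect the NS targets for `owner` from dig-style record lines."""
    owner = owner.lower().rstrip(".") + "."
    targets = set()
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and dig comments
        fields = line.split()
        if fields[0].lower() != owner or "NS" not in fields[1:]:
            continue                      # other owner or other record type
        pos = fields.index("NS", 1)
        if pos + 1 < len(fields):
            targets.add(fields[pos + 1].lower().rstrip(".") + ".")
    return targets


def delegation_diff(parent_text, child_text, owner):
    """Compare the parent's delegation NS set with the zone's own NS set."""
    parent = ns_set(parent_text, owner)
    child = ns_set(child_text, owner)
    return {
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
        "consistent": parent == child,
    }


ZONE = "48-28.164.69.212.in-addr.arpa."

# Response from the parent side (dns2.serico.de), as quoted in the thread.
PARENT_SIDE = """\
48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns1.zmi.at.
48-28.164.69.212.in-addr.arpa. 86400 IN NS  dns2.zmi.at.
;; Received 91 bytes from 82.98.222.6#53(dns2.serico.de) in 717 ms
"""

# Response from the zone's own server (dns1.zmi.at), as quoted in the thread.
CHILD_SIDE = """\
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  power4u.zmi.at.
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns2.zmi.at.
48-28.164.69.212.in-addr.arpa. 3600 IN  NS  dns1.zmi.at.
;; Received 161 bytes from 212.69.162.197#53(dns1.zmi.at) in 999 ms
"""

if __name__ == "__main__":
    print(delegation_diff(PARENT_SIDE, CHILD_SIDE, ZONE))
```

A server listed only in the zone's own NS set is never reached by following the parent's referral, but resolvers that have cached the zone's NS set may still query it, so it has to keep serving current data until it is removed from the zone.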


RE: Reverse delegation - refused on my DNS

2009-08-20 Thread Michael Monnerie
I'm still searching for the error.
Also, sorry for the strangeness of the mail format, I used a webmail for the 
last mails. This time it's Outlook, don't know if it's really any better... at 
least not for correctly indenting old mail texts :-(

>   Because you don't serve 164.69.212.in-addr.arpa and you
>   tried to access the cache. You should slave
>   164.69.212.in-addr.arpa so you have the CNAMEs locally.
>   This will also make the above dig directed at your server
>   work as the answer will come from the zone rather than
>   the cache.

I did that now, helps :-))
 
>   Note: the lookups are working remotely because iterative
>   resolvers ask for 57.48-28.164.69.212.in-addr.arpa rather
>   than 57.164.69.212.in-addr.arpa as generated by the above
>   dig.

Ah, I get the point. I always tested from a remote side with
dig @dns1.zmi.at -x 212.69.164.57
but that didn't work as this is not an open resolver. Slaving the zone as you 
suggested enables even these lookups to work now. I think it's good, as it 
helps remote sites to debug DNS when hunting an error.

A plain
dig -x 212.69.164.57
also works, so, do I have an issue or is everything OK with my configuration?

Thanks for all your help, to all three of you!
mfg zmi



RE: Reverse delegation - refused on my DNS

2009-08-19 Thread Ben Bridges
It appears that dns1.zmi.at is refusing queries for
48-28.164.69.212.in-addr.arpa:

# dig @dns1.zmi.at 48-28.164.69.212.in-addr.arpa NS +norecurs

; <<>> DiG 9.5.0-P1 <<>> @dns1.zmi.at 48-28.164.69.212.in-addr.arpa NS +norecurs
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 11701
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;48-28.164.69.212.in-addr.arpa. IN  NS

;; Query time: 151 msec
;; SERVER: 212.69.162.197#53(212.69.162.197)
;; WHEN: Wed Aug 19 17:11:04 2009
;; MSG SIZE  rcvd: 47


# dig @dns1.zmi.at 57.48-28.164.69.212.in-addr.arpa PTR +norecurs

; <<>> DiG 9.5.0-P1 <<>> @dns1.zmi.at 57.48-28.164.69.212.in-addr.arpa PTR +norecurs
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22169
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;57.48-28.164.69.212.in-addr.arpa. IN   PTR

;; Query time: 150 msec
;; SERVER: 212.69.162.197#53(212.69.162.197)
;; WHEN: Wed Aug 19 17:41:47 2009
;; MSG SIZE  rcvd: 50




However, it appears that dns2.zmi.at is responding properly:

# dig @dns2.zmi.at 48-28.164.69.212.in-addr.arpa NS +norecurs

; <<>> DiG 9.5.0-P1 <<>> @dns2.zmi.at 48-28.164.69.212.in-addr.arpa NS +norecurs
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30521
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;48-28.164.69.212.in-addr.arpa. IN  NS

;; ANSWER SECTION:
48-28.164.69.212.in-addr.arpa. 60 IN NS  dns1.zmi.at.
48-28.164.69.212.in-addr.arpa. 60 IN NS  power4u.zmi.at.
48-28.164.69.212.in-addr.arpa. 60 IN NS  dns2.zmi.at.

;; ADDITIONAL SECTION:
dns1.zmi.at.    60  IN  A   212.69.162.197
dns2.zmi.at.    60  IN  A   212.69.164.57
power4u.zmi.at. 60  IN  A   212.69.162.196

;; Query time: 150 msec
;; SERVER: 212.69.164.57#53(212.69.164.57)
;; WHEN: Wed Aug 19 17:12:23 2009
;; MSG SIZE  rcvd: 161


# dig @dns2.zmi.at 57.48-28.164.69.212.in-addr.arpa PTR +norecurs

; <<>> DiG 9.5.0-P1 <<>> @dns2.zmi.at 57.48-28.164.69.212.in-addr.arpa PTR +norecurs
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58038
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;57.48-28.164.69.212.in-addr.arpa. IN   PTR

;; ANSWER SECTION:
57.48-28.164.69.212.in-addr.arpa. 60 IN PTR dns2.zmi.at.

;; AUTHORITY SECTION:
48-28.164.69.212.in-addr.arpa. 60 IN NS  dns2.zmi.at.
48-28.164.69.212.in-addr.arpa. 60 IN NS  power4u.zmi.at.
48-28.164.69.212.in-addr.arpa. 60 IN NS  dns1.zmi.at.

;; ADDITIONAL SECTION:
dns1.zmi.at.    60  IN  A   212.69.162.197
dns2.zmi.at.    60  IN  A   212.69.164.57
power4u.zmi.at. 60  IN  A   212.69.162.196

;; Query time: 151 msec
;; SERVER: 212.69.164.57#53(212.69.164.57)
;; WHEN: Wed Aug 19 17:42:17 2009
;; MSG SIZE  rcvd: 178


If the named logs on dns1.zmi.at don't tell you what's going wrong (as
previously suggested), you might be able to spot the problem on
dns1.zmi.at by comparing its configuration with that of dns2.zmi.at.


> -Original Message-
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
> Sent: Wednesday, August 19, 2009 5:02 PM
> To: Michael Monnerie
> Cc: bind-users@lists.isc.org
> Subject: Re: Reverse delegation - refused on my DNS
> 
> 
> In message , Michael Monnerie writes:
> > 
> > After reading other threads I got my ISP to delegate me reverse DNS for
> > our subnet:
> > 
> > 212.69.164.48/28
> > 
> > But now I try to resolve it from external:
> > 
> > # dig -x 212.69.164.57 @dns1.zmi.at
> > ; <<>> DiG 9.3.4 <<>> -x 212.69.164.57 @dns1.zmi.at
> > ; (1 server found)
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16794
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > Why does my server refuse it?
> 
>   Because you don't serve 164.69.212.in-addr.arpa and you
>   tried to access the cache. You should slave
>   164.69.212.in-addr.arpa so you have the CNAMEs locally.
>   This will also make the above dig directed at your server
>   work as the answer will come from the zone rather than
>   the cache.

Re: Reverse delegation - refused on my DNS

2009-08-19 Thread Mark Andrews

In message , Michael Monnerie 
writes:
> 
> After reading other threads I got my ISP to delegate me reverse DNS for our
> subnet:
> 
> 
> 212.69.164.48/28
> 
> 
> But now I try to resolve it from external:
> 
> 
> # dig -x 212.69.164.57 @dns1.zmi.at
> ; <<>> DiG 9.3.4 <<>> -x 212.69.164.57 @dns1.zmi.at
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16794
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> 
> 
> Why does my server refuse it?

Because you don't serve 164.69.212.in-addr.arpa and you
tried to access the cache. You should slave
164.69.212.in-addr.arpa so you have the CNAMEs locally.
This will also make the above dig directed at your server
work as the answer will come from the zone rather than
the cache.

Note: the lookups are working remotely because iterative
resolvers ask for 57.48-28.164.69.212.in-addr.arpa rather
than 57.164.69.212.in-addr.arpa as generated by the above
dig.

; <<>> DiG 9.3.6-P1 <<>> -x 212.69.164.57
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3560
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;57.164.69.212.in-addr.arpa. IN PTR

;; ANSWER SECTION:
57.164.69.212.in-addr.arpa. 86379 IN CNAME 57.48-28.164.69.212.in-addr.arpa.
57.48-28.164.69.212.in-addr.arpa. 39 IN PTR dns2.zmi.at.

;; AUTHORITY SECTION:
48-28.164.69.212.in-addr.arpa. 85681 IN NS  dns1.zmi.at.
48-28.164.69.212.in-addr.arpa. 85681 IN NS  dns2.zmi.at.

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 20 07:52:32 2009
;; MSG SIZE  rcvd: 125

Mark

P.S. Complain to your MUA vendor.  Quoted printable is supposed to
be readable by people that don't support mime.  Spaces should stay
as spaces.  They should not be converted to 0xA0 because html doesn't
like multiple spaces.

> I got this:
> 
> 
> zone "48-28.164.69.212.in-addr.arpa" in {
>    type master;
>    file "master/48-28.164.69.212.in-addr.arpa";
>    allow-transfer { mydns; };
>    allow-update { none; };
>    allow-query { any; };
> };
> 
> 
> And the zone file looks like:
> 
> 
> $TTL 60 ; default positive TTL
> @               SOA             ns4.zmi.at.   hostmaster.ns4.zmi.at. (
>                                 42              ; serial
>                                 2d              ; refresh
>                                 4h              ; retry
>                                 6w              ; expiry
>                                 60 )            ; negative TTL
> 
>                 NS              power4u.zmi.at.
>                 NS              dns1.zmi.at.
>                 NS              dns2.zmi.at.
>                 A               212.69.164.60
>                 MX 10
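Added example, not written by any participant in the thread: a Python sketch of why the `dig -x` query in the message above is refused while the lookup still works through an ordinary resolver. It derives the name `dig -x` asks for and the name inside the delegated `48-28` zone, then checks which served zone, if any, covers each. The REFUSED rule is a simplified model of the behaviour described above (outside clients are answered only from zones the server serves), and all function names are hypothetical.

```python
import ipaddress


def reverse_name(ip):
    """Name that `dig -x <ip>` asks for: octets reversed under in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def classless_name(ip, block):
    """Name of the PTR record inside the delegated child zone, using the
    thread's '<first address>-<prefix length>' label (48-28)."""
    net = ipaddress.ip_network(block)
    addr = ipaddress.ip_address(ip)
    if net.prefixlen <= 24 or addr not in net:
        raise ValueError(f"{ip} is not in a sub-/24 block {block}")
    a, b, c, d = str(addr).split(".")
    first = str(net.network_address).split(".")[3]
    return f"{d}.{first}-{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."


def answer_source(qname, served_zones):
    """Longest served zone covering qname, or 'REFUSED' when answering
    would need the cache (simplified model, see lead-in)."""
    labels = qname.lower().rstrip(".").split(".")
    best = None
    for zone in served_zones:
        zl = zone.lower().rstrip(".").split(".")
        if labels[-len(zl):] == zl and (best is None or len(zl) > len(best)):
            best = zl
    return ".".join(best) + "." if best else "REFUSED"


CHILD = "48-28.164.69.212.in-addr.arpa."   # zone delegated by the ISP
PARENT = "164.69.212.in-addr.arpa."        # ISP zone holding the CNAMEs

if __name__ == "__main__":
    asked = reverse_name("212.69.164.57")
    real = classless_name("212.69.164.57", "212.69.164.48/28")
    print(asked, "->", answer_source(asked, [CHILD]))          # REFUSED
    print(real, "->", answer_source(real, [CHILD]))            # child zone
    print(asked, "->", answer_source(asked, [CHILD, PARENT]))  # after slaving
```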

Re: Reverse delegation - refused on my DNS

2009-08-19 Thread Jeremy C. Reed
On Wed, 19 Aug 2009, Michael Monnerie wrote:

> # dig -x 212.69.164.57 @dns1.zmi.at

57.164.69.212.in-addr.arpa is not 48-28.164.69.212.in-addr.arpa

> zone "48-28.164.69.212.in-addr.arpa" in {

Also see your named logs about the "refused".


Reverse delegation - refused on my DNS

2009-08-19 Thread Michael Monnerie
After reading other threads I got my ISP to delegate me reverse DNS for our
subnet:


212.69.164.48/28


But now I try to resolve it from external:


# dig -x 212.69.164.57 @dns1.zmi.at
; <<>> DiG 9.3.4 <<>> -x 212.69.164.57 @dns1.zmi.at
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16794
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
 


Why does my server refuse it? I got this:


zone "48-28.164.69.212.in-addr.arpa" in {
   type master;
   file "master/48-28.164.69.212.in-addr.arpa";
   allow-transfer { mydns; };
   allow-update { none; };
   allow-query { any; };
};
 


And the zone file looks like:


$TTL 60 ; default positive TTL
@   SOA ns4.zmi.at.  hostmaster.ns4.zmi.at. (
            42  ; serial
            2d  ; refresh
            4h  ; retry
            6w  ; expiry
            60 ) ; negative TTL

    NS  power4u.zmi.at.
    NS  dns1.zmi.at.
    NS  dns2.zmi.at.
    A   212.69.164.60
    MX 10   protegate5.zmi.at.

49  PTR gateway-p3u.zmi.at.
50  PTR reserved.zmi.at.
50  PTR reserved.zmi.at.
 


So where's the error?


mfg zmi

