Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Hi Richard,

your ISP has to set up the correct Reverse-DNS for you!

AT&T's Nameservers for reverse delegation lookups:

DBRU.BR.NS.ELS-GMS.ATT.NET
DMTU.MT.NS.ELS-GMS.ATT.NET
CBRU.BR.NS.ELS-GMS.ATT.NET
CMTU.MT.NS.ELS-GMS.ATT.NET

Source: http://ws.arin.net/whois/?queryinput=%2B+12.117.165.106

It is AT&T's job to do so, not yours!

Bye, Michael.

Jason wrote:
> Richard,
>
> My connection is a T1 with a /30, just my IP and the AT&T router on the other end in my subnet... I will try to dig up the reverse lookup servers Monday night, but I'm pretty sure it'll be some AT&T server...
>
> Thank you,
> Jason
>
> richardvo...@gmail.com wrote:
>> On Sat, Nov 15, 2008 at 3:59 PM, Paul Chambers wrote:
>>> Hmm... that's not how I understood it to work (not that I'm a DNS expert...)
>>>
>>> I thought reverse lookups worked their way down through the IP netblock assignments, and it would be up to the entity that 'owns' your IP address (i.e. your ISP) to resolve reverse lookups, or have some mechanism to delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some generated name like 12-34-56-78.static.ispname.com.
>>
>> Well yes. But it's "controls" rather than owns, in that when there's a subassignment of a large block, that subassignment gets registered with ARIN and the end network designates a DNS server for reverse lookups.
>>
>> The biggest issue is that CIDR blocks aren't supported in reverse lookups particularly well, DNS is broken out by the octets of the address, so if your block is smaller than a /24 you'll need to cooperate on reverse lookups with the other networks in the /24.
>>
>> How big is the block in question? If it's a /24 or larger, does ARIN show that block subassigned to your organization? If yes, then make your DNS host the name server for the reverse block and set things up there. If no, have your ISP register the subassignment.
>>
>> If you have a small block, use dig or nslookup to find out what is the DNS server for reverse lookups in that block, and contact that group to add PTR records for your addresses.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
How are you doing the reverse lookup? `dig -x 4.5.6.7` ?

I've found I needed to list the hostname as returned by reverse lookup of the public IP, as well as the hostname sent in outgoing SMTP connections, in my SPF records. Maybe a red herring, but thought I'd mention it.

-- Paul

Jason wrote:
> Paul,
>
> I don't think my upstream provider, AT&T, has delegated the reverse lookup to me because, when I do a reverse lookup from outside my network, nothing shows up in the firewall log. Also, the reverse lookup says "unable to resolve 4.5.6.7". So I think the request is just being dumped.
>
> And yes, I have my SPF records in place with my domain registrar via their name servers.
>
> Thanks,
> Jason
>
> Paul Chambers wrote:
>> Hmm... that's not how I understood it to work (not that I'm a DNS expert...)
>>
>> I thought reverse lookups worked their way down through the IP netblock assignments, and it would be up to the entity that 'owns' your IP address (i.e. your ISP) to resolve reverse lookups, or have some mechanism to delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some generated name like 12-34-56-78.static.ispname.com.
>>
>> If your ISP isn't responding to reverse lookups for your IP address at all, I'm pretty sure their configuration is broken, and it's not something you'll be able to fix/work around.
>>
>> Are you sure it's not resolving at all? Looking at the full mail headers of your post, the first IP address from the Received: lines does reverse-resolve (to 206-169-206-62.vtc.net.)
>>
>> Now if you want your domain name to be returned instead of the ISP's, that will require the co-operation of your ISP, either to change the name returned in their records, or to delegate the request to you. Only if it's delegated to you, do you need to worry about answering the query using dnsmasq. I doubt your ISP would even consider delegating for less than a small block of routeable IPs (and probably not even then).
>>
>> Again, take this with a pinch of salt, since I'm no DNS expert. I'm sure others will correct me if I'm off-base.
>>
>> On a completely different tangent, you don't happen to have SPF records defined for your domain, do you? That's a possible alternate cause of the behavior you described.
>>
>> Paul
>>
>> Jason Wallace wrote:
>>> Friends,
>>>
>>> I am currently running dnsmasq for a small lan as a dhcp and dns server. I recently switched upstream providers and my new provider seems unable to do the reverse lookups for me. So, much of the email from my domain is getting bounced because the reverse lookup doesn't succeed. I would like to set up dnsmasq to answer reverse lookup requests, but I don't quite know how to begin. Here's some info regarding my network:
>>>
>>> 1. The network is "NAT"ted, by the machine that runs dnsmasq.
>>> 2. Inside my lan, my domain, .com, resolves to a local machine (email server), 10.1.1.2, for instance.
>>> 3. Outside my lan, dnsmasq would have to answer that the global IP, 5.6.7.8, resolves to my domain name, .com.
>>> 4. Right now, my network does not answer DNS requests from outside.
>>> 5. My domain registrar is also doing the forward DNS on their name servers.
>>> 6. My upstream provider (ISP) is not the domain registrar.
>>>
>>> All the details above are fabricated, of course.
>>>
>>> Question 1: Will this even work? How can I tell if my NAT machine is even receiving the reverse dns requests?
>>>
>>> Question 2: Assuming that my machine is interrogated for reverse DNS, how do I implement it in dnsmasq in a live environment minimizing downtime. Especially regarding that the domain name resolves one way to my lan and another way (in reverse) to the internet?
>>>
>>> Jason Wallace
Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Richard,

My connection is a T1 with a /30, just my IP and the AT&T router on the other end in my subnet... I will try to dig up the reverse lookup servers Monday night, but I'm pretty sure it'll be some AT&T server...

Thank you,
Jason

richardvo...@gmail.com wrote:
> On Sat, Nov 15, 2008 at 3:59 PM, Paul Chambers wrote:
>> Hmm... that's not how I understood it to work (not that I'm a DNS expert...)
>>
>> I thought reverse lookups worked their way down through the IP netblock assignments, and it would be up to the entity that 'owns' your IP address (i.e. your ISP) to resolve reverse lookups, or have some mechanism to delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some generated name like 12-34-56-78.static.ispname.com.
>
> Well yes. But it's "controls" rather than owns, in that when there's a subassignment of a large block, that subassignment gets registered with ARIN and the end network designates a DNS server for reverse lookups.
>
> The biggest issue is that CIDR blocks aren't supported in reverse lookups particularly well, DNS is broken out by the octets of the address, so if your block is smaller than a /24 you'll need to cooperate on reverse lookups with the other networks in the /24.
>
> How big is the block in question? If it's a /24 or larger, does ARIN show that block subassigned to your organization? If yes, then make your DNS host the name server for the reverse block and set things up there. If no, have your ISP register the subassignment.
>
> If you have a small block, use dig or nslookup to find out what is the DNS server for reverse lookups in that block, and contact that group to add PTR records for your addresses.
Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Paul,

I don't think my upstream provider, AT&T, has delegated the reverse lookup to me because, when I do a reverse lookup from outside my network, nothing shows up in the firewall log. Also, the reverse lookup says "unable to resolve 4.5.6.7". So I think the request is just being dumped.

And yes, I have my SPF records in place with my domain registrar via their name servers.

Thanks,
Jason

Paul Chambers wrote:
> Hmm... that's not how I understood it to work (not that I'm a DNS expert...)
>
> I thought reverse lookups worked their way down through the IP netblock assignments, and it would be up to the entity that 'owns' your IP address (i.e. your ISP) to resolve reverse lookups, or have some mechanism to delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some generated name like 12-34-56-78.static.ispname.com.
>
> If your ISP isn't responding to reverse lookups for your IP address at all, I'm pretty sure their configuration is broken, and it's not something you'll be able to fix/work around.
>
> Are you sure it's not resolving at all? Looking at the full mail headers of your post, the first IP address from the Received: lines does reverse-resolve (to 206-169-206-62.vtc.net.)
>
> Now if you want your domain name to be returned instead of the ISP's, that will require the co-operation of your ISP, either to change the name returned in their records, or to delegate the request to you. Only if it's delegated to you, do you need to worry about answering the query using dnsmasq. I doubt your ISP would even consider delegating for less than a small block of routeable IPs (and probably not even then).
>
> Again, take this with a pinch of salt, since I'm no DNS expert. I'm sure others will correct me if I'm off-base.
>
> On a completely different tangent, you don't happen to have SPF records defined for your domain, do you? That's a possible alternate cause of the behavior you described.
>
> Paul
>
> Jason Wallace wrote:
>> Friends,
>>
>> I am currently running dnsmasq for a small lan as a dhcp and dns server. I recently switched upstream providers and my new provider seems unable to do the reverse lookups for me. So, much of the email from my domain is getting bounced because the reverse lookup doesn't succeed. I would like to set up dnsmasq to answer reverse lookup requests, but I don't quite know how to begin. Here's some info regarding my network:
>>
>> 1. The network is "NAT"ted, by the machine that runs dnsmasq.
>> 2. Inside my lan, my domain, .com, resolves to a local machine (email server), 10.1.1.2, for instance.
>> 3. Outside my lan, dnsmasq would have to answer that the global IP, 5.6.7.8, resolves to my domain name, .com.
>> 4. Right now, my network does not answer DNS requests from outside.
>> 5. My domain registrar is also doing the forward DNS on their name servers.
>> 6. My upstream provider (ISP) is not the domain registrar.
>>
>> All the details above are fabricated, of course.
>>
>> Question 1: Will this even work? How can I tell if my NAT machine is even receiving the reverse dns requests?
>>
>> Question 2: Assuming that my machine is interrogated for reverse DNS, how do I implement it in dnsmasq in a live environment minimizing downtime. Especially regarding that the domain name resolves one way to my lan and another way (in reverse) to the internet?
>>
>> Jason Wallace
Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
On Sat, Nov 15, 2008 at 3:59 PM, Paul Chambers wrote:
> Hmm... that's not how I understood it to work (not that I'm a DNS expert...)
>
> I thought reverse lookups worked their way down through the IP netblock
> assignments, and it would be up to the entity that 'owns' your IP address
> (i.e. your ISP) to resolve reverse lookups, or have some mechanism to
> delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some
> generated name like 12-34-56-78.static.ispname.com.

Well yes. But it's "controls" rather than owns, in that when there's a subassignment of a large block, that subassignment gets registered with ARIN and the end network designates a DNS server for reverse lookups.

The biggest issue is that CIDR blocks aren't supported in reverse lookups particularly well, DNS is broken out by the octets of the address, so if your block is smaller than a /24 you'll need to cooperate on reverse lookups with the other networks in the /24.

How big is the block in question? If it's a /24 or larger, does ARIN show that block subassigned to your organization? If yes, then make your DNS host the name server for the reverse block and set things up there. If no, have your ISP register the subassignment.

If you have a small block, use dig or nslookup to find out what is the DNS server for reverse lookups in that block, and contact that group to add PTR records for your addresses.
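The lookup procedure described in the message above, as an added example that is not part of the original thread: it derives the PTR owner name, walks up the octet-aligned `in-addr.arpa` zones to find who serves reverse DNS for an address, and applies the /24 decision. The address 192.0.2.10, the `isp.example` name servers and the `ns_lookup` callable (a stand-in for a live `dig NS` query) are constructed assumptions.

```python
import ipaddress

def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def candidate_zones(ip):
    """Octet-aligned reverse zones enclosing ip (/24, /16, /8), most specific first."""
    labels = ptr_name(ip).split(".")
    return [".".join(labels[i:]) for i in (1, 2, 3)]

def has_own_reverse_zone(block):
    """A /24 or larger block maps onto whole octets; anything smaller shares a /24 zone."""
    return ipaddress.IPv4Network(block, strict=False).prefixlen <= 24

def find_reverse_authority(ip, ns_lookup):
    """Walk up from the /24 zone until ns_lookup(zone) returns name servers."""
    for zone in candidate_zones(ip):
        servers = ns_lookup(zone)
        if servers:
            return zone, sorted(s.lower().rstrip(".") for s in servers)
    return None, []

def next_step(ip, block, ns_lookup, my_servers=()):
    """Decide between serving the PTR yourself and asking the zone operator."""
    zone, servers = find_reverse_authority(ip, ns_lookup)
    if zone is None:
        return "no reverse delegation found: ask the ISP to register one"
    mine = {s.lower().rstrip(".") for s in my_servers}
    if has_own_reverse_zone(block) and mine & set(servers):
        return f"{zone} is delegated to you: add {ptr_name(ip)} PTR on your own server"
    return f"ask the operator of {zone} ({', '.join(servers)}) to add {ptr_name(ip)} PTR"

def dig_commands(ip):
    """The same walk as commands to type by hand."""
    return [f"dig +short NS {z}" for z in candidate_zones(ip)] + [f"dig -x {ip}"]

# Constructed sample data: documentation address space, hypothetical name servers.
SAMPLE_NS = {"2.0.192.in-addr.arpa": ["NS1.ISP.EXAMPLE.", "ns2.isp.example."]}

if __name__ == "__main__":
    ip, block = "192.0.2.10", "192.0.2.8/30"
    print(next_step(ip, block, lambda z: SAMPLE_NS.get(z, [])))
    print("\n".join(dig_commands(ip)))
```

For a /30 like the one in this thread the result is always the "ask the operator" branch, because the block has no octet-aligned zone of its own.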
Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Hmm... that's not how I understood it to work (not that I'm a DNS expert...)

I thought reverse lookups worked their way down through the IP netblock assignments, and it would be up to the entity that 'owns' your IP address (i.e. your ISP) to resolve reverse lookups, or have some mechanism to delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some generated name like 12-34-56-78.static.ispname.com.

If your ISP isn't responding to reverse lookups for your IP address at all, I'm pretty sure their configuration is broken, and it's not something you'll be able to fix/work around.

Are you sure it's not resolving at all? Looking at the full mail headers of your post, the first IP address from the Received: lines does reverse-resolve (to 206-169-206-62.vtc.net.)

Now if you want your domain name to be returned instead of the ISP's, that will require the co-operation of your ISP, either to change the name returned in their records, or to delegate the request to you. Only if it's delegated to you, do you need to worry about answering the query using dnsmasq. I doubt your ISP would even consider delegating for less than a small block of routeable IPs (and probably not even then).

Again, take this with a pinch of salt, since I'm no DNS expert. I'm sure others will correct me if I'm off-base.

On a completely different tangent, you don't happen to have SPF records defined for your domain, do you? That's a possible alternate cause of the behavior you described.

Paul

Jason Wallace wrote:
> Friends,
>
> I am currently running dnsmasq for a small lan as a dhcp and dns server. I recently switched upstream providers and my new provider seems unable to do the reverse lookups for me. So, much of the email from my domain is getting bounced because the reverse lookup doesn't succeed. I would like to set up dnsmasq to answer reverse lookup requests, but I don't quite know how to begin. Here's some info regarding my network:
>
> 1. The network is "NAT"ted, by the machine that runs dnsmasq.
> 2. Inside my lan, my domain, .com, resolves to a local machine (email server), 10.1.1.2, for instance.
> 3. Outside my lan, dnsmasq would have to answer that the global IP, 5.6.7.8, resolves to my domain name, .com.
> 4. Right now, my network does not answer DNS requests from outside.
> 5. My domain registrar is also doing the forward DNS on their name servers.
> 6. My upstream provider (ISP) is not the domain registrar.
>
> All the details above are fabricated, of course.
>
> Question 1: Will this even work? How can I tell if my NAT machine is even receiving the reverse dns requests?
>
> Question 2: Assuming that my machine is interrogated for reverse DNS, how do I implement it in dnsmasq in a live environment minimizing downtime. Especially regarding that the domain name resolves one way to my lan and another way (in reverse) to the internet?
>
> Jason Wallace
RE: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
> 5. My domain registrar is also doing the forward DNS on their name servers.
> 6. My upstream provider (ISP) is not the domain registrar.

> Question 1: Will this even work? How can I tell if my NAT machine is even
> receiving the reverse dns requests?

> Question 2: Assuming that my machine is interrogated for reverse DNS, how do
> I implement it in dnsmasq in a live environment minimizing downtime. Especially
> regarding that the domain name resolves one way to my lan and another way
> (in reverse) to the internet?

I don't think your solution will work but it's not the right approach anyway. Your domain registrar should be providing both the forward and the reverse lookups. Your upstream provider and you shouldn't be involved in the public DNS side at all.

Regards,
Brad
[Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Friends,

I am currently running dnsmasq for a small lan as a dhcp and dns server. I recently switched upstream providers and my new provider seems unable to do the reverse lookups for me. So, much of the email from my domain is getting bounced because the reverse lookup doesn't succeed. I would like to set up dnsmasq to answer reverse lookup requests, but I don't quite know how to begin. Here's some info regarding my network:

1. The network is "NAT"ted, by the machine that runs dnsmasq.
2. Inside my lan, my domain, .com, resolves to a local machine (email server), 10.1.1.2, for instance.
3. Outside my lan, dnsmasq would have to answer that the global IP, 5.6.7.8, resolves to my domain name, .com.
4. Right now, my network does not answer DNS requests from outside.
5. My domain registrar is also doing the forward DNS on their name servers.
6. My upstream provider (ISP) is not the domain registrar.

All the details above are fabricated, of course.

Question 1: Will this even work? How can I tell if my NAT machine is even receiving the reverse dns requests?

Question 2: Assuming that my machine is interrogated for reverse DNS, how do I implement it in dnsmasq in a live environment minimizing downtime. Especially regarding that the domain name resolves one way to my lan and another way (in reverse) to the internet?

Jason Wallace