Re: HOW to prevent DNS resolver from going into revert lookup (record of PTR type)?

2015-03-23 Thread Amos Shapira
OK, I think I understand you now.

Let's take a step back for a moment - you say that the client fails to
resolve IP address back to hostnames and that causes you problems?

How about configuring your DNS server to provide the right PTR records?

--Amos

On 23 March 2015 at 19:13, Lev Olshvang l...@nyotron.com wrote:

  Hi Amos,

 Perhaps I was not clear enough.

 Yes, I want to prevent client from revert lookup.

 The client is not my application, it is part of Linux installation in some
 docs named DNS resolver.

 It is configured in /etc/nsswitch.conf and then control flow of
 gethostbyname() does IP lookup and reverse lookup

 But back to my question – I see in sniffer DNS query for type A record
 issued and then DNS query for PTR record (reverse lookup)

 And I want to know if there is a way to configure nsswitch to prevent
 reverse since I already get IP with the peer.

 Hope now I explained the question more thoroughly.

 L.



 *From:* Amos Shapira [mailto:amos.shap...@gmail.com]
 *Sent:* Sunday, March 22, 2015 10:08 PM
 *To:* Lev Olshvang
 *Cc:* linux-il
 *Subject:* Re: HOW to prevent DNS resolver from going into revert lookup
 (record of PTR type)?



 I'm not sure what you are trying to achieve here - PTR records and A
 records are completely separate entities living under different domains.
 Both of them should be maintained separately (there are probably tons of
 tools to keep them in sync if you like, but from DNS' perspective there is
 no relation between them).



 If you want to prevent reverse lookup then you should tell the client
 not to do this.



 On 22 March 2015 at 22:31, Lev Olshvang l...@nyotron.com wrote:

  Hi Linuxers,

 I am jumping on today’s DNS thread,

 My Linux Debian uses the DNS service of some Windows server.

 Linux resolver gets back IP address (type A and AAA records), but fails
 to get back PTR record.

 (I am observing DNS queries and failures with Wireshark)

 This causes ldap to use address instead of host name in authentication
 realm and fail.

 When I add address–hostname pairs in /etc/hosts, ldap succeeds. (it uses
 name in the realm claim)

 I did not yet find a way to change nsswitch.conf to some resolver that
 prevents reverse lookup,

 Please give me some ideas if it is possible.

 Lev.


 ___
 Linux-il mailing list
 Linux-il@cs.huji.ac.il
 http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il









-- 
http://au.linkedin.com/in/gliderflyer


RE: HOW to prevent DNS resolver from going into revert lookup (record of PTR type)?

2015-03-23 Thread Lev Olshvang
Hi Amos,

Perhaps I was not clear enough.
Yes, I want to prevent client from revert lookup.
The client is not my application, it is part of Linux installation in some docs
named DNS resolver.
It is configured in /etc/nsswitch.conf and then control flow of gethostbyname()
does IP lookup and reverse lookup

But back to my question – I see in sniffer DNS query for type A record issued
and then DNS query for PTR record (reverse lookup)
And I want to know if there is a way to configure nsswitch to prevent reverse
since I already get IP with the peer.

Hope now I explained the question more thoroughly.

L.



Re: HOW to prevent DNS resolver from going into revert lookup (record of PTR type)?

2015-03-23 Thread Amos Shapira
On 24 March 2015 at 01:57, Lev Olshvang l...@nyotron.com wrote:

  Hi Amos,



 I managed to persuade our sysadmin to give me permission in AD DNS server
 and I put there PTR record.


It should be part of his job - otherwise the PTR records will keep getting
out of sync with the A/ records.




 The question is whether it is possible to configure nsswitch, or dnsmasq,
 nscd or other resolver from doing reverse lookup.


Not that I'm aware - what do you expect it to do when the client asks to
resolve an IP address? Always fail?




 *From:* Amos Shapira [mailto:amos.shap...@gmail.com]
 *Sent:* Monday, March 23, 2015 12:50 PM
 *To:* Lev Olshvang
 *Cc:* linux-il
 *Subject:* Re: HOW to prevent DNS resolver from going into revert lookup
 (record of PTR type)?



 OK, I think I understand you now.



 Let's take a step back for a moment - you say that the client fails to
 resolve IP address back to hostnames and that causes you problems?



 How about configuring your DNS server to provide the right PTR records?



 --Amos



-- 
http://au.linkedin.com/in/gliderflyer
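
The thread's point that A and PTR records live in separate zones and drift out of sync can be checked mechanically. The following is an added example, not code from any poster in this thread; the host names, addresses and record sets are constructed sample data standing in for an export from the DNS server.

```python
import ipaddress

# Constructed sample zone data (not from the thread): forward A/AAAA records
# and reverse PTR records, as they might be exported from a DNS server.
FORWARD = {
    "ldap1.example.test": ["192.0.2.10"],
    "app1.example.test": ["192.0.2.20", "2001:db8::20"],
    "old.example.test": ["192.0.2.30"],
}
REVERSE = {
    "10.2.0.192.in-addr.arpa": "ldap1.example.test",
    "30.2.0.192.in-addr.arpa": "renamed.example.test",
    # deliberately no PTR for 192.0.2.20 or 2001:db8::20
}


def ptr_name(ip):
    """Owner name of the PTR record for ip (under in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def norm(name):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.rstrip(".").lower()


def audit(forward, reverse):
    """Return (host, ip, status, ptr_target) for every forward record."""
    rev = {norm(k): norm(v) for k, v in reverse.items()}
    findings = []
    for host, addrs in sorted(forward.items()):
        for ip in addrs:
            target = rev.get(norm(ptr_name(ip)))
            if target is None:
                status = "missing-ptr"   # reverse lookup would fail
            elif target != norm(host):
                status = "mismatch"      # reverse lookup returns another name
            else:
                status = "ok"
            findings.append((host, ip, status, target))
    return findings


if __name__ == "__main__":
    for host, ip, status, target in audit(FORWARD, REVERSE):
        print(f"{status:12} {host:20} {ip:15} PTR -> {target}")
```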