Obtaining Reverse DNS Records from Your Uplink?

aralin asks: "Recently I was trying to set up my own server at home. I've got a domain and set everything up, but I've come to one problem. When I want to give my server some reasonable name, I hit a DNS record mismatch. In other words, my DNS records do not match the reverse IP records set by my provider and thus some nodes refuse to communicate with different services on my machine. Now I've hit a wall when I tried to ask AT&T Cable to set reverse DNS records for my IP to something reasonable. And thus I would like to ask: What are your experiences with different broadband providers and obtaining reverse IP records for your own domain names?"
  • Hi,

    Forward and Reverse DNS are totally different ballgames. While your upstream provider SHOULD provide you with forward and reverse DNS they often do not. Think of it as the white pages; you get the book for free (DNS lookups) and they will list you for free (forward and reverse) -- it should be the same for the internet.

    One company, Speakeasy.net [speakeasy.net], is a DSL provider and they will provide a reverse PTR record for _ALL_ their static IP DSL customers. In my opinion this is good service.

    With forward DNS, you can get your DNS from anyone -- I run a service called EveryDNS and we'll do it for you for free. Feel free to give it a look at EveryDNS.Net [everydns.net]

    -davidu
  • Can this be done when your ISP does not have an A record (nor a PTR) pointing your way? I mean, my IP address does reverse resolve to nothing, so can I assign a CNAME record directly to an IP address (instead of the A as is being done currently)?

    Victor
  • Actually it's up to 10 statics :) (although most packages come with 4), and not only will they do reverse DNS, but for a monthly fee they'll host primary and secondary, or for a one-time fee, they'll host just secondary DNS for you.
  • Yes, that would work. But it would also prevent you from using mydomain.com in email addresses, as RFC 2821 requires all CNAMEs to be canonicalised in email headers before delivery.

    And if mydomain.com is a CNAME you can't add any other kind of records for it (eg MX, NS, RP, etc.)

    In short, this isn't what CNAME records are for, it's a very bad idea, and don't do it.

    Also, I fail to see why anything is breaking. So long as your ISP has matching A and PTR records that associate that IP with some hostname, it shouldn't matter what other A records you create referring to that IP, as tcpwrappers (and probably most other services) works like this:

    * Find the IP address that's just connected.
    * Look up the PTR record for that address in DNS.
    * For every name that's returned, look up the A records for that name.
    * If at least one of the IP addresses returned matches the one that's connecting now, allow the connection.

    (which isn't to say that convincing your ISP to delegate the PTR for your IP to you, or at the very least enter a custom record in their DNS, isn't nice... and it does look really cool on IRC... just that it shouldn't horribly break things if they don't)
  • I also use speakeasy. Have 5 ips, and run several servers - no problems. I have heard friends complain about various DSL woes, but everything has been very smooth with speakeasy. I just hope Covad doesn't die, though speakeasy has sent email assuring users that if they do, they have plans to migrate users.

  • The above should work in theory. In practice however, there are a *few* mail systems that will not accept mail from a machine that doesn't use a proper "HELO hostname" command that actually resolves. Not to mention the fact that most mail systems put the reverse name in the headers: "received from cx54499-b.dt1.sdca.home.com".

    --
    Adam Sherman
  • by rcw-work ( 30090 ) on Sunday June 10, 2001 @10:20AM (#163185)
    All DNS verification systems such as tcp wrappers and ssh will work as long as the reverse DNS hostname for your IP address resolves to the same IP.

    For example, take a random cable modem user (if you have the itch to portscan someone, PLEASE pick your own completely random ips), 24.5.2.24. This address reverses to cx54499-b.dt1.sdca.home.com, which in turn resolves to 24.5.2.24.

    That machine may host example.com and example.net... You'll still be able to ssh to example.com and example.net, send mail to them, or do whatever, even though 24.5.2.24 does not reverse to example.com or example.net.
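The four-step check in the tcpwrappers comment above, and rcw-work's 24.5.2.24 example, worked through as an added example (this is not code from the thread or from tcp_wrappers). The lookup tables are constructed to model the scenario; the two `live_*` functions are the optional hookup to the system resolver. Note that example.com and example.net pointing at the same address changes nothing, exactly as rcw-work says.

```python
"""Forward-confirmed reverse DNS (FCrDNS): the check tcp_wrappers-style
access control performs, written so the resolver can be swapped for live DNS."""
import socket
from typing import Callable, Dict, List, Tuple
Resolver = Callable[[str], List[str]]

# Constructed lookup tables standing in for DNS: the ISP's PTR for 24.5.2.24 names
# cx54499-b.dt1.sdca.home.com; the customer's own names have A records but no PTR.
PTR_TABLE: Dict[str, List[str]] = {
    "24.5.2.24": ["cx54499-b.dt1.sdca.home.com"],
    "24.5.2.25": ["stale.isp.example"],  # constructed: PTR whose A points elsewhere
}
A_TABLE: Dict[str, List[str]] = {
    "cx54499-b.dt1.sdca.home.com": ["24.5.2.24"],
    "example.com": ["24.5.2.24"],
    "example.net": ["24.5.2.24"],
    "stale.isp.example": ["198.51.100.7"],
}

def table_ptr(ip: str) -> List[str]:
    return PTR_TABLE.get(ip, [])
def table_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])

def live_ptr(ip: str) -> List[str]:
    """PTR lookup through the system resolver; [] when nothing resolves."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return []

def live_a(name: str) -> List[str]:
    """A lookup through the system resolver; [] when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns_check(ip: str, ptr: Resolver = table_ptr,
                 a: Resolver = table_a) -> Tuple[bool, str]:
    """The four steps from the thread: PTR, then A for each name, then match."""
    names = ptr(ip)              # step 2: PTR records for the connecting address
    if not names:
        return False, "no PTR record"
    for name in names:           # step 3: A records for every returned name
        if ip in a(name):        # step 4: at least one must equal the peer
            return True, name
    return False, "no PTR name resolves back to " + ip
```

Call `fcrdns_check(ip, live_ptr, live_a)` to run the same logic against real DNS.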

  • by dubl-u ( 51156 ) on Sunday June 10, 2001 @07:23AM (#163186)
    Given that you a) have one IP address and b) are dealing with a globe-spanning conglomerate with a history of monopoly, I'd say your odds of getting PTRs are about zero.

    But for those with more flexible providers and a larger block of IP addresses, there's a nice trick that covers this:

    RFC 2317 [faqs.org] (aka BCP 20)

    This allows the delegation of DNS PTR management even when the block doesn't start or end on octet boundaries.
  • by jguthrie ( 57467 ) on Monday June 11, 2001 @04:49AM (#163187)
    I've actually set up reverse-DNS for my downstream customers such that they can configure it themselves. The primary issue is that the IPv4 reverse-DNS system is oriented around naming classful addresses. The minimum you can delegate is 256 addresses and nobody (well, almost nobody) gives out 256 addresses any more. So, you've got to use this crufty (but standard! It's in the RFCs) hack to delegate parts of each address block.

    A second problem is that DNS servers can be a major hassle and a misconfigured DNS server can cause things to stop working. An admin tends to not be real comfortable delegating domains to the typical customer because the typical customer hasn't proven he knows what he's doing. We often run both the forward and reverse DNS for our fixed-IP customers for this very reason.

    On the other hand, as someone else pointed out, it should be enough for tcpd if there's a forward DNS entry that matches each reverse-DNS entry no matter what other DNS entries also map to that address. If each address has a default name and each address maps to that default name, then everything should work even if other names map to any given address. I consider that sort of thing to be basic to good network design.
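The "crufty but standard" hack from this comment and the RFC 2317 (BCP 20) pointer above, as an added example that is not code from the thread: an ISP holding 24.5.2.0/24 delegates the /29 at 24.5.2.24 to a customer. The block, the nameserver name and the customer's hostnames are constructed; the record generator and the CNAME-following lookup are the technique itself.

```python
"""RFC 2317 (BCP 20) classless in-addr.arpa delegation, generated and resolved."""
import ipaddress
from typing import Dict, List, Tuple
Record = Tuple[str, str, str]  # (owner name, record type, rdata)

def reverse_owner(ip: str) -> str:
    """24.5.2.26 -> '26.2.5.24.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer

def subzone_name(block: str) -> str:
    """Delegated sub-zone name, e.g. '24/29.2.5.24.in-addr.arpa' (RFC 2317 uses
    '/'; some operators substitute '-' because a few tools dislike '/')."""
    net = ipaddress.ip_network(block)
    parent = reverse_owner(str(net.network_address)).split(".", 1)[1]
    return f"{net.network_address.packed[3]}/{net.prefixlen}.{parent}"

def parent_records(block: str, customer_ns: List[str]) -> List[Record]:
    """What the ISP adds to its /24 reverse zone: NS records delegating the
    sub-zone, plus one CNAME per address pointing into that sub-zone."""
    net = ipaddress.ip_network(block)
    sub = subzone_name(block)
    recs: List[Record] = [(sub, "NS", ns) for ns in customer_ns]
    for host in net:  # iterating a network yields every address in the block
        recs.append((reverse_owner(str(host)), "CNAME", f"{host.packed[3]}.{sub}"))
    return recs

def customer_records(block: str, names: Dict[str, str]) -> List[Record]:
    """PTR records the customer publishes in the delegated sub-zone."""
    sub = subzone_name(block)
    return [(f"{ipaddress.ip_address(ip).packed[3]}.{sub}", "PTR", name)
            for ip, name in names.items()]

def resolve_ptr(ip: str, records: List[Record], max_hops: int = 8) -> str:
    """Find the PTR for ip, following CNAMEs the way a resolver would."""
    owner = reverse_owner(ip)
    for _ in range(max_hops):
        matches = {rtype: rdata for o, rtype, rdata in records if o == owner}
        if "PTR" in matches:
            return matches["PTR"]
        if "CNAME" not in matches:
            raise LookupError(f"no PTR for {ip}")
        owner = matches["CNAME"]
    raise LookupError("CNAME chain too long")

# Constructed scenario: ISP zone plus the customer's sub-zone, merged for lookup.
BLOCK = "24.5.2.24/29"
ZONE = parent_records(BLOCK, ["ns1.customer.example."]) + customer_records(
    BLOCK, {"24.5.2.26": "mail.customer.example."})
```

Printing `ZONE` shows the nine parent-side records and the one customer PTR; `resolve_ptr("24.5.2.26", ZONE)` walks the CNAME into the sub-zone and returns mail.customer.example.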

  • by bconway ( 63464 ) on Sunday June 10, 2001 @09:01AM (#163188) Homepage
    I've repeatedly advocated SpeakEasy.net [speakeasy.net] as a DSL company that is on top of things and caters to those who know what they want out of a DSL service. They offer up to 4 static IPs on a residential connection, block no ports, encourage running servers, and have a request to set reverse DNS lookups on their tech support email page. I think that about says it all. =)
  • ChoiceOne [choiceonecom.com] did this for me. They're a telco/DSL provider in the Northeast and Midwest, and so far they've been pretty good to work with, and cheaper than the competition.
  • My only real suggestion if you really want reverse DNS is to go with a small ISP where you know a couple of the admins. I used to be with a company called inficad; I paid a $20 one-time fee for the static IP (I was on dialup) and a friend of mine there did my forward and reverse DNS for me. It was really quite nice. Other than that you'll probably have to pay for the reverse, though I've heard if you get Cox@Work they give you full control over your IP and you can set up your own forward and reverse. That's another thing a small ISP, where you know people, can do for you.
  • No. By definition, a CNAME points to another hostname. Much like, by definition, a chocolate bar is primarily made of chocolate.
  • Even when I was with a small 56k ISP, with a small customer base where they knew me by my first name, they wouldn't do it. Recently I changed to cable, and they wouldn't do it. To be quite honest, even if your AUP allows you to run 'servers' on your end, they aren't going to put themselves out by changing their settings for you, costing them time (and probably money, since there will be more bandwidth coming your way). But on the other hand, if you are paying for a business account (e.g. you pay per meg, have a static IP, etc.) it shouldn't be too hard.
  • At the prices they charge, I sure damn hope they permit servers. Up here in Canada we may very well have shitty support, but we do have great speed for half the price. I get a steady 2.8 mbit down (but only 128kbit up - ick), for what equates to about 22 American dollars. Compared to that, Speakeasy seems nice but pricey compared to our commercial offerings up here.
  • by dkemist ( 199970 ) on Sunday June 10, 2001 @04:49AM (#163194)
    Are you just defining DNS A records for the IP address your ISP has given you? If that's the case, then the forward and reverse lookups wouldn't match. What you probably want to do is define a CNAME record for the domain name you want to the domain name they give you, i.e.
    ISP DNS has:
    ISPassignedHostname.isp.net. IN A 64.28.150.67
    and
    67.150.28.64.in-addr.arpa. IN PTR ISPassignedHostname.isp.net.

    You then add to your DNS:
    mydomain.com. IN CNAME ISPassignedHostname.isp.net.

    When people try to hit your domain, the lookup will show the canonical name as the one assigned by the ISP. That's the one that reverse lookup checks will do. The CNAME is just letting you assign a handy alias to it.
  • When I want to give my server some reasonable name, I hit a DNS record mismatch. In other words, my DNS records do not match the reverse IP records set by my provider and thus some nodes refuse to communicate with different services on my machine.

    The only thing that matters (and only occasionally) is that it has a reverse DNS entry that matches some forward DNS entry. It doesn't have to match whatever additional name(s) you gave it. And to the best of my knowledge, AT&T cable customers are assigned IP numbers with matching forward and reverse DNS.

    I'm thinking that you're just sad to learn that your machine doesn't show up in logs and wtmp with the name you want. As for that - which is unimportant at best - you're out of luck unless you go with a less mass-market provider. Others have suggested Speakeasy, and I'd agree.

  • I'm not surprised to see your telco misbehaving. I have no experience dealing with them, other than as an unsatisfied end-user, but then again their behavior reminds me of ICANN: customers are expected to take whatever bullshit the telco shoves at them, the same way ICANN board members are expected to be nothing more than rubber stamps for what influential industry members want. Doesn't the Internet start to suck, as far as end-user experience is concerned? How about a nice commune, somewhere miles away from the nearest telco and cop?

  • You mentioned AT&T is your ISP; if it's ATT@home, this will help :)

    @home uses DHCP, and the IP can and will change about once a week. However! Your hostmask will NOT change, it will remain static, and it will always point to your current IP. For example, rcw-work mentioned his hostmask was cx54499-b.dt1.sdca.home.com. No matter what his IP address changes to, the hostmask will not change, but will resolve to the right IP address :-)

    Hope this helps!
    -Henry
