Reverse DNS on Windows 2000

achilleus

IS-IT--Management
Oct 3, 2001
351
US
Hi all...Thanks in advance for any help you can offer...

I am having issues getting reverse DNS to function on my Windows 2000 DNS server...I have the zones set up with both the A records and PTR records...Regular DNS lookups work great, but reverse DNS doesn't seem to work...I am also looking to make sure the firewall isn't blocking it, but I want to make sure there are no special steps in the setup of Windows 2000 DNS that I have missed...

Any ideas? AJ
SA
HS
 
I set up a forward zone called "company.com"...In that zone I put my A records...I also set up a reverse zone called x.x.x.x Subnet...Whenever I create an A type record in the forward zone, I create the associated PTR record in the reverse zone...

Any ideas?...Did I call the reverse zone the correct name?...I set them up as standard primary zones...

Thanks. AJ
SA
HS
 
Make sure the zones are listed as X.X.X.in-addr.arpa. Check the entries in these zones. You should see PTR records (typically with just a single number), NS records, and SOA records. If you have all that, what error are you getting when you try to do a reverse lookup? Are you using NSLOOKUP or DIG?
 
I get a request timed out when trying to resolve an IP...The names of the zones are x.x.x.x Subnet, but under properties they are listed as x.x.x.in-addr.arpa...They contain a SOA record and two NS records...

I am using NSLOOKUP...

I have been looking at the firewall (CheckPoint NG) and it is allowing DNS requests through on 53...So that doesn't seem to be the issue... AJ
SA
HS
 
Yep...It has the PTR records for all of the A records on the forward zone...

I have multiple reverse zones set up for different IPs...Could that be a problem; having more than one reverse lookup zone?... AJ
SA
HS
 
You should have a Reverse zone for every subnet that you're authoritative for. Do you use more than one subnet? If so, and along those lines, are you using classless subnetting to gain more addresses?
 
Ah...Well, as an example, our website is hosted elsewhere...So the IP for that is different...The is in my forward zone and I created another reverse zone for that IP range...But I only have one forward zone and about 3 reverse zones...

I am not using classless subnetting... AJ
SA
HS
 
That number of zones is OK. You can have one forward zone for your internal domain, and if that domain consists of machines on 10 different subnets, you'd need a reverse zone for each of those subnets. Now, you say you have 3 zones. So, if you're only using one subnet internally (I'm assuming here of course), let's say 192.168.0.0 thru 192.168.0.255 (class C), I think you should have at least 4 reverse zones. They should be:

0.in-addr.arpa
127.in-addr.arpa
255.in-addr.arpa
0.168.192.in-addr.arpa (substitute your actual internal net)
 
I really appreciate you taking the time to help me out here...Thanks brontosaurus...

I have a separate DNS server for internal use...And then I have 2 for external...They support one zone (company.com)...And I have the 3 reverse zones for the various IPs...I don't have the 0, 127, or 255.in-addr.arpa zones configured...Do I need those? AJ
SA
HS
 
Yes. You should have those on your internal server, and they should have NS and SOA entries pointing to that same nameserver. Now, what you say is interesting. What DNS server are your clients pointing to for resolution? They should all be pointing to your internal server (and that server should be pointing to itself). Then, that internal server should forward un-resolvable requests to the external servers. Is that how you've got it?
 
The internal DNS servers have the NS and SOA entries pointing to the same nameserver. Clients on the network use the internal DNS server for resolution. The internal server then uses our provider's DNS servers as forwarders. AJ
SA
HS
 
I'm going to ask a couple of dumb questions. Did you only create Reverse zones for your internal IP's, or did you include zones for IP's outside your firewall? When you run NSLOOKUP, what server does it default to?
 
I created reverse zones for all of the IPs (internal, external and the other IPs that our DNS server answers for)...Internally my nslookup defaults to the internal DNS server... AJ
SA
HS
 
Were you delegated authority for those external IP zones? Maybe you can give me your external domain name so I can look at your records?
 
I don't believe I was delegated authority for them...One is our website, which is hosted elsewhere...Maybe I just don't need the reverse zones for those...

Our domain name is handysoft.com...

Thanks again! AJ
SA
HS
 
Well, the little bit of info I could dig up tells me this:
1) Your 70.247.216.in-addr.arpa appears to be owned by Interland.Net, under the authority of nameserver a.ns.interland.net, so you don't need to have that reverse zone on your server. However, that server does not list your (IP address 169); you may want to ask them to add it.
2) As for handysoft.com (63.137.54.28), the reverse zone 137.63.in-addr.arpa is owned by Cable and Wireless (cw.net), but they don't appear to have delegated any authority for the 54 subnet, so there's no way for internet users to resolve your IPs. Now, on your nameserver Hobbit, it resolves fine, but that's only going to help you internally.
I don't know if this helps you at all...
 
That actually helps a lot...I just called my provider and they are looking into it...Sounds like they need to delegate authority for the 54 subnet to our DNS servers...

Can't believe I didn't think of that...Hopefully this will solve the issue...

Thanks again for taking the time to help! AJ
SA
HS
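
Added example, not part of the thread or any poster's code: a small Python model of the diagnosis reached above, where a reverse zone hosted on your own server only answers Internet queries if the parent in-addr.arpa zone delegates it to you. The zone names and IPs come from the thread; the nameserver hostnames and the hand-built delegation map are constructed placeholders standing in for what live NS queries would return.

```python
import ipaddress

def ptr_name(ip):
    """Owner name of the PTR record, e.g. 28.54.137.63.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def candidate_zones(ip):
    """Enclosing reverse zones on octet boundaries, least specific first."""
    octets = ptr_name(ip).split(".")[:4]          # ['28', '54', '137', '63']
    return [".".join(octets[i:] + ["in-addr", "arpa"]) for i in (3, 2, 1)]

def public_authority(ip, delegations):
    """Deepest enclosing zone that has NS records published above it."""
    found = (None, [])
    for zone in candidate_zones(ip):
        if delegations.get(zone):
            found = (zone, delegations[zone])
    return found

def diagnose(ip, delegations, local_zones, local_server):
    """Classify why a PTR lookup works internally but not from outside."""
    hosted = [z for z in candidate_zones(ip) if z in local_zones]
    if not hosted:
        return "not-hosted"          # someone else's zone; nothing to fix locally
    zone, servers = public_authority(ip, delegations)
    names = {s.lower().rstrip(".") for s in servers}
    if zone == hosted[-1] and local_server.lower().rstrip(".") in names:
        return "delegated"           # Internet resolvers are referred to our server
    return "internal-only"           # zone exists locally but the parent never points here

# Constructed sample data: zone names are from the thread, NS names are placeholders.
DELEGATIONS = {
    "63.in-addr.arpa": ["ns.registry.example."],
    "137.63.in-addr.arpa": ["ns.provider.example."],
}
LOCAL_ZONES = {"54.137.63.in-addr.arpa"}
LOCAL_SERVER = "hobbit.company.example"

if __name__ == "__main__":
    ip = "63.137.54.28"
    print(ptr_name(ip), public_authority(ip, DELEGATIONS))
    print("before delegation:", diagnose(ip, DELEGATIONS, LOCAL_ZONES, LOCAL_SERVER))
    fixed = dict(DELEGATIONS, **{"54.137.63.in-addr.arpa": ["hobbit.company.example."]})
    print("after delegation: ", diagnose(ip, fixed, LOCAL_ZONES, LOCAL_SERVER))
```
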
 