[plug] dns reverse lookup
Peter Sutter
sutterp at sopac.com.au
Thu Sep 20 12:05:06 WST 2007
On Thursday 20 September 2007 09:40, Craig Foster wrote:
> > -----Original Message-----
> > From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
> > Behalf Of Adam Hewitt
> > Sent: Thursday, 20 September 2007 9:29 AM
> > To: plug at plug.org.au
> > Subject: RE: [plug] dns reverse lookup
> >
> > > -----Original Message-----
> > > From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
> > > Behalf Of Peter Sutter
> > > Sent: Thursday, 20 September 2007 9:17 AM
> > > To: plug at plug.org.au
> > > Subject: [plug] dns reverse lookup
>
> <snip>
>
> > > I rely heavily on these programs to support my customers, but in its
> > > wisdom, iinet decided not to provide reverse lookups for dynamic ip
> > > addresses. This makes my systems unreachable for those iinet customers
> > > that have a dynamic ip address.
> > >
> > > Thanks
> > >
> > > Peter
> >
> > I believe it is against IANA policy to not have reverse lookups on any
> > IPs. As I used to work for iiNet as a Systems Engineer I am fairly sure
> > that they do have reverse lookups for their IPs. It's possible that it is
> > a new range that's been added and not put into their database and
> > therefore not being automagically added to the Bind config.
> >
> > Try calling them and ask. Or maybe the iiLurkers could reply.
> >
> > Adam.
>
> Correct. iiNet still have reverse DNS entries on dynamic IP, along the
> lines of 203-59-14-16.dyn.iinet.net.au
> Maybe the DNS server on the clients' systems is running slow... How quick
> does host or nslookup work on these boxes?
>
> Craig F.

No, it has nothing to do with dns on clients. iinet has a new address range, a
B Class in 124.169.0.0 and started to dish out these addresses on Monday. An
nslookup results in

** server can't find 106.45.169.124.in-addr.arpa: NXDOMAIN

I have spoken to iinet and they blankly refuse to add reverse dns to this
address range. If you want reverse dns, you need a static IP address which
will cost more money. iinet considers reverse dns lookups as a security risk,
a view which I disagree with. I think that reverse lookup is a legal way to
do some basic authentication, a hurdle which catches most spammers and
phishers.

To be able to do a reverse lookup, you already have the client's IP address,
you know the important detail, namely that it exists, so what is the fuss
about?

_and_ http://tools.ietf.org/html/rfc1912

RFC 1912 states in section 2.1, "Inconsistent, Missing, or Bad Data":

    Make sure your PTR and A records match. For every IP address, there
    should be a matching PTR record in the in-addr.arpa domain.

Question: How is this to be interpreted? It says 'should', not 'must'.
But it also says there:

    Failure to have matching PTR and A records can cause loss of Internet
    services similar to not being registered in the DNS at all

The consequences of this policy are that half the services offered by the
internet will not be available for iinet users with dynamic IP addresses (if
they get an IP address in the new 124.169.0.0 range). And most of these
services are available under Linux only. Is this an intended bias?

Peter
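
The matching PTR and A record check that RFC 1912 section 2.1 describes, written out as an added example that is not part of the original post or of any poster's software. The PTR and A tables are constructed sample data: only the hostname pattern and the 124.169.x.x NXDOMAIN case come from the thread, and example.com plus the 192.0.2.x and 198.51.100.x addresses are placeholders.

```python
import ipaddress

# Constructed sample zone data (not real DNS answers). Swap ptr_lookup and
# a_lookup for real resolver calls to run the same logic against live DNS.
PTR = {
    "16.14.59.203.in-addr.arpa": ["203-59-14-16.dyn.iinet.net.au."],
    "10.2.0.192.in-addr.arpa": ["mail.example.com."],
}
A = {
    "203-59-14-16.dyn.iinet.net.au.": ["203.59.14.16"],
    "mail.example.com.": ["198.51.100.5"],
}


def fcrdns(ip, ptr_lookup=PTR.get, a_lookup=A.get):
    """Forward-confirmed reverse DNS check.

    Returns (verdict, detail) where verdict is "no-ptr", "mismatch" or
    "match". A PTR name is only accepted when one of its A records points
    back at the connecting address, because the reverse zone is controlled
    by whoever holds the address block and can name any host it likes.
    """
    addr = ipaddress.ip_address(ip)
    qname = addr.reverse_pointer  # 124.169.45.106 -> 106.45.169.124.in-addr.arpa
    names = ptr_lookup(qname) or []
    if not names:
        # The NXDOMAIN case from the thread: no PTR record at all.
        return "no-ptr", qname
    for name in names:
        forward = a_lookup(name) or []
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return "match", name.rstrip(".")
    # A PTR exists but no forward record confirms it.
    return "mismatch", names[0].rstrip(".")


if __name__ == "__main__":
    for ip in ("203.59.14.16", "124.169.45.106", "192.0.2.10"):
        print(ip, *fcrdns(ip))
```

A service that refuses connections on "no-ptr" behaves as described in the post for the new range; "mismatch" is the separate case where a PTR exists but cannot be trusted.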