[plug] dns reverse lookup

Adrian Woodley Adrian at Diskworld.com.au
Thu Sep 20 12:23:36 WST 2007


How sure are you that a reverse lookup is required, particularly for 
ssh? I haven't ever come across it.

Adrian
iiLurker

Peter Sutter wrote:
> On Thursday 20 September 2007 09:40, Craig Foster wrote:
>>> -----Original Message-----
>>> From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
>>> Behalf Of Adam Hewitt
>>> Sent: Thursday, 20 September 2007 9:29 AM
>>> To: plug at plug.org.au
>>> Subject: RE: [plug] dns reverse lookup
>>>
>>>> -----Original Message-----
>>>> From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
>>>> Behalf Of Peter Sutter
>>>> Sent: Thursday, 20 September 2007 9:17 AM
>>>> To: plug at plug.org.au
>>>> Subject: [plug] dns reverse lookup
>> <snip>
>>
>>>> I rely heavily on these programs to support my customers, but in its
>>>> wisdom, iinet decided not to provide reverse lookups for dynamic ip
>>>> addresses. This makes my systems unreachable for those iinet customers
>>>> that have a dynamic ip address.
>>>>
>>>> Thanks
>>>>
>>>> Peter
>>> I believe it is against IANA policy to not have reverse lookups on any
>>> IP's. As I used to work for iiNet as a Systems Engineer I am fairly sure
>>> that they do have reverse lookups for their IP's. It's possible that it
>>> is a new range that's been added and not put into their database and
>>> therefore not being automagically added to the Bind config.
>>>
>>> Try calling them and ask. Or maybe the iiLurkers could reply.
>>>
>>> Adam.
>> Correct. iiNet still have reverse DNS entries on dynamic IP, along the
>> lines of 203-59-14-16.dyn.iinet.net.au
>> Maybe the DNS server on the clients' systems is running slow... How quick
>> does host or nslookup work on these boxes?
>>
>> Craig F.
> 
> No, it has nothing to do with dns on clients. iinet has a new address range, a 
> B Class in 124.169.0.0 and started to dish out these addresses on Monday.  An 
> nslookup results in
> ** server can't find 106.45.169.124.in-addr.arpa: NXDOMAIN
> 
> I have spoken to iinet and they blankly refuse to add reverse dns to this 
> address range. If you want reverse dns, you need a static IP address which 
> will cost more money. iinet considers reverse dns lookups as a security risk, 
> a view which I disagree with. I think that reverse lookup is a legal way to 
> do some basic authentication, a hurdle which catches most spammers and 
> phishers. 
> 
> To be able to do a reverse lookup, you already have the client's IP address, 
> you know the important detail, namely that it exists, so what is the fuss 
> about?
> 
> _and_ http://tools.ietf.org/html/rfc1912
> 
> rfc 1912 states in section 2.1 Inconsistent, Missing, or Bad Data
> 
>   Make sure your PTR and A records match.  For every IP address, there
>   should be a matching PTR record in the in-addr.arpa domain.
> 
> Question: How is this to be interpreted? It says 'should', not 'must'.
> 
> but it also says there:
>    Failure to have matching PTR and A records can cause loss of Internet
>    services similar to not being registered in the DNS at all
> 
> The consequences of this policy are that half the services offered by the 
> internet will not be available for iinet users with dynamic IP addresses (if 
> they get an IP address in the new 124.169.0.0 range). And most of these 
> services are available under Linux only. Is this an intended bias?
> 
> Peter
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
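
Added example, not part of the original messages: the RFC 1912 "PTR and A records match" check quoted above, written as a forward-confirmed reverse DNS lookup in Python. The lookup tables are constructed sample data (203.59.14.16 is inferred from the hostname pattern in the thread, the 192.0.2.x entries are documentation addresses), and the lookup_ptr/lookup_a hooks are hypothetical names standing in for a real resolver.

```python
import ipaddress

# Constructed sample answers standing in for DNS (no network lookups are made).
PTR = {
    "16.14.59.203.in-addr.arpa": ["203-59-14-16.dyn.iinet.net.au"],
    # PTR that names a host whose A record points somewhere else
    "10.2.0.192.in-addr.arpa": ["mail.example.net"],
    # no entry for 106.45.169.124.in-addr.arpa: NXDOMAIN, as in the thread
}
A = {
    "203-59-14-16.dyn.iinet.net.au": ["203.59.14.16"],
    "mail.example.net": ["192.0.2.99"],
}


def ptr_name(ip):
    """Owner name that a reverse lookup for `ip` queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_fcrdns(ip, lookup_ptr=PTR.get, lookup_a=A.get):
    """Classify a client address as 'match', 'mismatch' or 'no-ptr'.

    lookup_ptr / lookup_a are hypothetical resolver hooks: each takes a
    name and returns a list of answers, or None for NXDOMAIN.
    """
    addr = ipaddress.ip_address(ip)
    names = lookup_ptr(ptr_name(ip)) or []
    if not names:
        return "no-ptr", None
    for name in names:
        name = name.rstrip(".").lower()
        # The PTR alone is whatever the reverse-zone owner published;
        # it only counts once the name resolves back to the same address.
        for answer in lookup_a(name) or []:
            if ipaddress.ip_address(answer) == addr:
                return "match", name
    return "mismatch", None


if __name__ == "__main__":
    for client in ("203.59.14.16", "124.169.45.106", "192.0.2.10"):
        print(client, ptr_name(client), check_fcrdns(client))
```

A service that requires reverse DNS rejects both the "no-ptr" and the "mismatch" results; the address from the new range falls into the first group.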



