named reverse lookup problems

Hi,

I've been scratching my head for a while now and searching high and low for an answer as to why my DNS won't reverse lookup any external addresses. All my internal addresses work fine; my zones are properly configured with DHCP updates etc. etc.

Strangely,
Code:
#host www.freebsd.org
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

www.freebsd.org is an alias for red.freebsd.org.
red.freebsd.org has address 69.147.83.34
red.freebsd.org has IPv6 address 2001:4f8:fff6::22
red.freebsd.org mail is handled by 0 .
Code:
#dig www.freebsd.org
; <<>> DiG 9.8.1-P1 <<>> www.freebsd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35674
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 5

;; QUESTION SECTION:
;www.freebsd.com.               IN      A

;; ANSWER SECTION:
www.freebsd.com.        86400   IN      CNAME   www.freebsd.org.
www.freebsd.org.        470     IN      CNAME   red.freebsd.org.
red.freebsd.org.        3470    IN      A       69.147.83.34

;; AUTHORITY SECTION:
freebsd.org.            3468    IN      NS      ns2.isc-sns.com.
freebsd.org.            3468    IN      NS      ns3.isc-sns.info.
freebsd.org.            3468    IN      NS      ns1.isc-sns.net.

;; ADDITIONAL SECTION:
ns1.isc-sns.net.        3468    IN      A       72.52.71.1
ns1.isc-sns.net.        3468    IN      AAAA    2001:470:1a::1
ns2.isc-sns.com.        3468    IN      A       38.103.2.1
ns3.isc-sns.info.       3468    IN      A       63.243.194.1
ns3.isc-sns.info.       3468    IN      AAAA    2001:5a0:10::1

;; Query time: 132 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 11 17:24:14 2012
;; MSG SIZE  rcvd: 285

but

Code:
#host 69.147.83.34 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host 34.83.147.69.in-addr.arpa not found: 2(SERVFAIL)
Code:
; <<>> DiG 9.8.1-P1 <<>> 69.147.83.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38775
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;69.147.83.34.                  IN      A

;; AUTHORITY SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2012091101 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 11 17:25:06 2012
;; MSG SIZE  rcvd: 105

If I use host from my router (which relays to my ISP)
Code:
Using domain server:
Name: 192.168.XX.XX
Address: 192.168.XX.XX#53
Aliases:

34.83.147.69.in-addr.arpa domain name pointer red.freebsd.org.

I tried to trace packets but couldn't see any relevant traffic on a reverse lookup, while a forward one would generate all kinds of traffic.

Configuration check program doesn't report anything wrong.


Has anyone seen this problem?


Regards,

tcn
 
SirDice, mamalos,

Thanks for your time. Here is my named.conf. Entries in the log are:

Code:
Sep 12 20:18:17 myserv named[27105]: starting BIND 9.8.1-P1 -t /var/named -u bind
Sep 12 20:18:17 myserv named[27105]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn' '--without-libxml2'
Sep 12 20:18:18 myserv named[27105]: zone 'mynet.net' allows updates by IP address, which is insecure
Sep 12 20:18:18 myserv named[27105]: zone '28.168.192.in-addr.arpa' allows updates by IP address, which is insecure
Sep 12 20:18:18 myserv named[27105]: command channel listening on 127.0.0.1#953
Sep 12 20:18:18 myserv named[27105]: command channel listening on ::1#953
Sep 12 20:18:18 myserv named[27105]: the working directory is not writable
Sep 12 20:18:18 myserv named[27105]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Sep 12 20:18:18 epsilon named[27105]: running

I know about the insecure updates; I thought it would quiet down the denied updates from Windows clients, but it does not.....

Hope you can see something because I just can't. Tried all kinds of stuff and got the same result.


Regards,

tcn
 


I had exactly this same problem and spent a good hour getting to the bottom of it.

Your named.conf is from a relatively old release.
The in-addr.arpa zone is no longer available for axfr from 192.5.5.241.
If you look in named.conf from recent FreeBSD releases you'll find that slave zone is gone and if you run the following you'll find it doesn't work:

Code:
dig @192.5.5.241 axfr in-addr.arpa

However you'll see that you can still get the arpa. zone fine from this server.

Code:
dig @192.5.5.241 axfr arpa

If you remove the in-addr.arpa zone from your config and restart you'll probably find reverse starts working.

Note, I believe recursion is default, so you only need a recursion option in the config if you want to turn it off.
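To make the diagnosis above concrete, here is an added example (my own code, not from the thread, FreeBSD or BIND) that works offline on a constructed named.conf modelled on the stale config usdmatt describes: a slave copy of in-addr.arpa from 192.5.5.241 sitting next to the internal 28.168.192.in-addr.arpa zone from the log. It does three things: flags an in-addr.arpa slave zone, shows which local zone would claim a given reverse query before and after the zone is removed (an in-addr.arpa slave whose transfer never succeeds leaves named authoritative for the whole tree with no data, which is why external reverse lookups get SERVFAIL while the internal zone still answers), and builds the PTR owner name a reverse lookup really asks for, since the `dig 69.147.83.34` shown in the question queries an A record literally named `69.147.83.34.` rather than `34.83.147.69.in-addr.arpa`. The sample config, function names and the brace-depth zone parser are all my assumptions.

```python
"""Added example (not the thread's or FreeBSD's code): flag a legacy in-addr.arpa
slave zone in a named.conf, show which local zone would swallow a reverse query,
and build the PTR owner name a reverse lookup really asks for."""
import ipaddress
import re

# Constructed sample modelled on the stale config the thread describes: an older
# FreeBSD named.conf still carrying a slave copy of in-addr.arpa from 192.5.5.241
# next to the internal reverse zone 28.168.192.in-addr.arpa seen in the log.
SAMPLE_NAMED_CONF = """\
options {
        directory       "/etc/namedb/working";
        listen-on       { 127.0.0.1; };
};

zone "." { type hint; file "/etc/namedb/named.root"; };

zone "in-addr.arpa" {
        type slave;
        file "/etc/namedb/slave/in-addr.arpa.slave";
        masters { 192.5.5.241; };
};

zone "28.168.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/28.168.192.in-addr.arpa";
};
"""

ZONE_HEAD = re.compile(r'zone\s+"([^"]+)"[^{]*\{')


def parse_zones(conf):
    """Return (name, body, start, end) for each zone block. Brace depth is tracked
    so nested blocks such as masters { ... }; do not end the zone early."""
    zones, pos = [], 0
    while True:
        m = ZONE_HEAD.search(conf, pos)
        if not m:
            break
        body_start, depth, i = m.end(), 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        end = i + 1 if conf[i:i + 1] == ';' else i
        zones.append((m.group(1), conf[body_start:i - 1], m.start(), end))
        pos = end
    return zones


def stale_arpa_slaves(conf):
    """in-addr.arpa configured as a slave zone, with the masters it names. If the
    transfer never succeeds, named is authoritative for in-addr.arpa but holds no
    data, so every external reverse lookup gets SERVFAIL instead of recursion."""
    found = []
    for name, body, _, _ in parse_zones(conf):
        if name.lower() == 'in-addr.arpa' and re.search(r'type\s+slave\s*;', body, re.I):
            found.append((name, re.findall(r'\d+(?:\.\d+){3}', body)))
    return found


def serving_zone(qname, conf):
    """Longest configured zone (other than the root hint) covering qname. None
    means the name is not local and the resolver recurses from the root hints."""
    q, best = qname.rstrip('.').lower(), None
    for name, _, _, _ in parse_zones(conf):
        z = name.rstrip('.').lower()
        if z and (q == z or q.endswith('.' + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def remove_zones(conf, names):
    """Cut the named zone blocks out of conf; this is the fix the thread applied."""
    spans = [(s, e) for n, _, s, e in parse_zones(conf) if n.lower() in names]
    for s, e in sorted(spans, reverse=True):
        conf = conf[:s] + conf[e:]
    return conf


def ptr_name(addr):
    """Owner name a reverse lookup queries for a PTR record, for example
    34.83.147.69.in-addr.arpa. dig without -x instead asks for an A record
    literally named '69.147.83.34.', which can never yield a PTR answer."""
    return ipaddress.ip_address(addr).reverse_pointer


if __name__ == '__main__':
    q = ptr_name('69.147.83.34')
    print('reverse query name:', q)
    print('stale slave zones:', stale_arpa_slaves(SAMPLE_NAMED_CONF))
    print('served locally by:', serving_zone(q, SAMPLE_NAMED_CONF))
    fixed = remove_zones(SAMPLE_NAMED_CONF, {'in-addr.arpa'})
    print('after removal, served locally by:', serving_zone(q, fixed))
    print('internal reverse still local:', serving_zone(ptr_name('192.168.28.5'), fixed))
```

Run it against a real named.conf by reading the file into `stale_arpa_slaves`; a non-empty result paired with an external address that `serving_zone` maps to `in-addr.arpa` is exactly the shape of the problem in this thread, and the same check applied to the config after `remove_zones` should return nothing while the internal reverse zone stays local.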
 
usdmatt, SirDice,

The problem was effectively a polluted named.conf with a bad "in-addr.arpa" zone resolver. Removing it effectively reinstated the reverse lookup.

This obviously means that I've been lazy and didn't properly merge the named.conf file (and probably others) when upgrading to 9.0.


Thank you so much for your help!

Best regards,

tcn
 