On 2008-05-07, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote:
> here is my trouble, if I use nslookup from a computer that is set to
> use my name server (ns.wiscdns.com)
> my output is as follows:
>
> Sam# nslookup 12.192.128.135
> Server:         12.192.128.131
> Address:        12.192.128.131#53
>
> 135.128.192.12.in-addr.arpa     name = pop3.DigitalDataWeb.Com.

If I query your server directly I get that too.

> however if I change my name server to a local ISP (that I do not use
> for service)
>
> my output is as follows
>
> Sam$ nslookup 12.192.128.135
> Server:         209.103.196.2
> Address:        209.103.196.2#53
>
> ** server can't find 135.128.192.12.in-addr.arpa: NXDOMAIN

Your ISP has not delegated or CNAMEd 135.128.192.12.in-addr.arpa to direct
people doing the lookups to contact your server. Using dig, compare a query
for 135.128.192.12.in-addr.arpa ANY with a query for 1.128.192.12.in-addr.arpa
ANY.

Since you are in a subnet that is not on an exact byte boundary (/8, /16, /24)
the normal way is to ask your ISP to configure CNAMEs; with your /25 you will
probably get CNAMEs like this:

  128.128/25.128.192.12.in-addr.arpa.
  129.128/25.128.192.12.in-addr.arpa.
  130.128/25.128.192.12.in-addr.arpa.
  131.128/25.128.192.12.in-addr.arpa.
  132.128/25.128.192.12.in-addr.arpa.
  ..you get the picture..

and you will then have to configure named to answer authoritatively for
128/25.128.192.12.in-addr.arpa, and set your PTR up in that zone instead,
like:

  135.128/25.128.192.12.in-addr.arpa.  PTR  pop3.DigitalDataWeb.com.

> I assume that if I want to host email for 10 different domains I have
> to have these set
>
> allow-recursion { any; };

This allows anybody to use your nameserver as a resolver (e.g. anyone can
ask you to look up domains for them). You shouldn't do this at all without
a very good reason (one example being if you're providing DNS to VPN clients
and filtering non-VPN traffic). Doing so without other controls leaves you
open to being an attack amplifier for anyone who can send a UDP packet with
an invalid source address, and also may open you up to DNS poisoning.

If you're currently using a setup that involves the same IP address for both
authoritative (domains you host) and recursive queries (client DNS requests),
you should get these split onto separate addresses.

> auth-nxdomain yes;

I haven't used bind for authoritative DNS for a while, but I don't think
this makes a difference for domains you're authoritative for. AIUI it just
forces "authoritative answer" to be set on any NXDOMAIN response, even if
you're not authoritative for that domain.

> I am open to any suggestions anyone has, because this is my first set
> of BSD based name servers

This isn't OS-specific; it's just that Windows DNS server tends to do a
bunch of things that it doesn't show you, so you don't get to see what's
happening.
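The classless reverse delegation described in the reply (RFC 2317 style: the ISP publishes one CNAME per address in its /24 zone, the customer publishes PTRs in a zone named after the sub-/24 prefix) is easy to get wrong by hand, so here is an added Python example that generates both sides and walks the resulting CNAME chain the way a resolver would. This is not code from the thread or from BIND. It assumes the customer's block is 12.192.128.128/25 (the reply only says "your /25"); 12.192.128.135 and pop3.DigitalDataWeb.Com are the values quoted from the nslookup output. The lookup at the end is a toy table walk, not a real DNS query.

```python
import ipaddress

# Assumed from the thread: the responder says "your /25", so the block is
# taken to be 12.192.128.128/25. The address and hostname are the ones
# quoted in the original nslookup output.
CUSTOMER_BLOCK = "12.192.128.128/25"
EXAMPLE_IP = "12.192.128.135"
EXAMPLE_HOST = "pop3.DigitalDataWeb.Com"


def rfc2317_zone(cidr):
    """Name of the classless reverse zone the customer must serve,
    e.g. 12.192.128.128/25 -> 128/25.128.192.12.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("classless reverse delegation is for prefixes between /25 and /31")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def isp_cnames(cidr):
    """Records the ISP adds to its ordinary /24 reverse zone: one CNAME per
    address in the block, each pointing into the customer's classless zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    zone = rfc2317_zone(cidr)
    records = []
    for addr in net:  # every address in the block, network and broadcast included
        last_octet = str(addr).rsplit(".", 1)[1]
        records.append((addr.reverse_pointer, "CNAME", f"{last_octet}.{zone}"))
    return records


def customer_ptr(ip, cidr, hostname):
    """The PTR the customer publishes in its classless zone for one address.
    Note it is a PTR, not a CNAME: the ISP's CNAME already did the redirect."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {cidr}")
    last_octet = str(addr).rsplit(".", 1)[1]
    return (f"{last_octet}.{rfc2317_zone(cidr)}", "PTR", hostname.rstrip("."))


def zone_lines(records):
    """Render (owner, type, target) tuples as zone-file lines with absolute names."""
    return [f"{owner}.\tIN\t{rtype}\t{target}." for owner, rtype, target in records]


def resolve_ptr(ip, records):
    """Toy resolver: start at the address's in-addr.arpa name and follow CNAMEs
    until a PTR is found. Returns the hostname, or "NXDOMAIN" when the chain
    runs into a name nobody publishes (what the ISP resolver saw in the thread)."""
    table = {owner: (rtype, target) for owner, rtype, target in records}
    name = ipaddress.ip_address(ip).reverse_pointer
    for _ in range(8):  # bound the chase so a misconfigured loop cannot spin forever
        rr = table.get(name)
        if rr is None:
            return "NXDOMAIN"
        rtype, target = rr
        if rtype == "PTR":
            return target
        name = target  # CNAME: keep following
    raise RuntimeError("CNAME chain too long")


if __name__ == "__main__":
    isp = isp_cnames(CUSTOMER_BLOCK)
    mine = customer_ptr(EXAMPLE_IP, CUSTOMER_BLOCK, EXAMPLE_HOST)
    print("ISP side (first five):")
    print("\n".join(zone_lines(isp)[:5]))
    print("Customer side:")
    print("\n".join(zone_lines([mine])))
    print("Before delegation:", resolve_ptr(EXAMPLE_IP, []))
    print("After delegation: ", resolve_ptr(EXAMPLE_IP, isp + [mine]))
```

Running it prints the ISP-side CNAMEs from the reply (128.128/25..., 129.128/25..., and so on), the customer's single PTR line, and shows the lookup going from NXDOMAIN to pop3.DigitalDataWeb.Com once both halves exist. With only the ISP's CNAMEs and no customer zone the chain still dead-ends, which is the state to check for with the dig comparison the reply suggests.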
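For the `allow-recursion { any; };` point, here is an added named.conf fragment, not from the thread or from any real deployment, showing the open-resolver setting beside a restricted one and a separate authoritative-only instance, which is the split onto separate addresses the reply recommends. The ACL ranges and the 192.0.2.1 listen address are placeholders. Each `options` block stands for a different named instance; a single named.conf takes only one.

```conf
// --- Weak: any host on the Internet can use this server as a resolver.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- Restricted recursive instance: only named client networks may recurse
// or read the cache; everyone else still gets answers for hosted zones.
acl "clients" { 127.0.0.1; 10.0.0.0/8; };   // placeholder ranges, adjust to your networks

options {
    recursion yes;
    allow-recursion { "clients"; };
    allow-query-cache { "clients"; };
    allow-query { any; };                   // authoritative data stays world-readable
};

// --- Authoritative-only instance on its own address, recursion off entirely.
options {
    listen-on { 192.0.2.1; };               // placeholder address for the authoritative service
    recursion no;
    allow-query { any; };
};
```

Hosting mail for more domains only adds zones to the authoritative instance; it never requires opening recursion to the world.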