Here's how I'm currently setting up my zones in BIND:

[user@host ~]$ cat /etc/bind/named.conf.local
zone "test.com" {
    type master;
    file "/etc/bind/zones/test.com.db";
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

[user@host ~]$ cat /etc/bind/zones/test.com.db
$TTL 86400
test.com.   IN SOA   ns1.test.com.  admin.example.com. (
    2006081401   ; serial
    28800        ; refresh
    3600         ; retry
    604800       ; expire
    38400 )      ; minimum (negative-caching TTL)

test.com.   IN NS ns1.test.com.
ns1         IN A  192.168.0.1   ; the NS target needs an address record (address assumed here)
www         IN A  192.168.0.2

[user@host ~]$ cat /etc/bind/zones/rev.0.168.192.in-addr.arpa
$TTL 86400
@  IN SOA   ns1.test.com. admin.example.com. (
    2006081401   ; serial
    28800        ; refresh
    604800       ; retry
    604800       ; expire
    86400 )      ; minimum

@  IN NS    ns1.test.com.
1  IN PTR   test.com.   ; trailing dot: without it the name is taken relative to the zone origin

I'm wondering though, do I need to create the reverse zone?

I SSH'd into my old VPS, which used WebHost Manager to configure BIND, and saw that no reverse zones were created. Are they required? Can I omit them?

4 Answers

A reverse zone is much like any other zone except that it happens to be cut from the in-addr.arpa space. If there's a delegation to your name servers, then yes, you likely do want to serve those entries or you'll have issues with things like mail blacklists and so forth.

It's fairly likely that your host is managing the reverse entries for the IP addresses you're allocated in which case they'll likely have created generic entries for you so that you won't need to host the entries yourself. You can check what the existing entries are (if any) by running:

dig -x 192.0.32.10

Substituting 192.0.32.10 for whatever is appropriate. It's good practice to have the reverse entry for an IP address match the primary forward entry for that IP, i.e. the A record www.example.com points to 192.0.32.10 and the PTR record 10.32.0.192.in-addr.arpa. points to www.example.com.

– andrewtj
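The forward/reverse match described in this answer is what mail filters and sshd check (forward-confirmed reverse DNS). The following is an added example, not code from the answer or the original post: it builds the in-addr.arpa or ip6.arpa owner name that `dig -x` queries, looks the PTR up in a constructed record table, and verifies that the PTR target has an address record pointing back at the same IP. All names and addresses are constructed sample data and nothing is queried over the network.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over constructed records.

Added example (not from the original post). It builds the owner name that
`dig -x` queries, looks up the PTR in a constructed table, and checks that the
PTR target resolves back to the same address. No network access is used.
"""
import ipaddress
from typing import Dict, Optional, Set, Tuple


def reverse_name(ip: str) -> str:
    """Return the PTR owner name for an address (what `dig -x` asks for):
    dotted octets reversed under in-addr.arpa for IPv4, hex nibbles reversed
    under ip6.arpa for IPv6. Always fully qualified (trailing dot)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, uncompressed
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed sample data (not real DNS): forward address records keyed by
# owner name, and reverse PTR records keyed by the reverse owner name.
FORWARD: Dict[str, Set[str]] = {
    "www.example.com.": {"192.0.32.10", "2001:db8::10"},
    "mail.example.com.": {"192.0.32.11"},
}
REVERSE: Dict[str, str] = {
    reverse_name("192.0.32.10"): "www.example.com.",   # matches the forward record
    reverse_name("192.0.32.11"): "smtp.example.com.",  # target has no address record
    reverse_name("192.0.32.12"): "www.example.com.",   # forward record points elsewhere
    reverse_name("2001:db8::10"): "www.example.com.",  # IPv6 works the same way
}


def check_fcrdns(ip: str,
                 forward: Dict[str, Set[str]] = FORWARD,
                 reverse: Dict[str, str] = REVERSE) -> Tuple[str, Optional[str]]:
    """Classify an address the way a mail filter or sshd does.

    Returns (status, ptr_target) where status is one of:
      "ok"           PTR exists and its target has an A/AAAA back to this IP
      "no-ptr"       no PTR record at all
      "dangling-ptr" PTR target has no address record
      "mismatch"     PTR target resolves, but to a different address
    """
    ip = str(ipaddress.ip_address(ip))  # canonical text form (IPv6 compression etc.)
    target = reverse.get(reverse_name(ip))
    if target is None:
        return "no-ptr", None
    addresses = {str(ipaddress.ip_address(a)) for a in forward.get(target, ())}
    if not addresses:
        return "dangling-ptr", target
    if ip not in addresses:
        return "mismatch", target
    return "ok", target


if __name__ == "__main__":
    for probe in ("192.0.32.10", "192.0.32.11", "192.0.32.12",
                  "192.0.32.13", "2001:db8::10"):
        status, target = check_fcrdns(probe)
        print(f"{probe:>14} -> {reverse_name(probe)} -> {target} [{status}]")
```

Only the "ok" case passes a strict FCrDNS check; the other three statuses are exactly the situations that produce the warnings and rejections the other answers mention, so the same function is a useful pre-flight check on your own zone data before a mail server or sshd on the far end performs it for you.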

You can safely omit them in almost all cases. However, many programs will attempt to query reverse DNS and will work better (usually as less error/warning messages) with it fully implemented.

– Chris S

  • Could you elaborate on "many programs will attempt to query reverse DNS and will work better (usually as less error/warning messages) with it fully implemented"? I was fully prepared to omit the reverse zones until I got to that sentence xD – Jul 27 '10 at 01:05
  • @Ted For example, checking for a reverse DNS on an email origin is one of the first anti-spam checks that's done. Not an issue if you're not running a mail server. – Mark Henderson Jul 27 '10 at 01:22
  • SSH throws "Possible Break-In Attempt" messages when there's no r-dns, e-mail as Farseeker said, X11 connections, some FTP servers; most stuff that handles security in the connection. It's fairly rare for r-dns to be required, and lots of people get by without them (mail is a bit of a special case, as many spam filters toss e-mail without a matching r-dns entry). – Chris S Jul 27 '10 at 04:07

Do I need to create reverse zone files for my domains?

Do you own or are you responsible for your IP address space? Do you have at least a /24 network of public addresses?

If you have public address space then you should probably set up a reverse zone. If you only have a few addresses from your ISP then you can ask your ISP to do an RFC 2317 delegation to you and then do your own reverse DNS. If your ISP doesn't want to do that, then you are probably stuck with making requests to them to update your reverse DNS records, which may be easier to deal with anyway if you only have a few addresses.

– Zoredache
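The RFC 2317 delegation this answer mentions works by having the ISP keep the /24 reverse zone and point each address in the customer's block, via a CNAME, into a sub-zone the customer serves. The following is an added example, not code from the answer or from BIND: given a block smaller than a /24, it produces the records the ISP adds to its parent zone (an NS delegation for the sub-block plus one CNAME per address) and the zone name and PTR records the customer then serves. The block, host names and name servers are constructed; 192.0.2.0/24 is documentation address space.

```python
"""RFC 2317 classless in-addr.arpa delegation, ISP side and customer side.

Added example (not from the original answer). Generates the parent-zone
records an ISP adds to delegate a sub-/24 block, and the zone the customer
serves for it. Block, names and name servers below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple


def _split(block: str) -> Tuple[ipaddress.IPv4Network, str, str]:
    """Validate the block and return (network, parent /24 zone, sub-zone label).

    RFC 2317 uses a label such as "64/29" for the delegated sub-block; the
    "/" is a legal label character and BIND accepts it in zone names.
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 covers IPv4 blocks smaller than a /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    return net, parent, f"{first}/{net.prefixlen}"


def isp_parent_records(block: str, nameservers: List[str]) -> List[str]:
    """Records the ISP adds to its parent /24 reverse zone: an NS delegation
    for the sub-block and a CNAME for every host address in it."""
    net, parent, sub = _split(block)
    lines = [f"{sub}.{parent} IN NS {ns}" for ns in nameservers]
    for host in net.hosts():  # hosts() skips the network and broadcast addresses
        last = str(host).rsplit(".", 1)[1]
        lines.append(f"{last}.{parent} IN CNAME {last}.{sub}.{parent}")
    return lines


def customer_zone(block: str, ptr_map: Dict[str, str]) -> Tuple[str, List[str]]:
    """Zone name and PTR records the customer serves for the delegated block.

    ptr_map maps an address in the block to the fully qualified name its
    PTR should return (use the name of the primary A record, so that the
    forward/reverse pair matches).
    """
    net, parent, sub = _split(block)
    zone = f"{sub}.{parent}"
    records: List[str] = []
    ordered = sorted(ptr_map.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for ip, name in ordered:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {block}")
        records.append(f"{str(addr).rsplit('.', 1)[1]} IN PTR {name}")
    return zone, records


if __name__ == "__main__":
    block = "192.0.2.64/29"                      # constructed customer block
    print("; ISP side: add to zone 2.0.192.in-addr.arpa")
    for line in isp_parent_records(block, ["ns1.test.com.", "ns2.test.com."]):
        print(line)
    zone, records = customer_zone(block, {"192.0.2.65": "www.test.com.",
                                          "192.0.2.66": "mail.test.com."})
    print(f"; customer side: serve zone {zone}")
    for line in records:
        print(line)
```

The customer side is an ordinary zone: its name goes into `named.conf.local` exactly like the `0.168.192.in-addr.arpa` zone in the question, only with the `64/29.` label in front, and a query for `dig -x 192.0.2.65` then follows the ISP's CNAME into it and returns the customer's PTR.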
Your example above shows reverse DNS for the 192.168.0.0 subnet. This is not a public IP address range, i.e. this must be for your local network. Unless you are doing some really bizarre stuff on your private network, you won't need this. OTOH, it's possibly good training, in case you ever need to set up reverse DNS for your public IP range (if you have such a thing). If your Internet connection is a simple, 1-address-only, ADSL connection, then you won't even have a choice, and in case you DO need reverse DNS on that (e.g. for a mail server), you will have to ask your ISP to do that for you.

– wolfgangsz