
Our DNS infrastructure is a bit fractured. We have multiple separate DNS servers for different parts of the company. However, we do still have some interchange issues. Right now a server from Somewhere Else needs to poll my stuff for some things and one of the things being polled is picky about reverse-DNS lookups. This leads to reverse-DNS zones and how they're resolved.

45.123.10.in-addr.arpa is not resolvable from my DNS servers, but is from other parts of the network that use different ones. This is because those other servers are authoritative for that zone. Due to policies they won't let me host a secondary zone of that one on my DNS servers so I'm stuck with finding another option for getting that reverse zone resolvable.

The options I'm considering:

  1. Host it myself, and put the reverse lookups I need into that zone and forget about the rest on that /24.
  2. Somehow indicate to my DNS servers where to find the authoritative zone.

I'd rather go with option 2 somehow; I'm just not sure how to go about it. Would a glue-style stub zone work (SOA and NS records pointing to the other servers, but no PTR or A records)? Would creating the parent domain (123.10.in-addr.arpa) and somehow delegating 45. to those other DNS servers work? I'm not sure.

Blue Warrior NFB
  • The zone in question is for an RFC1918 address, `10.123.45.x`. You aren't going to be able to get that to reverse-resolve reliably anywhere on the internet at all. – MadHatter Jul 02 '14 at 14:21
  • @MadHatter Yes, this is entirely internal. No problems. – Blue Warrior NFB Jul 02 '14 at 14:24
  • No: *problem*. There's **no way** to get RFC1918 addresses to resolve reliably for a distributed group of people unless you all agree to use the same DNS servers, or you have in some other way total control over the DNS infrastructure in question. Your question makes it pretty clear that you don't. – MadHatter Jul 02 '14 at 14:25
  • @MadHatter This is the problem with semi-autonomous units :P – Blue Warrior NFB Jul 02 '14 at 14:37
  • To my mind, it's more a problem with people assuming that you can have any meaningful reverse-resolution rules for RFC1918 addresses. But I'd go with Joe's suggestion below; you can see an example of getting BIND to forward a specified zone to specified servers in [my answer to an earlier question](http://serverfault.com/questions/534170/dealing-with-multiple-private-dns-servers/534172#534172). – MadHatter Jul 02 '14 at 14:52

1 Answer


For option 2 you can set up a Conditional Forwarder for the Reverse Lookup Zone.

joeqwerty
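As an added example (not part of the answer above, and not anyone's production config): the conditional forwarder joeqwerty suggests, written out as a BIND 9 forward zone, which is the same mechanism MadHatter's comment points to. The script derives the in-addr.arpa zone name from the prefix and emits the stanza. It goes a little beyond the question's /24 and accepts any /8, /16 or /24, since the reverse name is one octet per eight bits of prefix; a prefix that is not on an octet boundary is rejected because it would need an RFC 2317-style arrangement instead. 10.123.45.0/24 is the prefix from the question; the forwarder addresses 10.123.45.1 and 10.123.45.2 are placeholders for the other unit's authoritative servers.

```shell
#!/bin/sh
# Added example: build a BIND 9 forward-zone stanza for the reverse zone of an
# IPv4 prefix. Prefix and forwarder addresses below are hypothetical.

# reverse_zone 10.123.45.0/24  ->  45.123.10.in-addr.arpa
# Only /8, /16 and /24 map onto a single in-addr.arpa zone; anything else is
# refused rather than silently producing a zone name that nobody is
# authoritative for.
reverse_zone() {
    cidr=$1
    case $cidr in
        */8)  n=1 ;;
        */16) n=2 ;;
        */24) n=3 ;;
        *) echo "reverse_zone: $cidr is not on an octet boundary (see RFC 2317)" >&2
           return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- ${cidr%/*}      # unquoted on purpose: split the dotted quad into $1..$4
    IFS=$oldifs
    case $n in
        1) printf '%s.in-addr.arpa\n' "$1" ;;
        2) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        3) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
    esac
}

# forward_zone_stanza ZONE SERVER...   -> named.conf zone {} block on stdout
# "forward only" means this server never falls back to its own recursion for
# the zone: every answer for it comes from the listed servers, so list only the
# addresses that really are authoritative for it.
forward_zone_stanza() {
    zone=$1
    shift
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {' "$zone"
    for s in "$@"; do
        printf ' %s;' "$s"
    done
    printf ' };\n};\n'
}

# reverse_forward_config PREFIX SERVER...  -> the stanza for PREFIX's reverse zone
reverse_forward_config() {
    cidr=$1
    shift
    zone=$(reverse_zone "$cidr") || return 1
    forward_zone_stanza "$zone" "$@"
}

# Post-change check (needs dig; not invoked here): the PTR your server hands out
# must match what the authoritative servers say, and must not be empty, which is
# what you get from BIND's built-in empty zone for 10.in-addr.arpa when a query
# falls outside anything you forward or host.
check_ptr() {
    ip=$1
    local_server=$2
    auth_server=$3
    mine=$(dig +short -x "$ip" "@$local_server")
    theirs=$(dig +short -x "$ip" "@$auth_server")
    [ -n "$mine" ] && [ "$mine" = "$theirs" ]
}

# Demo with the question's prefix and two placeholder forwarders.
reverse_forward_config 10.123.45.0/24 10.123.45.1 10.123.45.2
```

Drop the printed stanza into named.conf (or a file it includes) and reload. On a Windows DNS server the same thing is `Add-DnsServerConditionalForwarderZone -Name 45.123.10.in-addr.arpa -MasterServers 10.123.45.1,10.123.45.2`. Two things to verify afterwards: `dig -x 10.123.45.10 @yourserver` should return the same PTR as the query sent straight to the other unit's servers, not NXDOMAIN; and because a service that is picky about reverse DNS often also checks that the PTR's target name resolves back to the address (forward-confirmed reverse DNS), the forward name in that PTR has to be resolvable from the polling side too, not only the PTR itself. A forwarder is a trust decision: your resolver accepts whatever those servers say for that zone, so keep the list to the addresses that are actually authoritative.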