Reverse DNS for IPv4 & IPv6 - Webinar Course
8/25/20, v1.1
Overview

• What is Reverse DNS?
• Reverse DNS in IPv4
• Reverse Delegation
• Reverse DNS in IPv6
DNS Overview

• DNS is a distributed, hierarchical system for translating objects
  o A critical piece of the Internet infrastructure

[Diagram: a host sends its query to a recursive DNS server, which walks the hierarchy (Root, then GTLD, then the authoritative DNS server for the name) and returns the answer.]
What is Reverse DNS?

• Reverse DNS (rDNS) maps IP addresses to domain names. Forward DNS maps a name to an address, much as a person (the host) maps to a postal address (the IPv4/IPv6 address); reverse DNS answers the opposite question.

Example host: server1.apnic.net, IPv4 192.168.1.100, IPv6 2001:DB8::1

FORWARD DNS:
  server1.apnic.net.   A     192.168.1.100
  server1.apnic.net.   AAAA  2001:DB8::1

REVERSE DNS:
  $ORIGIN 1.168.192.in-addr.arpa.
  100      PTR  server1.apnic.net.

  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
  1.0.0.0  PTR  server1.apnic.net.
Why use Reverse DNS?

• Reverse lookup
• Diagnostics
• Service denial
  o Some services only allow access from addresses that are fully reverse delegated
• Spam identification
  o A failed reverse lookup on the sending address adds to its spam penalty score
• Registration responsibilities
  o APNIC members must make sure that all their address space is properly reverse delegated

Note that a PTR record is published by whoever controls the address block, so on its own it proves nothing about the host's identity; access and anti-spam decisions should use forward-confirmed reverse DNS (resolve the PTR name back to its A/AAAA records and require the original address to be among the answers).
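A forward-confirmed reverse DNS (FCrDNS) check, the test a mail receiver or an access-control list should apply before trusting the name a PTR record claims. This is an added example, not code from the APNIC handout: the resolver data is a constructed in-memory stand-in so it runs offline, and the 10.0.0.0/8 entries, ghost.example.net and the accept/penalise verdict are assumptions made for illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against a constructed resolver.

Added example, not part of the APNIC handout. PTR_RECORDS / FORWARD_RECORDS are a
tiny in-memory stand-in for the DNS; the 10.0.0.0/8 entries are invented to show
the failure modes.
"""
import ipaddress


def reverse_name(ip_text):
    """Owner name of the PTR lookup: octets reversed under in-addr.arpa for
    IPv4, all 32 nibbles reversed under ip6.arpa for IPv6 (trailing dot kept)."""
    return ipaddress.ip_address(ip_text).reverse_pointer + "."


# Constructed PTR data, keyed by reverse name. The *address* holder controls
# these, so a PTR can claim any hostname it likes (see 10.0.0.7).
PTR_RECORDS = {
    reverse_name("192.168.1.100"): ["server1.apnic.net."],
    reverse_name("2001:db8::1"): ["server1.apnic.net."],
    reverse_name("10.0.0.7"): ["server1.apnic.net."],   # spoofed claim
    reverse_name("10.0.0.9"): ["ghost.example.net."],   # name with no forward record
}

# Constructed forward data: name -> A/AAAA answers. The *domain* holder controls
# these, which is what makes the confirmation step meaningful.
FORWARD_RECORDS = {
    "server1.apnic.net.": {"192.168.1.100", "2001:db8::1"},
}


def fcrdns(ip_text):
    """Return (status, name).

    confirmed  : a PTR name resolves forward to the original address
    mismatch   : PTR exists, the name has forward answers, none is the address
    no-forward : PTR exists but the name has no A/AAAA record at all
    no-ptr     : no PTR record for the address
    """
    ip = ipaddress.ip_address(ip_text)
    names = PTR_RECORDS.get(reverse_name(ip_text), [])
    if not names:
        return ("no-ptr", None)
    status = "no-forward"
    for name in names:
        answers = FORWARD_RECORDS.get(name)
        if answers is None:
            continue
        if ip in {ipaddress.ip_address(a) for a in answers}:
            return ("confirmed", name)
        status = "mismatch"
    return (status, names[0])


def smtp_verdict(ip_text):
    """Illustrative receiver policy: only a forward-confirmed name earns trust;
    every other outcome is penalised, as the handout's spam-score bullet describes."""
    status, _name = fcrdns(ip_text)
    return "accept" if status == "confirmed" else "penalise"


if __name__ == "__main__":
    for ip in ("192.168.1.100", "2001:DB8::1", "10.0.0.7", "10.0.0.9", "10.0.0.8"):
        print(ip, fcrdns(ip), smtp_verdict(ip))
```

The spoofed entry for 10.0.0.7 is the case the caveat above is about: its PTR names server1.apnic.net, but server1.apnic.net does not resolve back to 10.0.0.7, so the check reports a mismatch instead of granting the name.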
DNS Hierarchy Tree

Mapping numbers to names - 'reverse DNS'

[Diagram: the tree below the root (.) with the top-level domains net, org, com and arpa; example forward branches apnic (www, training with ws1 and ws2, whois) and iana (www); the arpa branch is where the number-to-name mapping lives.]
.arpa Zone

• Address and Routing Parameter Area
• RFC 3172
• https://www.iana.org/domains/arpa

Delegation of in-addr.arpa from the arpa zone:

  in-addr.arpa.  172800  IN  NS  a.in-addr-servers.arpa.
  in-addr.arpa.  172800  IN  NS  b.in-addr-servers.arpa.
  in-addr.arpa.  172800  IN  NS  c.in-addr-servers.arpa.
  in-addr.arpa.  172800  IN  NS  d.in-addr-servers.arpa.
  in-addr.arpa.  172800  IN  NS  e.in-addr-servers.arpa.
  in-addr.arpa.  172800  IN  NS  f.in-addr-servers.arpa.

[Diagram: Root . -> arpa -> in-addr, in-addr-servers, ip6, ip6-servers]
Reverse DNS in IPv4

FQDN: 22.64.202.in-addr.arpa.

[Diagram: Root . -> arpa (alongside net, org, com) -> in-addr -> 202 (alongside 203, 204, 210) -> 64 -> 22]

Follows the octet boundaries for each node.
Reverse DNS in IPv4

Create generic rDNS entries for the entire zone/block.

REVERSE DNS for 192.168.1.0/24

  1.1.168.192.in-addr.arpa.    PTR  node1.zone1.example.net.
  2.1.168.192.in-addr.arpa.    PTR  node2.zone1.example.net.
  3.1.168.192.in-addr.arpa.    PTR  node3.zone1.example.net.
  4.1.168.192.in-addr.arpa.    PTR  node4.zone1.example.net.
  5.1.168.192.in-addr.arpa.    PTR  node5.zone1.example.net.
  6.1.168.192.in-addr.arpa.    PTR  node6.zone1.example.net.
  7.1.168.192.in-addr.arpa.    PTR  node7.zone1.example.net.
  8.1.168.192.in-addr.arpa.    PTR  node8.zone1.example.net.
  9.1.168.192.in-addr.arpa.    PTR  node9.zone1.example.net.
  10.1.168.192.in-addr.arpa.   PTR  node10.zone1.example.net.
  ...
  254.1.168.192.in-addr.arpa.  PTR  node254.zone1.example.net.
  255.1.168.192.in-addr.arpa.  PTR  node255.zone1.example.net.
Reverse DNS in IPv4

$ORIGIN sets the origin that is appended to every relative owner name (one that does not end in a dot); @ stands for the origin itself.

REVERSE DNS for 192.168.1.0/24

  $ORIGIN 1.168.192.in-addr.arpa.
  1    PTR  node1.zone1.example.net.
  2    PTR  node2.zone1.example.net.
  3    PTR  node3.zone1.example.net.
  4    PTR  node4.zone1.example.net.
  5    PTR  node5.zone1.example.net.
  6    PTR  node6.zone1.example.net.
  7    PTR  node7.zone1.example.net.
  8    PTR  node8.zone1.example.net.
  9    PTR  node9.zone1.example.net.
  10   PTR  node10.zone1.example.net.
  ...
  254  PTR  node254.zone1.example.net.
  255  PTR  node255.zone1.example.net.
Reverse Delegation in IPv4

• Follows the Internet addressing structure
• Reverse delegation is based on octet boundaries
  o /8, /16 and /24 delegations
  o Blocks larger than a /24 but smaller than a /16 (for example a /22): register one reverse zone for each /24
  o Blocks smaller than a /24: use "classless in-addr.arpa delegation" (RFC 2317)
Reverse Delegation in IPv4 - Larger than /24

• For address prefixes larger than /24 but smaller than /16, create multiple zones, one for each /24.

REVERSE ZONE for 192.168.0.0/24

  $ORIGIN 0.168.192.in-addr.arpa.
  1  PTR  node1.zone1.example.net.
  2  PTR  node2.zone1.example.net.
  3  PTR  node3.zone1.example.net.
  4  PTR  node4.zone1.example.net.
  5  PTR  node5.zone1.example.net.

REVERSE ZONE for 192.168.1.0/24

  $ORIGIN 1.168.192.in-addr.arpa.
  1  PTR  node1.zone2.example.net.
  2  PTR  node2.zone2.example.net.
  3  PTR  node3.zone2.example.net.
  4  PTR  node4.zone2.example.net.
  5  PTR  node5.zone2.example.net.
Reverse Delegation in IPv4 - Classless

• Delegate each /25 to the customer's nameservers from the parent /24 zone. The per-host CNAMEs point into the customer's zone and keep the host octet in the target name (RFC 2317), so the customer's zone uses the same host labels.

REVERSE ZONE for 192.168.2.0/24

  $ORIGIN 2.168.192.in-addr.arpa.
  ; 192.168.2.0/25
  0/25    NS     ns1.customer1.net.
  0/25    NS     ns2.customer1.net.
  1       CNAME  1.0/25.2.168.192.in-addr.arpa.
  2       CNAME  2.0/25.2.168.192.in-addr.arpa.
  3       CNAME  3.0/25.2.168.192.in-addr.arpa.
  ...
  ; 192.168.2.128/25
  128/25  NS     ns1.customer2.net.
  128/25  NS     ns2.customer2.net.
  129     CNAME  129.128/25.2.168.192.in-addr.arpa.
  130     CNAME  130.128/25.2.168.192.in-addr.arpa.
  131     CNAME  131.128/25.2.168.192.in-addr.arpa.
  ...
Reverse Delegation in IPv4 - Classless (customer zones)

REVERSE ZONE FOR 192.168.2.0/25

  $ORIGIN 0/25.2.168.192.in-addr.arpa.
  1    PTR  host1.customer1.net.
  2    PTR  host2.customer1.net.
  3    PTR  host3.customer1.net.
  4    PTR  host4.customer1.net.
  5    PTR  host5.customer1.net.

REVERSE ZONE FOR 192.168.2.128/25

  $ORIGIN 128/25.2.168.192.in-addr.arpa.
  129  PTR  host1.customer2.net.
  130  PTR  host2.customer2.net.
  131  PTR  host3.customer2.net.
  132  PTR  host4.customer2.net.
  133  PTR  host5.customer2.net.
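RFC 2317 classless delegation as a generator for both the parent /24 zone and a customer's child zone, plus a throwaway resolver that follows the CNAME from the parent into the child zone; running that lookup is the quickest way to confirm the two zones agree on the host label. This is an added example, not code from the APNIC handout: the customer names and nameservers are the handout's, while the zone parser, the skipped block address and the function names are assumptions made here.

```python
"""RFC 2317 classless in-addr.arpa delegation: parent /24 zone, customer child
zone, and a resolver walk through the CNAME to the PTR.

Added example, not from the APNIC handout. parse_zone() is a throwaway parser
for the text this script generates, not a general zone-file parser.
"""
import ipaddress


def reverse_name(ip):
    """in-addr.arpa owner name of an IPv4 address (octets reversed)."""
    return ".".join(str(ip).split(".")[::-1]) + ".in-addr.arpa."


def slash24_origin(net_text):
    """$ORIGIN of the /24 that contains net_text, e.g. 2.168.192.in-addr.arpa."""
    parent = ipaddress.ip_network(net_text).supernet(new_prefix=24)
    return ".".join(str(parent.network_address).split(".")[2::-1]) + ".in-addr.arpa."


def child_label(sub_cidr):
    """RFC 2317 style zone label for a sub-/24 block: '<first host octet>/<prefix>'."""
    sub = ipaddress.ip_network(sub_cidr)
    if sub.prefixlen <= 24:
        raise ValueError("classless delegation is for blocks smaller than a /24")
    return f"{int(sub.network_address) & 0xFF}/{sub.prefixlen}"


def parent_zone(parent_cidr, delegations):
    """delegations: [(sub_cidr, [nameserver FQDNs])] -> parent zone text.
    Each CNAME target keeps the host octet (129 -> 129.128/25...), so it matches
    the owner names the customer writes in the child zone."""
    parent = ipaddress.ip_network(parent_cidr)
    if parent.prefixlen != 24:
        raise ValueError("parent must be a /24")
    origin = slash24_origin(parent_cidr)
    lines = [f"$ORIGIN {origin}"]
    for sub_cidr, nameservers in delegations:
        sub = ipaddress.ip_network(sub_cidr)
        if not sub.subnet_of(parent):
            raise ValueError(f"{sub_cidr} is not inside {parent_cidr}")
        label = child_label(sub_cidr)
        lines.append(f"; {sub_cidr}")
        lines += [f"{label} NS {ns}" for ns in nameservers]
        first = int(sub.network_address) & 0xFF
        # Hosts of the block; the block's first address is skipped as in the RFC example.
        lines += [f"{h} CNAME {h}.{label}.{origin}"
                  for h in range(first + 1, first + sub.num_addresses)]
    return "\n".join(lines)


def child_zone(sub_cidr, hosts):
    """hosts: {host octet: PTR target} -> the customer's zone text. Owner names
    keep the full host octet; octets outside the block are rejected."""
    sub = ipaddress.ip_network(sub_cidr)
    first = int(sub.network_address) & 0xFF
    lines = [f"$ORIGIN {child_label(sub_cidr)}.{slash24_origin(sub_cidr)}"]
    for octet, target in sorted(hosts.items()):
        if not first <= octet < first + sub.num_addresses:
            raise ValueError(f".{octet} is outside {sub_cidr}")
        lines.append(f"{octet} PTR {target}")
    return "\n".join(lines)


def parse_zone(text):
    """Tiny parser for the '$ORIGIN ...' and 'owner TYPE rdata' lines above.
    Returns {owner FQDN: [(rrtype, rdata)]}."""
    rrs, origin = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rrtype, rdata = line.split(maxsplit=2)
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        rrs.setdefault(fqdn, []).append((rrtype, rdata))
    return rrs


def lookup_ptr(rrs, ip_text, max_hops=4):
    """Follow CNAMEs from the address's reverse name to a PTR; None if the chain breaks."""
    name = reverse_name(ipaddress.ip_address(ip_text))
    for _ in range(max_hops):
        rrset = rrs.get(name, [])
        ptrs = [rd for t, rd in rrset if t == "PTR"]
        if ptrs:
            return ptrs[0]
        cnames = [rd for t, rd in rrset if t == "CNAME"]
        if not cnames:
            return None
        name = cnames[0]
    return None


if __name__ == "__main__":
    parent = parent_zone("192.168.2.0/24", [
        ("192.168.2.0/25", ["ns1.customer1.net.", "ns2.customer1.net."]),
        ("192.168.2.128/25", ["ns1.customer2.net.", "ns2.customer2.net."]),
    ])
    child = child_zone("192.168.2.128/25", {129: "host1.customer2.net.", 130: "host2.customer2.net."})
    print(parent, child, sep="\n\n")
    print(lookup_ptr(parse_zone(parent + "\n" + child), "192.168.2.129"))
```

If the parent's CNAME for 129 pointed at 1.128/25... while the customer's zone defined 129, lookup_ptr would return None; the generator avoids that by deriving both names from the same host octet.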
Reverse Delegation - Responsibilities

• APNIC
  o Manages the address blocks delegated in the region
  o Processes requests for reverse delegation of delegated blocks
• LIR and members
  o Be familiar with APNIC procedures
  o Ensure that addresses are reverse-mapped
  o Maintain nameservers for allocations
  o Minimize pollution of DNS
Reverse Delegation Procedures

• Access MyAPNIC.
• Create a whois object for the reverse zone (Resources > Whois updates > Add > Object Type: domain).
• Verify the nameserver and domain set up.
• Provide the FQDN of two nameservers.
• Provide the maintainer password to complete the change.
Whois Domain Object

  domain:     28.12.202.in-addr.arpa                          (reverse zone)
  descr:      in-addr.arpa zone for 28.12.202.in-addr.arpa
  admin-c:    NO4-AP                                          (contacts)
  tech-c:     AIC1-AP
  zone-c:     NO4-AP
  nserver:    cumin.apnic.net                                 (nameservers)
  nserver:    tinnie.apnic.net
  nserver:    tinnie.arin.net
  mnt-by:     MAINT-APNIC-AP                                  (maintainers)
  mnt-lower:  MAINT-AP-DNS
  changed:    [email protected] 20021023
  changed:    [email protected] 20040109
  changed:    [email protected] 20091007
  changed:    [email protected] 20111208
  source:     APNIC
Reverse DNS in IPv6

• IPv6 Prefix: 2001:DB8::/64
• FQDN: 0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
• Follow the nibble boundaries for each node: one label per 4-bit hex digit, least significant digit first, with leading zeros written out.
• RFC 3152

[Diagram: Root . -> arpa (alongside net, org, com) -> ip6 -> IPv6 addresses]
Reverse DNS in IPv6

What is the FQDN of 2001:dd8:8:701::10?

Expand the address to all 32 nibbles (2001:0dd8:0008:0701:0000:0000:0000:0010), reverse them, and append ip6.arpa:

  0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.7.0.8.0.0.0.8.d.d.0.1.0.0.2.ip6.arpa.

dig builds the same name for you with -x:

  dig -x 2001:dd8:8:701::10

  ; <<>> DiG 9.14.10 <<>> -x 2001:dd8:8:701::10
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<-
  (remainder of the output truncated)
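How the reverse names are built, for the IPv4 octet form used in the /24 zones earlier as well as the IPv6 nibble form above, and how a full name splits into the $ORIGIN plus relative label that the handout's zone files use. This is an added example, not code from the APNIC handout: it uses only the Python standard library, with ipaddress.reverse_pointer as an independent cross-check on the hand-built name, and the function names are choices made here.

```python
"""Build reverse-DNS owner names by hand (octets for IPv4, nibbles for IPv6)
and split them into the relative label plus $ORIGIN used in zone files.

Added example, not from the APNIC handout; standard library only.
"""
import ipaddress


def reverse_name(ip_text):
    """IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 nibbles (leading zeros kept) reversed under ip6.arpa."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        return ".".join(str(ip).split(".")[::-1]) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, e.g. 20010db8...0001
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def split_for_zone(ip_text, zone_prefixlen):
    """Return (relative owner label, $ORIGIN) for a reverse zone covering the
    first zone_prefixlen bits. Reverse zones can only be cut on octet
    boundaries for IPv4 and nibble boundaries for IPv6, so anything else is an error."""
    ip = ipaddress.ip_address(ip_text)
    bits, unit = (32, 8) if ip.version == 4 else (128, 4)
    if not 0 < zone_prefixlen < bits or zone_prefixlen % unit:
        raise ValueError(f"/{zone_prefixlen} is not an {unit}-bit boundary")
    labels = reverse_name(ip_text).split(".")  # ends with 'in-addr' or 'ip6', 'arpa', ''
    host_labels = (bits - zone_prefixlen) // unit
    return ".".join(labels[:host_labels]), ".".join(labels[host_labels:])


def ptr_line(ip_text, zone_prefixlen, target):
    """One zone-file line in the handout's relative form, e.g. '100 PTR host.'"""
    label, _origin = split_for_zone(ip_text, zone_prefixlen)
    return f"{label} PTR {target}"


def matches_stdlib(ip_text):
    """Cross-check the hand-built name against ipaddress.reverse_pointer."""
    return reverse_name(ip_text).rstrip(".") == ipaddress.ip_address(ip_text).reverse_pointer


if __name__ == "__main__":
    print(reverse_name("2001:dd8:8:701::10"))  # the handout's quiz address
    for ip, plen in (("192.168.1.100", 24), ("2001:db8::1", 64), ("2001:db8::1", 124)):
        label, origin = split_for_zone(ip, plen)
        print(f"$ORIGIN {origin}\n{ptr_line(ip, plen, 'server1.apnic.net.')}\n")
```

Trying split_for_zone("192.168.1.1", 25) raises, which is exactly why sub-/24 blocks need the RFC 2317 CNAME trick instead of a plain zone cut.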
Reverse DNS in IPv6

• Reverse nibble format for the zone.
• Use $ORIGIN to keep the actual lines with the PTR value simple.

REVERSE ZONE for 2001:DB8::/64

  ; 2001:DB8::/124
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
  1  PTR  r1.core0.example.net.
  2  PTR  r2.core0.example.net.
  3  PTR  r3.core0.example.net.
  4  PTR  r4.core0.example.net.
  5  PTR  r5.core0.example.net.

  ; 2001:DB8::10/124
  $ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
  1  PTR  sw1.core0.example.net.
  2  PTR  sw2.core0.example.net.
  3  PTR  sw3.core0.example.net.
  4  PTR  sw4.core0.example.net.
  5  PTR  sw5.core0.example.net.
Reverse DNS in IPv6

• Most commonly using /48 or /64 per zone

REVERSE ZONE for 2001:DB8:1::/48

  ; 2001:DB8:1:0::/64 (2001:DB8:0001:0000::/64)
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
  1  PTR  host1.zone1.example.net.
  2  PTR  host2.zone1.example.net.
  3  PTR  host3.zone1.example.net.
  4  PTR  host4.zone1.example.net.
  5  PTR  host5.zone1.example.net.

  ; 2001:DB8:1:1::/64 (2001:DB8:0001:0001::/64)
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
  1  PTR  host1.zone2.example.net.
  2  PTR  host2.zone2.example.net.
  3  PTR  host3.zone2.example.net.
  4  PTR  host4.zone2.example.net.
  5  PTR  host5.zone2.example.net.
Reverse Delegation in IPv6

• Follows the Internet addressing structure
• Delegate using nibble (4-bit) boundaries
  o /32 and /48 reverse zones
  o If allocated a /32, register a /32 reverse zone.
Reverse DNS in IPv6 - Example

Star Networks (an ISP) has been allocated the 2406:6400::/32 IPv6 address block. Delegate the customer blocks (one /48 each) from the /32 reverse zone; each /48's label is its third 16-bit group written as four nibbles in reverse order.

REVERSE ZONE for 2406:6400::/32

  $ORIGIN 0.0.4.6.6.0.4.2.ip6.arpa.
  ; INFRASTRUCTURE 2406:6400::/48
  0.0.0.0  NS  ns1.star.net.
  0.0.0.0  NS  ns2.star.net.
  ; Customer P2P links 2406:6400:1::/48
  1.0.0.0  NS  ns1.star.net.
  1.0.0.0  NS  ns2.star.net.
  ; Customer 1 2406:6400:2::/48
  2.0.0.0  NS  ns1.customer1.net.
  2.0.0.0  NS  ns2.customer1.net.
  ; Customer 2 2406:6400:3::/48
  3.0.0.0  NS  ns1.customer2.net.
  3.0.0.0  NS  ns2.customer2.net.
  ; Customer 3 2406:6400:4::/48
  4.0.0.0  NS  ns1.customer3.net.
  4.0.0.0  NS  ns2.customer3.net.
  ; Customer 4 2406:6400:5::/48
  5.0.0.0  NS  ns1.customer4.net.
  5.0.0.0  NS  ns2.customer4.net.
  ; Customer 5 2406:6400:6::/48
  6.0.0.0  NS  ns1.customer5.net.
  6.0.0.0  NS  ns2.customer5.net.
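Generating the /48 delegations under a /32 ip6.arpa zone like the one above, with two checks a hand-edited zone does not give you: every child must be nibble-aligned and inside the parent, and no two children may land on the same label. This is an added example, not code from the APNIC handout; the prefixes and nameserver names for the first three customers come from the slide, while the function names and the checks are additions made here.

```python
"""Delegate /48s out of an IPv6 /32 reverse zone: derive each child's label
under the parent's ip6.arpa origin, emit NS records, and reject a label that
is already taken or a child that is not nibble aligned.

Added example, not from the APNIC handout; Star Networks data is the slide's.
"""
import ipaddress


def reversed_nibbles(net_text):
    """The 32 nibbles of the network address, least significant first."""
    net = ipaddress.IPv6Network(net_text)
    return net.network_address.exploded.replace(":", "")[::-1]


def zone_origin(zone_cidr):
    """ip6.arpa origin of the zone covering zone_cidr (must be nibble aligned)."""
    zone = ipaddress.IPv6Network(zone_cidr)
    if zone.prefixlen % 4:
        raise ValueError("ip6.arpa zones are cut on 4-bit boundaries")
    n = zone.prefixlen // 4
    return ".".join(reversed_nibbles(zone_cidr)[32 - n:]) + ".ip6.arpa."


def delegation_label(zone_cidr, child_cidr):
    """Relative owner name of child_cidr inside zone_cidr's reverse zone,
    e.g. 2406:6400:2::/48 under 2406:6400::/32 -> '2.0.0.0'."""
    zone = ipaddress.IPv6Network(zone_cidr)
    child = ipaddress.IPv6Network(child_cidr)
    if child.prefixlen % 4 or child.prefixlen <= zone.prefixlen:
        raise ValueError(f"{child_cidr}: must be nibble aligned and longer than /{zone.prefixlen}")
    if not child.subnet_of(zone):
        raise ValueError(f"{child_cidr} is not inside {zone_cidr}")
    rev = reversed_nibbles(child_cidr)
    return ".".join(rev[32 - child.prefixlen // 4: 32 - zone.prefixlen // 4])


def delegation_zone(zone_cidr, children):
    """children: [(comment, child_cidr, [nameservers])] -> zone text.
    Raises if two children map to the same label (two customers on one /48)."""
    lines = [f"$ORIGIN {zone_origin(zone_cidr)}"]
    taken = {}
    for comment, child_cidr, nameservers in children:
        label = delegation_label(zone_cidr, child_cidr)
        if label in taken:
            raise ValueError(f"{child_cidr} and {taken[label]} both map to label {label}")
        taken[label] = child_cidr
        lines.append(f"; {comment} {child_cidr}")
        lines += [f"{label} NS {ns}" for ns in nameservers]
    return "\n".join(lines)


# Delegations from the handout's Star Networks example (first three customers).
STAR_DELEGATIONS = [
    ("INFRASTRUCTURE", "2406:6400::/48", ["ns1.star.net.", "ns2.star.net."]),
    ("Customer P2P links", "2406:6400:1::/48", ["ns1.star.net.", "ns2.star.net."]),
    ("Customer 1", "2406:6400:2::/48", ["ns1.customer1.net.", "ns2.customer1.net."]),
    ("Customer 2", "2406:6400:3::/48", ["ns1.customer2.net.", "ns2.customer2.net."]),
    ("Customer 3", "2406:6400:4::/48", ["ns1.customer3.net.", "ns2.customer3.net."]),
]

if __name__ == "__main__":
    print(delegation_zone("2406:6400::/32", STAR_DELEGATIONS))
```

The same label function works one level down: delegation_label("2001:db8::/32", "2001:db8:1:1::/64") gives 1.0.0.0.1.0.0.0, the leading part of the /64 origin shown in the 2001:DB8:1::/48 zone earlier.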
Reverse DNS in IPv6 - Example

• Infrastructure Reverse Zone

REVERSE ZONE for 2406:6400::/48

  ; Loopback addresses (2406:6400::/64)
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
  1  PTR  r1-lo0.pop1.star.net.
  2  PTR  r2-lo0.pop1.star.net.
  3  PTR  r3-lo0.pop1.star.net.
  4  PTR  r4-lo0.pop1.star.net.

  ; P2P links (2406:6400:0:1::/64, 2406:6400:0:2::/64, 2406:6400:0:3::/64)
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
  1  PTR  ge0-1.cr1.example.net.
  2  PTR  ge0-0.br1.example.net.
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
  1  PTR  ge0-1.cr1.example.net.
  2  PTR  ge0-0.br1.example.net.
  $ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
  1  PTR  ge0-1.cr1.example.net.
  2  PTR  ge0-0.br1.example.net.
Reverse DNS in IPv6

• Also read RFC 8501 (Reverse DNS in IPv6 for Internet Service Providers)
Thank You! END OF SESSION

• Any questions?
• Please remember to fill out the feedback form
• Slide handouts will be available after completing the survey
• APNIC Helpdesk Chat