Re: Check RDNS Authority


J de Boyne Pollard

Dec 25, 2009, 9:21:07 PM
NK> How can I check who is authoritative for a reverse DNS IP address?

Follow the same algorithm that a resolving proxy DNS server does.
Chase down the chain of delegations for the relevant reverse lookup
domain name, starting from the root content DNS servers. For best
results, follow all possible (in bailiwick) delegation paths.

NK> AT&T supposedly delegated the reverse
NK> DNS to my DNS server (according to them when I call them).

So check this. Send a DNS query to the relevant content DNS servers
and determine whether such a delegation is indeed in place.

Barry Margolin

Dec 26, 2009, 1:04:54 AM
In article
<a15d6df0-d13d-41d3...@c3g2000yqd.googlegroups.com>,

The easiest way to do this is with the +trace option to dig:

dig +trace -x <your-IP>

However, this doesn't follow RFC 2387-style delegation, because it
doesn't follow CNAMEs, so you'll have to deal with that yourself if
that's involved in your delegation.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
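
An added example, not code from anyone in this thread: the delegation chase described in the posts above, run over constructed zone data for the documentation block 192.0.2.0/24, with the CNAME restart that `dig +trace` leaves to you. All zone contents and server names are invented, and it follows one delegation path rather than all of them.

```python
import ipaddress

# Constructed delegation data, not real DNS: each zone lists its content
# servers ("ns"), the child zones it delegates ("cuts") and any CNAMEs it holds.
ZONES = {
    ".": {"ns": ["a.root.example."], "cuts": ["arpa."]},
    "arpa.": {"ns": ["ns.arpa.example."], "cuts": ["in-addr.arpa."]},
    "in-addr.arpa.": {"ns": ["ns.registry.example."], "cuts": ["192.in-addr.arpa."]},
    "192.in-addr.arpa.": {"ns": ["ns.rir.example."], "cuts": ["2.0.192.in-addr.arpa."]},
    "2.0.192.in-addr.arpa.": {
        "ns": ["ns.isp.example."],
        "cuts": ["64/26.2.0.192.in-addr.arpa."],
        # RFC 2317 classless delegation: the ISP zone holds a CNAME per address.
        "cname": {"70.2.0.192.in-addr.arpa.": "70.64/26.2.0.192.in-addr.arpa."},
    },
    "64/26.2.0.192.in-addr.arpa.": {"ns": ["ns1.customer.example."], "cuts": []},
}


def within(name, zone):
    """True if name is at or below zone (all names carry a trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def chase(ip, follow_cname=True, zones=ZONES, max_restarts=4):
    """Return (zone, servers, zones_visited) for the reverse name of ip."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    visited = []
    for _ in range(max_restarts + 1):
        zone = "."
        while True:  # follow referrals down from the root
            visited.append(zone)
            cuts = [c for c in zones[zone]["cuts"] if within(name, c)]
            if not cuts:
                break  # no deeper delegation: this zone answers for name
            zone = max(cuts, key=len)
        target = zones[zone].get("cname", {}).get(name)
        if target is None or not follow_cname:
            return zone, zones[zone]["ns"], visited
        name = target  # restart from the root for the CNAME target
    raise RuntimeError("too many CNAME restarts")


if __name__ == "__main__":
    for ip, follow in (("192.0.2.70", False), ("192.0.2.70", True), ("192.0.2.10", True)):
        zone, servers, _ = chase(ip, follow)
        print(f"{ip} follow_cname={follow}: {zone} served by {servers}")
```

With `follow_cname=False` the chase stops at the ISP's zone, which only holds the CNAME; following it is what reaches the customer's servers.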

J de Boyne Pollard

Dec 26, 2009, 9:39:09 AM
BM> The easiest way to do this is with the +trace option to dig:
BM> dig +trace -x <your-IP>
BM> However, this doesn't follow RFC 2317-style delegation, [...]

The way to do this that I personally find to be the easiest is to
instrument a resolving proxy DNS server to log all of its queries and
responses, and just ask it the relevant question then read the
resultant log entries. (I posted an excerpt from one such log not
long ago, as a matter of fact.) Of course, this doesn't follow all
possible paths, but it will use the correct algorithm (which tools
widely advertised for this purpose, such as "dnstracer", do not).
Bernstein's "dnstrace" uses the correct algorithm *and* follows all
possible paths. But I have found in practice that just looking at the
logs of a resolving proxy DNS server and issuing a few queries
manually is almost always enough for most purposes.

Some resolving proxy DNS servers largely do this right out of the
box. I've recently discovered, from an obscure corner of the MSDN,
that it's possible to configure Microsoft's DNS server to do this,
too. (M. Fekay, if you're reading this: It's the OperationsLogLevel
property, documented in the same place as the LameDelegationTtl
property we were discussing before.) I've not tried it with
Microsoft's DNS server myself. I tend to just use one of the
softwares that do it out of the box when I need this capability. (-:

Ace Fekay [MCT]

Dec 26, 2009, 12:26:32 PM
"J de Boyne Pollard" <J.deBoyn...@Tesco.NET> wrote in message
news:88adf7cd-4441-4b0d...@m26g2000yqb.googlegroups.com...


Yes, thanks for pointing that out. The relevant links are:

MSDN 3.1.1.1.1 DNS Server Integer Properties
http://msdn.microsoft.com/en-us/library/cc422472(PROT.10).aspx

MSDN: 7 Appendix B: Product Behavior
http://msdn.microsoft.com/en-us/library/cc422509(PROT.10).aspx

Ace

