Atomic Secure Linux
 Post subject: can't do host/rDNS lookups for local IPs
Posted: Thu Jun 30, 2016 12:39 pm
Long Time Forum Regular
I'm posting this in this section on the off-chance it might be to do with the ASL firewall. I really doubt it though and to be honest I think I'm clutching at straws. So obviously move it if needed.

Anyhooo...

What's happening is that on a particular machine I've set up for testing, with Plesk 12, Centos 7, and ASL, I can't do host/rDNS lookups on IPs within the range allocated to me.

It happily does lookups for IPs further afield, however.

For example:

host x.x.x.x gives me NXDOMAIN, where x.x.x.x is within my range.
(similar NXDOMAIN results for dig @localhost -x x.x.x.x)

As you might expect, dig @8.8.8.8 -x x.x.x.x works fine, as I'm using an external nameserver.

Where things get interesting is this:

host x.x.y.x where y is x+1 takes me well out of the range assigned to me, and gives a good result!
"y" remains within my co-lo provider's IP range though.

I just don't get it. It is like IPs around me are somehow out of reach.

named is running and working on the system just fine. It allows forward lookups with no errors.
Port 53 is open for TCP and UDP.

All the other machines I have on the same range all happily do reverse lookups with no issues at all.

named.conf has nothing strange in it. It has not been manually altered.
allow-recursion {
localnets;
};


I'm baffled.

 Post subject: Re: can't do host/rDNS lookups for local IPs
Posted: Thu Jun 30, 2016 12:52 pm
Atomicorp Staff - Site Admin
There's nothing in the kernel that would do that. The only things I can think of are:

1) an outbound firewall policy that's preventing you from accessing the authoritative DNS server for those PTR records
2) the authoritative DNS servers for those PTR records aren't authoritative

_________________
Michael Shinn
Atomicorp - Security For Everyone
 Post subject: Re: can't do host/rDNS lookups for local IPs
Posted: Thu Jun 30, 2016 12:59 pm
Long Time Forum Regular
OK, we definitely need to move this. It isn't ASL. I don't know what it is though.

In named.conf, I have this, generated by Plesk:

zone "a.b.c.in-addr.arpa" {
type master;
file "a.b.c.in-addr.arpa";
allow-transfer {
common-allow-transfer;
};
};


And that's the problem. If I remove it, or change the "a" to a+1, for example, I can do lookups on my local range without getting an NXDOMAIN.

All my other systems have the same thing, so I don't quite get why they can do lookups and this machine can't.

This is infuriating!

 Post subject: Re: can't do host/rDNS lookups for local IPs
Posted: Fri Jul 01, 2016 6:46 am
Long Time Forum Regular
Well, BEEP.

I'd made an error during testing and in fact none of my machines can resolve PTR records for any IP on the same /24 when using the local named to do the lookup.

It is all down to the .in.arpa record that gets added and can't be removed on a Plesk-based system. (and for all I know needs to be there to make named work at all)

For future reference, the bottom line is this:
IF you need to have 127.0.0.1 as the first nameserver in your resolv.conf
AND
you have configured postfix or spamdyke or whatever to block based on connecting IPs having no rDNS
THEN
whitelist your /24 (or manually add PTRs for each IP in your own range).

I'm convinced I'm missing something, or doing something wrong though.

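Added example, not from this thread and not Plesk's or Atomicorp's code: a small Python check for the situation worked out in the last two posts. Given a named.conf, it lists the in-addr.arpa zones the local named is master for, tells you whether a /24 you care about falls under one of them (in which case any PTR missing from that zone file comes back NXDOMAIN from 127.0.0.1 instead of being resolved upstream), and generates the per-host PTR lines the last post suggests as a remedy. The named.conf text and the host-name template are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample named.conf in the shape Plesk generates (assumption, not from the thread).
NAMED_CONF = """
zone "3.2.1.in-addr.arpa" {
    type master;
    file "3.2.1.in-addr.arpa";
    allow-transfer { common-allow-transfer; };
};
zone "10.in-addr.arpa" {
    type forward;
    forwarders { 192.0.2.53; };
};
"""

# One zone statement: its name and everything up to the next zone statement (or end of file).
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)(?=\n\s*zone\s+"|\Z)', re.S)

def reverse_zone_for(cidr):
    """Octet-aligned IPv4 prefix (/8, /16, /24) -> its in-addr.arpa zone name."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes map to a single reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def local_master_reverse_zones(conf):
    """Reverse zones this named answers for itself; queries under them are never sent upstream."""
    return {name.lower() for name, body in ZONE_RE.findall(conf)
            if name.lower().endswith(".in-addr.arpa")
            and re.search(r"\btype\s+master\s*;", body)}

def shadowing_zone(conf, cidr):
    """The local master zone covering cidr, or None. If there is one, every PTR
    missing from its zone file answers NXDOMAIN locally even if the real PTR exists upstream."""
    want = reverse_zone_for(cidr)
    for zone in local_master_reverse_zones(conf):
        if want == zone or want.endswith("." + zone):
            return zone
    return None

def ptr_records(cidr, name_fmt="host-{dashed}.example.test."):
    """Remedy from the last post: one PTR line per host of a /24 for that zone file.
    name_fmt is a hypothetical naming template (assumption)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen != 24:
        raise ValueError("owner names below assume a /24 reverse zone")
    return ["{}\tIN\tPTR\t{}".format(str(ip).rsplit(".", 1)[1],
            name_fmt.format(dashed=str(ip).replace(".", "-"))) for ip in net.hosts()]
```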