INFRA-41: Reverse DNS

Metadata

Source: INFRA-41
Type: Task
Priority: Major
Status: Closed
Resolution: Fixed
Assignee: Giovanni Tirloni
Reporter: Giovanni Tirloni
Created: 2015-08-31T10:53:44.860-0400
Updated: 2015-11-03T09:33:11.498-0500
Versions: N/A
Fixed Versions: N/A
Component: N/A

Description

Besides being a good practice to have reverse DNS configured, we also need it to avoid mail errors like this:

to=<keineantwortadresse@web.de>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=256735, delays=256734/0.02/1.1/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 554-web.de (mxweb005) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=205.211.169.31)

Comments

  • Giovanni Tirloni commented 2015-08-31T10:54:42.102-0400

    Provided Yong with our DNS servers on 6/11/2015. Requested an update on 8/28/2015.

  • Giovanni Tirloni commented 2015-09-04T10:12:56.340-0400

    No answer from Yong.

  • Giovanni Tirloni commented 2015-10-21T10:45:51.135-0400

    Latest iteration of this request.

    -------- Forwarded Message --------
    Subject: Re: Reverse DNS for 205.211.169.0/24
    Date: Wed, 21 Oct 2015 12:41:15 -0200
    From: Giovanni Tirloni <gtirloni@ocadu.ca>
    To: Zhang, Yong <yzhang@ocadu.ca>, Harnum, Alan <aharnum@ocadu.ca>
    CC: Clark, Colin <cclark@ocadu.ca>, Gill, Avtar <agill@ocadu.ca>
    
    Hi Yong,
    
    I can't seem to resolve any IPs from the 205.211.169.0/24 network, but
    if I query the IDRC's DNS servers directly, they respond with the
    correct answer:
    
    $ dig +short @ns-794.awsdns-35.net. 10.169.211.205.in-addr.arpa. ptr
    tor1-prd-fw01.inclusivedesign.ca.
    
    I believe Cogent will have to do the delegation at the ARIN level,
    instead of just adding NS records to their DNS servers. What they have
    done is considered a "horizontal referral" (referral at the same level)
    and doesn't seem to work because the DNS resolver considers it a "bad
    referral" and stops looking.
    
    Here is the document from ARIN mentioning that delegations can only
    happen at /8, /16 and /24 boundaries. Cogent probably owns/manages
    separate delegation for 205.211.168.0/24 and 205.211.169.0/24 that they
    could change independently:
    
    https://www.arin.net/resources/request/reversedns.html
    
    I've attached a log file with a DNS trace showing the bad referral. The
    dig utility is used for troubleshooting and continues the lookup even in
    the face of the error (that's why it's able to show the correct answer)
    but Windows/OSX/Linux DNS resolvers don't do that.
    
    Thanks for helping us with this.
    
    Thank you,
    Giovanni
    
    On 10/20/2015 02:44 PM, Zhang, Yong wrote:
    > Hi Alan and Giovanni,
    > 
    > The change has been made for 205.211.169.0/24 reverse zone. Keep in mind some IPs in 205.211.169.0/24 are managed by IDRC.
    > 
    > Thanks,
    > Yong
    > 
    > -----Original Message-----
    > From: Harnum, Alan 
    > Sent: Monday, September 21, 2015 12:53 PM
    > To: Zhang, Yong
    > Cc: Clark, Colin; Gill, Avtar; Giovanni Tirloni
    > Subject: FW: Reverse DNS for 205.211.169.0/24
    > 
    > Hi Yong,
    > 
    > Could you help facilitate the request below from Giovanni to help us get reverse DNS configured for our SMTP servers?
    > 
    > I believe (Giovanni, please correct if this is wrong) this is related to emails to our mailing list recipients being rejected.
    > 
    > Thanks,
    > 
    > ALAN HARNUM
    > SENIOR INCLUSIVE DEVELOPER
    > INCLUSIVE DESIGN RESEARCH CENTRE, OCAD UNIVERSITY
    
  • Alan Harnum commented 2015-11-03T09:05:29.454-0500

    @Giovanni Tirloni, is this issue satisfactorily resolved now? Can we close this one?

  • Giovanni Tirloni commented 2015-11-03T09:16:11.255-0500

    Yes, issue is resolved. Thanks for helping with this.

  • Giovanni Tirloni commented 2015-11-03T09:16:55.420-0500

    Reverse DNS for IPs 11,12,29,30,31 created individually.

    If we ever need DNS delegation in the future, Cogent will have to delegate the 205.211.169.0/24 network at the ARIN level to us.

    $ for i in 11 12 29 30 31; do host 205.211.169.$i | sed 's/domain name pointer/=>/g'; done

    11.169.211.205.in-addr.arpa => tor1-prd-ns01.inclusivedesign.ca.
    12.169.211.205.in-addr.arpa => tor1-prd-ns02.inclusivedesign.ca.
    29.169.211.205.in-addr.arpa => tor1-prd-mx01.inclusivedesign.ca.
    30.169.211.205.in-addr.arpa => tor1-prd-mx02.inclusivedesign.ca.
    31.169.211.205.in-addr.arpa => tor1-prd-mx03.inclusivedesign.ca.
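
The "horizontal referral" described in the 2015-10-21 comment can be checked mechanically while walking a reverse-DNS delegation chain. The following is an added example, not part of the original ticket: the function names and both referral chains are constructed for illustration (the attached trace is not reproduced here), and it assumes the usual resolver rule that each referral must name a zone strictly deeper than the zone that issued it.

```python
import ipaddress

def labels(name):
    """Split a DNS name into lowercase labels; the root zone yields []."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def is_at_or_below(name, zone, strictly=False):
    """True if `name` is inside `zone` (strictly deeper when strictly=True)."""
    n, z = labels(name), labels(zone)
    if len(n) < len(z) or (strictly and len(n) == len(z)):
        return False
    return n[len(n) - len(z):] == z

def classify_referral(qname, current_zone, referral_owner):
    """Judge an NS referral returned by a server for `current_zone`."""
    if not is_at_or_below(qname, referral_owner):
        return "bad: referral zone does not contain the query name"
    if not is_at_or_below(referral_owner, current_zone, strictly=True):
        return "bad: horizontal or upward referral"
    return "ok"

def walk(ip, referral_owners):
    """Follow referrals for the PTR name of `ip`, starting at the root.

    Stops at the first bad referral, as the resolvers in the ticket did.
    Returns (qname, [(answering_zone, referral_owner, verdict), ...]).
    """
    qname = ipaddress.ip_address(ip).reverse_pointer
    zone, steps = ".", []
    for owner in referral_owners:
        verdict = classify_referral(qname, zone, owner)
        steps.append((zone, owner, verdict))
        if verdict != "ok":
            break
        zone = owner
    return qname, steps

# Constructed chains (not the trace attached to the ticket): in BROKEN the
# servers for the /24 zone hand out NS records for that same zone.
BROKEN = ["in-addr.arpa", "205.in-addr.arpa",
          "169.211.205.in-addr.arpa", "169.211.205.in-addr.arpa"]
DELEGATED = ["in-addr.arpa", "205.in-addr.arpa", "169.211.205.in-addr.arpa"]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("delegated", DELEGATED)):
        qname, steps = walk("205.211.169.10", chain)
        print(name, qname)
        for zone, owner, verdict in steps:
            print(f"  {zone} -> {owner}: {verdict}")
```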