[GTALUG] Reverse DNS different than DNS server (reverse is a local address)

ac ac at main.me
Mon Nov 23 10:14:14 EST 2020


On Mon, 23 Nov 2020 09:20:57 -0500 (EST)
"D. Hugh Redelmeier via talk" <talk at gtalug.org> wrote:

> I have no time for a careful answer.  But it is important that you 
> understand these points:
> 
I can also spend a few minutes to add to the points below, if
that helps anyone...

> - DNS is a distributed tree, with nodes that are authoritative for 
>   particular domains.
>
Yes, and not at all - names = not so much, possibly, a little like a
one or two branch tree - Numbers = always four or six "branches"

DNS is mostly a fixed single easy thing. (although you do get weird
'trees' like  de.li.cio.us (or whatever that was)

For names it could resemble a tree with one, sometimes two or three
branches, hardly ever more than that... (in theory it could have
millions of branches - but IRL (in real life) two or three...

An example - would be example.com
.com says which NS server(s) is/are authoritative for example

That NS server(s) may further say where is www.example.com

but not often do you find www.www.www.www.example.com
(although you could, in theory, have a "tree", I guess...)

for numbers though, the delegation is only 4 "branches" deep for ipv4
and 6 "branches" deep for ipv6 - unless you count the main .in-addr.arpa
as another two?

So, DNS may be a bit like a very small bonsai? hehehehe
 
> - there is caching (recursive servers) if you trust them (almost
> always one does).  Unless you are using DNSSec, the caching server
> can lie, sometimes usefully.
>
> - the forward domain is technically unrelated to the reverse domain.
>
yes, reverse and forward lookup is not related, but when they match, as
in for use as an email server, this is another layer in the onion of
trust.

and, technically - it is ALL forward lookups (even a reverse lookup :) 
the 'reverse' is actually you/inquirer 'reversing' the number and
adding .in-addr.arpa )

>   The forward domain lookup uses a conventional domain name as the
>   key.

You can have 192.168.1.100.com - so the only 'convention' is that
forward and reverse both have 'sub domains'

it is all really 'forward' lookups :)

forward works from the back
123 -> com for 123.com

reverse works by "reversing the number" and adding .in-addr.arpa

192.168.1.1 -> 192 for 168
so: 1.2.168.192.in-addr.arpa

for example: dig NS 136.100.in-addr.arpa tells you how 136.100 is
delegated, etc etc.

>   The reverse lookup uses the IP address (in a funny format) as the
>   key.
> 
not so funny, just the normal ip number format

but the reverse is from the start of the number and not the end

> - Reverse example: to lookup the reverse for IPv4 address 1.2.3.4,
>   your system actually queries 4.3.2.1.in-addr.arpa.  I think you can
>   see how that is constructed.
> 
yes, this is all it is :) 

> - the reverse domain is a mystery to most people (because it mostly 
>   doesn't matter to most users).  If you run a mail server, it does 
>   matter.
> - whoever provided you with your IP address controls the reverse
>   domain for that IP address.  Generally, if you pay for a static IP
>   address, they will let you specify what you want them to put in the
>   reverse domain for that IP address.  Most ordinary consumers don't
>   have static addresses and are not given a say in what the reverse
>   says.
> 
if whoever provided you with the number did not hijack it from
somewhere and it is in fact properly delegated, then they could, in
their own auth NS, add whatever 'name' you like to the IP number :)

> - if your provider provides you with a CIDR of network addresses,
>   static, they may delegate the reverse domain for that CIDR to a DNS
>   of your choosing.  This is not the normal home case.
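Added example, not part of the thread: a small standard-library Python script that builds the PTR query name the way the messages above describe (reverse the address, append .in-addr.arpa), works out which reverse zone a provider would delegate for a prefix (100.136.0.0/16 gives the 136.100.in-addr.arpa zone mentioned above), and lists the delegation steps a resolver walks. It also covers the IPv6 nibble form under ip6.arpa, which the thread only mentions in passing.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """PTR query name for one address, as a stub resolver builds it.

    IPv4: octets reversed under in-addr.arpa  (1.2.3.4 -> 4.3.2.1.in-addr.arpa)
    IPv6: all 32 hex nibbles reversed under ip6.arpa
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
        suffix = "in-addr.arpa"
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 nibbles
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def reverse_zone(cidr: str) -> str:
    """Reverse zone a provider can delegate for a whole prefix.

    Only octet-aligned IPv4 prefixes (/8, /16, /24) and nibble-aligned
    IPv6 prefixes map onto a single zone; anything else is refused here.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones follow octet boundaries")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones follow nibble boundaries")
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles)[: net.prefixlen // 4]
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def delegation_path(ip: str) -> list:
    """Zones a resolver can be referred through, shallowest first:
    in-addr.arpa -> 1.in-addr.arpa -> 2.1.in-addr.arpa -> ... one per label,
    so four steps below in-addr.arpa for IPv4 and 32 below ip6.arpa for IPv6."""
    labels = reverse_name(ip).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]


if __name__ == "__main__":
    print(reverse_name("1.2.3.4"))            # 4.3.2.1.in-addr.arpa
    print(reverse_zone("100.136.0.0/16"))     # 136.100.in-addr.arpa
    print(delegation_path("192.168.1.1"))
```

Run it with a real address and compare the printed name against `dig -x <address>` to see the same query name the resolver uses.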


