[GTALUG] Reverse DNS different than DNS server (reverse is a local address)

Joseph Rocklin rocklin at tuta.io
Mon Nov 23 12:08:28 EST 2020


Thanks for the feedback. I have a lot more learning ahead. I will try to concisely post questions, only when needed, in future. I appreciate your collective help.

Sincerely,
Joseph

23 Nov 2020, 10:14 am by talk at gtalug.org:

> On Mon, 23 Nov 2020 09:20:57 -0500 (EST)
> "D. Hugh Redelmeier via talk" <talk at gtalug.org> wrote:
>
>> I have no time for a careful answer.  But it is important that you 
>> understand these points:
>>
> I can also spend a few minutes to add to the points below, if
> that helps anyone...
>
>> - DNS is a distributed tree, with nodes that are authoritative for 
>>  particular domains.
>>
> Yes, and not at all - names = not so much, possibly, a little like a
> one or two branch tree - Numbers = always four or six "branches"
>
> DNS is mostly a fixed single easy thing. (although you do get weird
> 'trees' like  de.li.cio.us (or whatever that was)
>
> For names it could resemble a tree with one, sometimes two or three
> branches, hardly ever more than that... (in theory it could have
> millions of branches - but IRL (in real life) two or three...
>
> An example - would be example.com
> .com says which NS server(s) is/are authoritative for example
>
> That NS server(s) may further say where is www.example.com
>
> but not often do you find www.www.www.www.example.com
> (although you could, in theory, have a "tree", I guess...)
>
> for numbers though, the delegation is only 4 "branches" deep for ipv4
> and 6 "branches" deep for ipv6 - unless you count the main .in-addr.arpa
> as another two?
>
> So, DNS may be a bit like a very small bonsai? hehehehe
>  
>
>> - there is caching (recursive servers) if you trust them (almost
>> always one does).  Unless you are using DNSSec, the caching server
>> can lie, sometimes usefully.
>>
>> - the forward domain is technically unrelated to the reverse domain.
>>
> yes, reverse and forward lookup is not related, but when they match, as
> in for use as an email server, this is another layer in the onion of
> trust.
>
> and, technically - it is ALL forward lookups (even a reverse lookup :) 
> the 'reverse' is actually you/inquirer 'reversing' the number and
> adding .in-addr.arpa )
>
>> The forward domain lookup uses a conventional domain name as the
>>  key.
>>
>
> You can have 192.168.1.100.com - so the only 'convention' is that
> forward and reverse both have 'sub domains'
>
> it is all really 'forward' lookups :)
>
> forward works from the back
> 123 -> com for 123.com
>
> reverse works by "reversing the number" and adding .in-addr.arpa
>
> 192.168.1.1 -> 192 for 168
> so: 1.2.168.192.in-addr.arpa
>
> for example: dig NS 136.100.in-addr.arpa tells you how 136.100 is
> delegated, etc etc.
>
>> The reverse lookup uses the IP address (in a funny format) as the
>>  key.
>>
> not so funny, just the normal ip number format
>
> but the reverse is from the start of the number and not the end
>
>> - Reverse example: to lookup the reverse for IPv4 address 1.2.3.4,
>>  your system actually queries 4.3.2.1.in-addr.arpa.  I think you can
>>  see how that is constructed.
>>
> yes, this is all it is :) 
>
>> - the reverse domain is a mystery to most people (because it mostly 
>>  doesn't matter to most users).  If you run a mail server, it does 
>>  matter.
>> - whoever provided you with your IP address controls the reverse
>>  domain for that IP address.  Generally, if you pay for a static IP
>>  address, they will let you specify what you want them to put in the
>>  reverse domain for that IP address.  Most ordinary consumers don't
>>  have static addresses and are not given a say in what the reverse
>>  says.
>>
> if whoever provided you with the number did not hijack it from
> somewhere and it is in fact properly delegated, then they could, in
> their own auth NS, add whatever 'name' you like to the IP number :)
>
>> - if your provider provides you with a CIDR of network addresses,
>>  static, they may delegate the reverse domain for that CIDR to a DNS
>>  of your choosing.  This is not the normal home case.
>>
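The reverse-name construction the thread walks through, together with the forward/reverse match that the posters say matters for a mail server, as an added Python example (not code from the thread or any of its posters; the DNS answers are a constructed in-memory table so it runs offline, and the IPv6 ip6.arpa form and the delegation-zone helper go beyond the IPv4 case the thread shows):

```python
import ipaddress
from typing import Callable, Optional, Set, Tuple

def reverse_name(ip: str) -> str:
    """Owner name queried for a PTR record: the four octets reversed plus
    .in-addr.arpa for IPv4, the 32 hex nibbles reversed plus .ip6.arpa for
    IPv6 (the IPv6 form is beyond what the thread shows)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def delegation_zone(cidr: str) -> str:
    """Reverse zone covering an octet-aligned IPv4 prefix, i.e. the name
    (like 136.100.in-addr.arpa in the thread) you would ask for NS records."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes sit on octet boundaries")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"

def forward_confirmed(ip: str, ptr: Callable[[str], Optional[str]],
                      addresses: Callable[[str], Set[str]]) -> Tuple[bool, Optional[str]]:
    """Forward-confirmed reverse DNS: the hostname the PTR returns must itself
    resolve back to ip. No PTR, or a PTR naming a host whose forward records
    do not include ip, is reported as unconfirmed."""
    name = ptr(reverse_name(ip))
    if name is None:
        return False, None
    return ip in addresses(name), name

# Constructed stand-in for real DNS answers (hypothetical names, not real zones).
SAMPLE_PTR = {
    "4.3.2.1.in-addr.arpa": "mail.example.com",
    "100.1.168.192.in-addr.arpa": "desktop.lan",   # reverse points at a local name
}
SAMPLE_ADDR = {
    "mail.example.com": {"1.2.3.4"},
    "desktop.lan": {"10.0.0.5"},                   # forward does not match -> unconfirmed
}

def check_sample(ip: str) -> Tuple[bool, Optional[str]]:
    """Run the FCrDNS check against the constructed table."""
    return forward_confirmed(ip, SAMPLE_PTR.get, lambda n: SAMPLE_ADDR.get(n, set()))

if __name__ == "__main__":
    for ip in ("1.2.3.4", "192.168.1.100", "192.0.2.9"):
        print(ip, reverse_name(ip), check_sample(ip))
```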
