http://blog.cj2s.de/ on malware, botnets and security by Christian J. Dietrich en Serendipity 1.6.2 - http://www.s9y.org/ Wed, 10 Oct 2012 20:35:59 GMT http://blog.cj2s.de/templates/bulletproof/img/s9y_banner_small.png http://blog.cj2s.de/ 100 21 http://blog.cj2s.de/archives/24-Delegating-IN-ADDR.ARPA-domains-for-reverse-DNS-resolution-PTR-IP-to-hostname.html Linux Hints http://blog.cj2s.de/archives/24-Delegating-IN-ADDR.ARPA-domains-for-reverse-DNS-resolution-PTR-IP-to-hostname.html#comments http://blog.cj2s.de/wfwcomment.php?cid=24 0 http://blog.cj2s.de/rss.php?version=2.0&type=comments&cid=24 nospam@example.com (Christian J. Dietrich) Part of a clean DNS configuration is to maintain a mapping from IP addresses to hostnames. Especially in email exchange, many mail servers require that the sender's IP address can be looked up in DNS and e.g. maps to a hostname. You can easily test this using the tool dig which is usually part of bind-utils:<br /> <pre><br /> $ dig -x 80.67.18.126<br /> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19989<br /> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0<br /> <br /> ;; QUESTION SECTION:<br /> ;126.18.67.80.in-addr.arpa. IN PTR<br /> <br /> ;; ANSWER SECTION:<br /> 126.18.67.80.in-addr.arpa. 86400 IN PTR mxlb.ispgateway.de.<br /> </pre><br /> The listing shows the lookup for a PTR record of (one of) the mail server's IP address(es) of my domain. dig provides the -x flag which behind the scenes makes a query for 126.18.67.80.in-addr.arpa. of resource record type PTR. Equivalently, you can issue 'dig 126.18.67.80.in-addr.arpa. PTR'. As we can see from the output above, the IP address <strong>80.67.18.126</strong> maps to the hostname <strong>mxlb.ispgateway.de.</strong> (which in turn maps to 80.67.18.126 when querying for an A RR type).<br /> <br /> In order to be able to provide reverse mappings for a set of IP addresses that have been assigned, there should be a delegation (or referral) from the authoritative entity which assigned the IP addresses. Usually you will want to have CIDR ranges of IPv4 addresses delegated. Thus, let's assume the upstream ISP takes care of the whole /24 network <strong>1.2.3.0/24</strong> (i.e. 1.2.3.0-1.2.3.255) and the subnet IP address range <strong>1.2.3.32/27</strong> (i.e. 1.2.3.32-1.2.3.63) should be delegated from the authoritative (upstream ISP) nameserver A to (your) nameserver B. The following configuration snippets provide an example configuration for BIND and illustrate the required steps.<br /> <br /> Thus, A needs to be configured to delegate the DNS entries concerning the IP addresses 1.2.3.32/27 to the nameserver B as follows:<br /> <pre><br /> ; depending on your style of zone files, you might not have an $ORIGIN in them at all<br /> $ORIGIN 3.2.1.IN-ADDR.ARPA.<br /> @ IN SOA ns1.A.com. dnsadmin.A.com. (<br /> 2011052501; serial number<br /> 1h ; refresh after<br /> 1h ; retry update after<br /> 2w ; expire after<br /> 1h ; negative caching TTL)<br /> IN NS ns1.A.com.<br /> IN NS ns2.A.com.<br /> <br /> ; here go PTR records for the IP address range 1.2.3.0-.31 which is not delegated to B<br /> 1 IN PTR some.absolute.hostname.example.com.<br /> ...<br /> 31 IN PTR note.that.relative.names.dont.make.sense.here.<br /> <br /> ; here goes the referral for the subnet 1.2.3.32/27 to B's name server(s)<br /> 32/27 IN NS ns1.B.com.<br /> 32/27 IN NS ns2.B.com. ; in case B has a second NS<br /> <br /> ; Now comes an important part. the above statement does not suffice to refer queries to B's name server.<br /> ; In addition, we also have to define CNAMEs for ALL IP addresses in the subnet and map them to<br /> ; the referred domain 32/27.<br /> 32 IN CNAME 32.32/27.3.2.1.IN-ADDR.ARPA.<br /> ; or alternatively<br /> 32 IN CNAME 32.32/27<br /> ....<br /> 63 IN CNAME 63.32/27 ; keep going from 32 to 63...<br /> ; ...or alternatively use the $GENERATE macro of BIND 8.2+<br /> $GENERATE 32-63 $ CNAME $.32/27<br /> </pre><br /> Note that we could have chosen ANY arbitrary name instead of 32/27 for the CNAME targets as well as the referral (one could even refer outside the in-addr.arpa tree). However, <a onclick="_gaq.push(['_trackPageview', '/extlink/tools.ietf.org/html/rfc2317']);" href="http://tools.ietf.org/html/rfc2317" target="_blank">RFC 2317</a> recommends the above scheme (for good reason).<br /> <br /> On the "target" nameserver B, the zone looks similar to:<br /> <pre><br /> $ORIGIN 32/27.3.2.1.IN-ADDR.ARPA.<br /> @ IN SOA ns1.B.com. dnsadmin.B.com. ( ... )<br /> IN NS ns1.B.com.<br /> IN NS ns2.B.com.<br /> <br /> ; provide the PTR mapping for the IP addresses 1.2.3.32-.63 (maybe omit first and <br /> ; last as they are network and broadcast addresses).<br /> 32 IN PTR some-net.b.example.com.<br /> 33 IN PTR host33.b.example.com.<br /> ....<br /> 62 IN PTR web.example.com.<br /> 63 IN PTR host63.example.com.<br /> <br /> ; alternatively use the $GENERATE macro of BIND 8.2+<br /> $GENERATE 32-63 $ PTR host$.b.example.com.<br /> </pre><br /> The configuration of the zone on the nameserver B is something like:<br /> <pre><br /> ...<br /> zone "32/27.3.2.1.in-addr.arpa" in {<br /> type master;<br /> file "data/1.2.3.32_27.reverse.zone";<br /> };<br /> ...<br /> </pre><br /> <br /> <strong>Testing the configuration</strong><br /> Here are some commands using dig in order to test the configuration:<br /> <pre><br /> ; query one of the PTRs at B's nameserver<br /> dig +norecurse @[nameserver-of-B] 33.32/27.3.2.1.in-addr.arpa PTR<br /> <br /> ; query A's nameserver for the exact referral<br /> dig +norecurse @[nameserver-of-A] 32/27.3.2.1.in-addr.arpa ANY<br /> <br /> ; query A's nameserver for one of the PTRs<br /> dig +norecurse @[nameserver-of-A] 33.32/27.3.2.1.in-addr.arpa PTR<br /> dig +norecurse @[nameserver-of-A] 33.3.2.1.in-addr.arpa PTR<br /> <br /> ; query one of the PTRs starting at the root<br /> dig -x 1.2.3.33<br /> dig +trace -x 1.2.3.33<br /> </pre> Wed, 01 Jun 2011 19:03:00 +0200 http://blog.cj2s.de/archives/24-guid.html http://blog.cj2s.de/archives/19-Compiling-Gnuplot-4.4.2-on-CentOS-5.5.html Linux Hints http://blog.cj2s.de/archives/19-Compiling-Gnuplot-4.4.2-on-CentOS-5.5.html#comments http://blog.cj2s.de/wfwcomment.php?cid=19 0 http://blog.cj2s.de/rss.php?version=2.0&type=comments&cid=19 nospam@example.com (Christian J. Dietrich) CentOS is a really fine platform for professional Linux servers which is - among others - characterized by stable software releases. However, especially in a research environment every once in a while you need a recent version of a software. CentOS ships with Gnuplot 4.0.0 but I need Gnuplot >=4.4. In case others need this, too, here are my compile instructions:<br /> <pre><br /> # make sure your system is uptodate<br /> yum clean all<br /> yum check-update<br /> yum update<br /> <br /> # based on a minimal installation, you need some packages in order to compile, I suggest<br /> yum install gcc gcc-c++ make libX11 xauth<br /> yum install cairo-devel pango-devel freetype-devel gd-devel<br /> <br /> cd /usr/local/src/<br /> wget http://sourceforge.net/projects/gnuplot/files/gnuplot/4.4.2/gnuplot-4.4.2.tar.gz/download<br /> tar xzf gnuplot-4.4.2.tar.gz <br /> cd gnuplot-4.4.2<br /> less INSTALL<br /> <br /> # start compiling. I usually install self-compiled stuff at /opt/[PKG-NAME]<br /> ./configure --prefix=/opt/gnuplot442<br /> make<br /> # make sure the shipped version of gnuplot is removed (this is probably not necessary but prevents version mix-up)<br /> yum remove gnuplot<br /> make install<br /> <br /> # you might want to add a symlink<br /> ln -s /opt/gnuplot442/bin/gnuplot /usr/bin/gnuplot<br /> </pre> Wed, 01 Dec 2010 19:25:00 +0100 http://blog.cj2s.de/archives/19-guid.html