APNIC eLearning: Reverse DNS for IPv4 and IPv6
06 OCT 2015, 11:00 AM AEST Brisbane (UTC+10)
Issue Date: 07 July 2015
Revision: 2.0

Introduction
Presenter: Sheryl Hermoso, Training Officer, sheryl@apnic.net
Specialties: Network Security, IPv6, DNS/DNSSEC, Internet Resource Management
Reminder: Please take time to fill out the survey
Overview
- What is Reverse DNS?
- Principles of the DNS Tree
- Creating Reverse Zones
- PTR Records
- IPv6 Reverse Lookups
- Managing Reverse DNS
- Reverse Delegation Procedures
- Whois Domain Objects

What is Reverse DNS?
- Forward DNS maps names to numbers: svc00.apnic.net -> 202.12.28.131
- Reverse DNS maps numbers to names: 202.12.28.131 -> svc00.apnic.net
Uses of Reverse DNS
- Service denial: only allow access when the client address is fully reverse delegated (e.g. anonymous FTP)
- Diagnostics: assists in network troubleshooting (e.g. traceroute shows names instead of bare addresses)
- Spam identification: a reverse lookup is used to confirm the source of the email; a failed lookup adds to an email's spam score

Reverse DNS Tree (mapping numbers to names)
Diagram of the DNS tree from the root: the forward branches net, org and com (with apnic, iana, whois, www and training beneath them) sit alongside the arpa branch, which descends arpa -> in-addr -> 202 -> 64 -> 22, giving the reverse zone 22.64.202.in-addr.arpa. with hosts ws1 and ws2 below it. Other in-addr children shown: 203, 204, 210.
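The spam-identification use above is usually implemented as a forward-confirmed reverse DNS (FCrDNS) check: look up the PTR for the connecting address, then look up the returned name and confirm it points back to the same address. The Python below is an added example, not part of the APNIC slides; it runs the check against a constructed in-memory stand-in for the resolver, so the record data and the score weights are assumptions for illustration.

```python
import ipaddress

# Constructed stand-in for a DNS resolver: query name -> record type -> answers.
# A real mail filter would issue PTR and A/AAAA queries here instead.
CONSTRUCTED_DNS = {
    # Fully consistent: PTR and forward record agree (addresses from the slides).
    "131.28.12.202.in-addr.arpa.": {"PTR": ["svc00.apnic.net."]},
    "svc00.apnic.net.": {"A": ["202.12.28.131"]},
    # PTR exists but the name resolves to a different address: not confirmed.
    "5.0.0.192.in-addr.arpa.": {"PTR": ["mail.example.net."]},
    "mail.example.net.": {"A": ["192.0.2.9"]},
    # 198.51.100.7 deliberately has no PTR record at all.
}


def lookup(name, rtype):
    """Return the answer list for (name, rtype) from the constructed resolver."""
    return CONSTRUCTED_DNS.get(name, {}).get(rtype, [])


def fcrdns_check(ip_str):
    """Forward-confirmed reverse DNS for one connecting address.

    Returns (status, hostname): status is "confirmed" when a PTR name resolves
    back to the address, "mismatch" when PTR names exist but none do, and
    "no-ptr" when the reverse lookup fails entirely.
    """
    ip = ipaddress.ip_address(ip_str)
    reverse_name = ip.reverse_pointer + "."      # e.g. 5.0.0.192.in-addr.arpa.
    ptr_names = lookup(reverse_name, "PTR")
    if not ptr_names:
        return "no-ptr", None
    forward_type = "A" if ip.version == 4 else "AAAA"
    for host in ptr_names:
        forward = {str(ipaddress.ip_address(a)) for a in lookup(host, forward_type)}
        if str(ip) in forward:
            return "confirmed", host
    return "mismatch", ptr_names[0]


# Constructed score weights: a failed or inconsistent lookup raises the spam score.
SPAM_SCORE = {"confirmed": 0.0, "mismatch": 1.5, "no-ptr": 2.5}


def spam_score(ip_str):
    """Contribution of the FCrDNS result to the message's spam score."""
    status, _ = fcrdns_check(ip_str)
    return SPAM_SCORE[status]
```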
Reverse DNS Tree with IPv6
Diagram of the same tree with the arpa branch extended: beside in-addr (holding IPv4, e.g. 202 and 203 -> 64 -> 22) sits ip6, which holds the IPv6 reverse tree as specified in RFC 3152; the older int branch is also shown.

Creating Reverse Zones
- Same as creating a forward zone file
- SOA and initial NS records are the same as in the forward zone
- Create additional PTR records
- In addition to the forward zone files, you need the reverse zone files
- Example: for a reverse zone on a 203.176.189.0/24 block, create a zone file and name it db.203.176.189 (make the name descriptive)
Start of Authority (SOA) record

    Domain_name. CLASS SOA hostname.domain.name. mailbox.domain.name. (
        Serial Number
        Refresh
        Retry
        Expire
        Minimum TTL )

- Serial Number: must be updated if any changes are made in the zone file
- Refresh: how often a secondary will poll the primary server to see if the serial number for the zone has increased
- Retry: if a secondary was unable to contact the primary at the last refresh, wait the retry value before trying again
- Expire: how long a secondary will still treat its copy of the zone data as valid if it can't contact the primary
- Minimum TTL: the default TTL (time-to-live) for resource records (since RFC 2308 resolvers use this field as the negative-caching TTL, which is why the zone example later labels it "neg. answ. ttl")

TTL Time Values
- The right value depends on your domain
- Recommended time values for a TLD (based on RFC 1912):

    Refresh  86400    (24h)
    Retry    7200     (2h)
    Expire   2592000  (30d)
    Min TTL  345600   (4d)

- For other servers, optimize the values based on:
  - Frequency of changes
  - Required speed of propagation
  - Reachability of the primary server
  - (and many others)
Pointer (PTR) Records
- Create a pointer (PTR) record for each IP address:

    131.28.12.202.in-addr.arpa.  IN  PTR  svc00.apnic.net.

  or, relative to the zone origin 28.12.202.in-addr.arpa.:

    131  IN  PTR  svc00.apnic.net.

IPv6 Reverse Lookups: PTR records
- Similar to the IPv4 reverse record, but one label per hex nibble of the fully expanded address, in reverse order:

    b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.  IN  PTR  test.ip6.example.com.

- Example: reverse name lookup for a host with address 3ffe:8050:201:1860:42::1 (the /64 prefix forms the zone origin, the remaining 16 nibbles the owner name):

    $ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa.
    1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0  14400  IN  PTR  host.example.com.
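As an added example (not from the slides), the Python below builds the in-addr.arpa and ip6.arpa owner names shown above from a plain address, splits them into $ORIGIN and relative owner at a zone boundary the way the /64 example does, and expands a $GENERATE-style range like the one in the reverse zone example that follows. It uses only the standard library; the addresses and names are the slides' own.

```python
import ipaddress


def reverse_name(address):
    """Owner name under in-addr.arpa (IPv4) or ip6.arpa (IPv6) for an address.

    IPv4: the four octets in reverse order.
    IPv6: all 32 hex nibbles of the fully expanded address in reverse order,
    one label per nibble, so leading zeros in each group are kept.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # exactly 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def split_at_prefix(address, prefixlen):
    """Split the reverse name into ($ORIGIN, relative owner) at a prefix length.

    Plain reverse zones are cut on label boundaries: every 8 bits for IPv4,
    every 4 bits (one nibble) for IPv6. A /64 therefore yields a 16-label
    origin and a 16-label owner, matching the ip6.arpa example.
    """
    ip = ipaddress.ip_address(address)
    bits_per_label = 8 if ip.version == 4 else 4
    if prefixlen % bits_per_label:
        raise ValueError("prefix length must fall on a label boundary")
    labels = reverse_name(address).rstrip(".").split(".")
    n_host = (ip.max_prefixlen - prefixlen) // bits_per_label
    return ".".join(labels[n_host:]) + ".", ".".join(labels[:n_host])


def ptr_record(address, hostname, prefixlen, ttl=14400):
    """Render the PTR record as it would appear in the zone for that prefix."""
    origin, owner = split_at_prefix(address, prefixlen)
    return f"$ORIGIN {origin}\n{owner} {ttl} IN PTR {hostname}"


def generate_ptrs(first, last, template):
    """Expand a range the way BIND's $GENERATE does: each '$' becomes the number."""
    return [f"{i} PTR {template.replace('$', str(i))}" for i in range(first, last + 1)]


if __name__ == "__main__":
    print(reverse_name("202.12.28.131"))
    print(reverse_name("4321:0:1:2:3:4:567:89ab"))
    print(ptr_record("3ffe:8050:201:1860:42::1", "host.example.com.", 64))
    print("\n".join(generate_ptrs(65, 67, "host$.company.org.")))
```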
Reverse Zone Example

    $ORIGIN 1.168.192.in-addr.arpa.
    @    3600  IN  SOA  test.company.org. sys\.admin.company.org. (
                        2002021301  ; serial
                        1h          ; refresh
                        30M         ; retry
                        1W          ; expiry
                        3600 )      ; neg. answ. ttl
               NS   ns.company.org.
               NS   ns2.company.org.
    1          PTR  gw.company.org.
               PTR  router.company.org.   ; second PTR for the same address
    2          PTR  ns.company.org.
    ;auto generate: 65 PTR host65.company.org
    $GENERATE 65-127 $ PTR host$.company.org.

Managing Reverse DNS
- APNIC manages reverse delegation for both IPv4 and IPv6
- Before you register your domain objects, you need to ensure that your reverse zones have been configured and loaded in your DNS name servers.
- APNIC does not host your DNS name servers or configure your reverse zone files.
- APNIC only delegates the authority for your reverse zones to the DNS name servers you provide through your domain objects.
Reverse Delegation Requirements
- /24 delegations
  - Address blocks should be delegated
  - At least one name server
- /16 delegations
  - Same as /24 delegations
  - APNIC delegates the entire zone to the member
- Delegations smaller than /24
  - Not supported at the RIR level
  - See classless in-addr.arpa delegation (RFC 2317)

Reverse Delegation Procedures
- Create a whois object for the reverse zone (this can be done in MyAPNIC)
- Verify the nameserver and domain setup before submitting to the database
- Provide the FQDN of two nameservers
- Provide the maintainer password (used to protect objects)
APNIC & LIR Responsibilities
- APNIC
  - Manage reverse delegations of address blocks distributed by APNIC
  - Process requests for reverse delegation of network allocations
- LIRs and members
  - Be familiar with APNIC procedures
  - Ensure that addresses are reverse-mapped
  - Maintain nameservers for allocations
  - Keep accurate records in the database

Reverse Delegation Procedures
- Menu path: Resources > IPv4 / IPv6 > Bulk reverse delegations
- Input your IP address block here
- At least one DNS server (FQDN)
- Maintainer password
Whois domain object
The slide's callouts label the domain attribute as the reverse zone, admin-c/tech-c/zone-c as contacts, the nserver attributes as nameservers and mnt-by/mnt-lower as maintainers:

    domain:     28.12.202.in-addr.arpa
    descr:      in-addr.arpa zone for 28.12.202.in-addr.arpa
    admin-c:    NO4-AP
    tech-c:     AIC1-AP
    zone-c:     NO4-AP
    nserver:    cumin.apnic.net
    nserver:    tinnie.apnic.net
    nserver:    tinnie.arin.net
    mnt-by:     MAINT-APNIC-AP
    mnt-lower:  MAINT-AP-DNS
    changed:    inaddr@apnic.net 20021023
    changed:    inaddr@apnic.net 20040109
    changed:    hm-changed@apnic.net 20091007
    changed:    hm-changed@apnic.net 20111208
    source:     APNIC

APNIC Helpdesk Chat
Questions
- Please remember to fill out the feedback form: https://www.surveymonkey.com/r/apnic-20151007-el1
- Slide handouts will be available after completing the survey

Thank You!
END OF SESSION