#1
DNS/BIND Guru
Devshed Specialist (4000 - 4499 posts)
Join Date: Jun 2003
Location: OH, USA
Posts: 4,266
Rep Power: 173

    Generic DNS references and tips


    This thread is dedicated to non-server specific information. My goal here is to provide access to everything I know concerning DNS.

    Post Index:

    --RFC References
The RFC is where everything begins. Protocols and internet practices, for example, are proposed and standardized in RFCs. This post gives you a list of DNS related RFCs. It is an ongoing post, up for constant modification.

    --RDNS (Reverse DNS)
    What is it, how does it work, why does that mail server not accept emails from your server?

--Do dynamic IPs really stop you from hosting your own dns server?
This informative article describes the difficulties involved in hosting dns servers on dynamic IPs, as well as giving a good description of how domains are resolved on the internet.

    --Fighting DoS attacks with the domain name system
    This article describes one form that DoS attacks take and how to stop it at the DNS server. It goes into specifics on how to configure BIND to do this.

    --Fighting spam with SPF records
This article teaches you how SPF records work, and how to create them, in an easy to understand tutorial. For full information on SPF visit the spf.pobox.com website.

    --Getting a custom hostname on IRC via IPv6
    This article describes the general technique and references for further information on setting up IPv6 tunneling. Not only will you be able to connect to hosts on the IPv6 internet, but you can have a custom hostname to show off on IPv6 IRC servers.

    --Classless delegation of reverse dns
    This article explains how you can delegate a custom range of IP addresses to another dns server. It also discusses BIND's non-standard $GENERATE zone file format extension.
    Last edited by SilentRage; October 2nd, 2005 at 03:32 AM. Reason: Added: Classless delegation of reverse dns
    Send me a private message if you would like me to setup your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/setup fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links:

    Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts
#2

    RFC References


    Topic Index
    The abridged list of RFC references to help you find what you're looking for.

    -- DNS: Domain Name System
    RFC 1034 - How it works
    RFC 1912 - Common DNS Operational and Configuration Errors
    RFC 2181 - Clarifications to the DNS Specification
    ^^^^^^- Section 10.1: When you should NOT use the CNAME record
    RFC 2308 - DNS NCACHE: Caching of negative responses
    RFC 2317 - Classless IN-ADDR.ARPA delegation
    RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
    RFC 3597 - Handling of Unknown DNS Record Types

    -- EDNS: Extending the Domain Name System
    RFC 2671 - Extension Mechanisms for DNS (EDNS0)
    RFC 3225 - Indicating Resolver Support of DNSSEC
    RFC 3226 - DNSSEC and A6 message size requirements

    -- DNSSEC: Securing the Domain Name System
    RFC 3833 - Threat Analysis of the Domain Name System (DNS)
    RFC 4033 - DNS Security Introduction and Requirements
    RFC 4034 - Resource Records for the DNS Security Extensions
    RFC 4035 - Protocol Modifications for the DNS Security Extensions
    RFC 2931 - Request and Transaction Signatures (SIG(0)s)
    RFC 3007 - Secure DNS Dynamic Update
    RFC 3225 - Indicating Resolver Support of DNSSEC

    -- DNSSEC: Algorithms used in the Domain Name System
    RFC 1321 - MD5
    RFC 2104 - HMAC
    RFC 2537 - RSA/MD5
    RFC 2539 - Diffie-Hellman
    RFC 2536 - DSA/SHA-1
    RFC 3110 - RSA/SHA-1
    RFC 3548 - The Base16, Base32, and Base64 Data Encodings

    -- DNS RECORD: Master file format (if applicable) and protocol specification
    RFC 1035 - A, NS, CNAME, SOA, MB, MG, MR, WKS, PTR, HINFO, MINFO, MX, TXT, AXFR, ANY
    RFC 1183 - RP, ISDN, AFSDB, X25, RT
    RFC 1876 - LOC
    RFC 2782 - SRV
    RFC 2915 - NAPTR
    RFC 2930 - TKEY
    RFC - SPF over TXT

    -- DNS NOTIFY: Updating slaves with master zone changes instantly
    RFC 1996 - How it works and protocol specification

    -- DNS UPDATE: The DNS protocol solution to dynamic DNS
    RFC 2136 - How it works and protocol specification
    RFC 2137 - Securing Dynamic DNS (out-of-date, but I found it very helpful)
    RFC 3007 - Securing Dynamic DNS: the DNSSEC update
    RFC 2845 - TSIG protocol specification (See: DNSSEC: Algorithms)

    -- DNS & IPv6: A6 or AAAA? nibble or bitstring format?
    RFC 3596 - AAAA solution for domain to IPv6 resolution
    RFC 2874 - A6 solution for domain to IPv6 resolution
    RFC 2673 - Bitstring format specification for IPv6 to domain resolution
    RFC 3152 - Nibble format specification for IPv6 to domain resolution
    RFC 3363 - Deprecation of A6 and Bitstring
    RFC 3364 - Pros and Cons in the still hot debate on how to do forward and reverse IPv6 resolution

    -- DNS & ENUM (Original Standard)
    RFC 2915 - The Naming Authority Pointer (NAPTR) DNS Resource Record
    RFC 2916 - E.164 number and DNS

    -- DNS & ENUM (Current Standard)
    RFC 3401 - Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS
    RFC 3402 - Dynamic Delegation Discovery System (DDDS) Part Two: The Algorithm
    RFC 3403 - Dynamic Delegation Discovery System (DDDS) Part Three: The DNS Database
    RFC 3404 - Dynamic Delegation Discovery System (DDDS) Part Four: The Uniform Resource Identifiers (URI)
    RFC 3405 - Dynamic Delegation Discovery System (DDDS) Part Five: URI.ARPA Assignment Procedures
    RFC 3761 - The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)

    Title Index
The unabridged up-to-date RFC reference list. Obsoleted RFCs are not mentioned.

    RFC 1032 - Domain Administrators Guide
    RFC 1033 - Domain Administrators Operations Guide
    RFC 1034 - Domain Names - Concepts and Facilities
    RFC 1035 - Domain Names - Implementation and Specification
    RFC 1912 - Common DNS Operational and Configuration Errors
    RFC 1995 - Incremental Zone Transfer
    RFC 1996 - A Mechanism for Prompt Notification of Zone Changes
    RFC 2136 - Dynamic Updates in the DNS
    RFC 2181 - Clarifications to the DNS Specification
    RFC 2308 - Negative Caching of DNS Queries
    RFC 2317 - Classless IN-ADDR.ARPA delegation
    RFC 2536 - DSA KEYs and SIGs in the DNS
    RFC 2539 - Storage of Diffie-Hellman Keys in the DNS
    RFC 2671 - Extension Mechanisms for DNS (EDNS0)
    RFC 2673 - Binary Labels in the DNS
    RFC 2845 - Secret Key Transaction Authentication for DNS
    RFC 2874 - DNS Extensions to Support IPv6 Address Aggregation and Renumbering
    RFC 2930 - Secret Key Establishment for DNS
    RFC 2931 - Request and Transaction Signatures (SIG(0)s)
    RFC 3007 - Secure DNS Dynamic Update
    RFC 3110 - RSA/SHA-1 SIGs and RSA KEYs in the DNS
    RFC 3152 - Delegation of IP6.ARPA
    RFC 3225 - Indicating Resolver Support of DNSSEC
    RFC 3226 - DNSSEC and A6 message size requirements
    RFC 3263 - Session Initiation Protocol: Locating SIP Servers
    RFC 3363 - Representing Internet Protocol version 6 Addresses in the DNS
    RFC 3364 - Tradeoffs in DNS Support for Internet Protocol version 6
    RFC 3403 - Dynamic Delegation Discovery System (DDDS) Part Three: The DNS Database (DS)
    RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
    RFC 3596 - DNS Extensions to Support IP Version 6
    RFC 3597 - Handling of Unknown DNS Record Types
    RFC 3761 - The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)
    RFC 3833 - Threat Analysis of the Domain Name System (DNS)
    RFC 4025 - A Method for Storing IPsec Keying Material in DNS
    RFC 4033 - DNS Security Introduction and Requirements
    RFC 4034 - Resource Records for the DNS Security Extensions
    RFC 4035 - Protocol Modifications for the DNS Security Extensions
    Last edited by SilentRage; September 18th, 2005 at 06:42 PM. Reason: Added IDNA rfc 3490
#3

    RDNS (Reverse DNS)


Some of you may be wondering what it is, how it works, or why you even need to know about it. Sometimes mail servers will reject your email with some cryptic error about RDNS or reverse dns. When making an nslookup on your name server it may whine about not finding the server name. Well, here it is all explained, as well as how to make it work for you.

    What is Reverse DNS
    Very simple concept. Normally you resolve domains to IP addresses. Reverse DNS is resolving IPs to domains.

    How does Reverse DNS work?
Since the domain name system is domain based, the IP has to be converted to a special domain. This is also where the 'reverse' comes from. You actually reverse the IP and append a special domain root. To resolve 127.0.0.1 to an IP address it must first be converted to 1.0.0.127.in-addr.arpa. Then that special domain can be queried in the domain name system in the same way a normal domain is queried. The only difference is that instead of receiving 'A' record(s) pointing to IP address(es), you get 'PTR' record(s) pointing to domain(s).

    What is RDNS?
RDNS as a term is more than just reverse dns. It is a technique; a means by which you verify that a given domain is valid in the domain name system. In a perfect world, all valid domains would resolve to IP addresses that resolve back to the original domain. Mail servers do this to try to hold back the wave of spam. The theory is, they aren't getting mail from a proper mail server if that mail server's IP doesn't resolve to the sending mail server's domain. So people who don't set up proper reverse dns for their mail server IP will have trouble sending mail from their server.

    How do I make it work?
There are a couple of ways. First of all, where did you get your IP? Is it a static IP given to you by your ISP or is it an IP on a dedicated server that you've leased? Was the IP granted to you by your school or the company you work for? Whichever it may be, that is the agency that is most likely responsible for what that IP resolves to. So feel free to contact them about having your IP resolve to the name of your mail server. There's also a more authoritative way to find out exactly what server is in charge of resolving that IP. Query the domain name system. Here's an example for my dedicated server IP using DNS Crawler. I entered the IP in the 'name' field and pressed "Reverse IP" to automatically format it.

    dig -x 216.117.186.93

    Take special note of the 'authority' section. It appears the domain is hosted on the following servers:

    ns0.aitcom.net
    ns1.aitcom.net
    ns2.aitcom.net

    Since I got my dedicated server from AIT it's a good bet that they are the people I need to talk to to get my IP resolving to my mail server domain. When I sent them the email, I described both options that they have for helping me.

#1: Delegate resolution for that IP to my dedicated server. That way I set up a reverse IP zone for that IP and have it resolve to whatever I want.

    #2: They edit their dns server configuration and change the resolution from "nameservices.net" to "mail.dollardns.net". This is the option that they chose. I didn't really care either way.

    How do I make sure it works?
    Well, this is what I would do using DNS Crawler. First you start out with a blank slate, enter 'mail.dollardns.net' (or whatever your mail server is called) and press 'Submit Query'.

    dig mail.dollardns.net

    And it resolved to an IP just nicely. Now click on that IP to see what it resolves to.

    dig -x 216.117.186.93

    And it resolved back to mail.dollardns.net. Just for humor's sake, let's click on 'mail.dollardns.net'.

    dig mail.dollardns.net any

And we're back where we started. That is how things are supposed to work. Mail servers have nothing to complain about as long as they don't specifically block your mail server.

    How do I make sure sending mail from my server isn't rejected?

    1) Configure the mail server to announce itself as the correct mail server domain.
    2) Make sure your mail server domain resolves to your mail server IP.
    3) Make sure your mail server IP resolves to your mail server domain.

    MX records can point to any domain you want as long as the domain points to your mail server's IP.
    Last edited by SilentRage; June 19th, 2004 at 12:21 AM.
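The reverse-name construction and the forward-confirmed check described in the post above, as an added Python example; it is not code from the original post. The record tables are constructed for the example (the mail.dollardns.net / 216.117.186.93 pair mirrors the post, the rest are documentation names and addresses) and stand in for live DNS, so nothing here touches the network.

```python
"""Reverse DNS: build the PTR query name and run a forward-confirmed check.

Added example, not code from the original post. The record tables below
are constructed for this example and stand in for live DNS answers.
"""
import ipaddress


def reverse_name(address):
    """PTR query name for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]          # 127.0.0.1 -> 1.0.0.127
        return ".".join(labels) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")         # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed records (no network lookups). The dollardns.net pair mirrors
# the post's example; the others use documentation names and addresses.
A_RECORDS = {
    "mail.dollardns.net.": ["216.117.186.93"],
    "mail.example.org.": ["192.0.2.25", "2001:db8::25"],
    "badhelo.example.org.": ["198.51.100.9"],
}
PTR_RECORDS = {
    reverse_name("216.117.186.93"): ["mail.dollardns.net."],
    reverse_name("192.0.2.25"): ["mail.example.org."],
    reverse_name("2001:db8::25"): ["mail.example.org."],
    reverse_name("198.51.100.9"): ["other.example.org."],   # PTR names a different host
}


def fcrdns(address, announced_host, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Forward-confirmed reverse DNS, the check picky mail servers apply.

    address        -- the connecting client's IP
    announced_host -- the name the client gave in HELO/EHLO (step 1 of the post's list)
    Returns (accepted, reason). Accepted only if the IP has a PTR naming the
    announced host (step 3) AND that host resolves back to the same IP (step 2).
    """
    host = announced_host.lower().rstrip(".") + "."
    ptr_names = [n.lower() for n in ptr_records.get(reverse_name(address), [])]
    if not ptr_names:
        return False, "no PTR record for " + address
    if host not in ptr_names:
        return False, "PTR gives %s, not the announced %s" % (", ".join(ptr_names), host)
    ip = ipaddress.ip_address(address)
    forward = [ipaddress.ip_address(a) for a in a_records.get(host, [])]
    if ip not in forward:
        return False, "%s does not resolve back to %s" % (host, address)
    return True, "ok"


if __name__ == "__main__":
    for ip, helo in [("216.117.186.93", "mail.dollardns.net"),
                     ("198.51.100.9", "badhelo.example.org"),
                     ("203.0.113.1", "mail.example.org")]:
        print(ip, reverse_name(ip), fcrdns(ip, helo))
```

The three cases in the usage block are the three ways the post's checklist fails in practice: everything lines up, the PTR exists but names a host other than the one announced in HELO, and no PTR at all. Against a real server, `dig -x <ip>` followed by `dig <ptr-target>` is the same pair of lookups.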
#4

Do dynamic IPs really stop you from hosting your own dns server?


    The beginning of domain resolution is the root. All DNS servers come with a statically defined reference to these root dns servers. The reference includes domains and IPs so that the root servers themselves don't need to be resolved. You just communicate with them by IP and figure out what other domains resolve to.

    The root servers

    The root servers don't actually know anything about specific domains however. But they DO take a look at what TLD your domain ends with and will tell you where to look for more information on your query. In the below example, the root servers determine that you queried a "NET" domain and gives you the list of "NET" servers you can ask about the domain.

    Querying the root for www.dollardns.net's IP

    This is where the registration information kicks in. Querying one of the registry servers for your domain TLD gives the list of dns servers you configured at your registrar.

    Querying .NET registry name server for www.dollardns.net's IP

So there you have it. See those IPs assigned to those dns server domains in the additional section? But what if that was a dynamic IP that changed? The only way to update the information above is by changing the information at my registrar. And how long does it take for the changes to get from their webpage to the registry dns servers? Very little time actually; usually less than 5 minutes. What about those resolvers who cached your old IP for a couple of days? If your IP changes once a week, that spells out about 5 days online a week for frequent or unlucky customers. That's sick. That's almost 8 days you're offline a month. That's why I say if your IP changes more than once a month, then the downtime is unacceptable. You shouldn't host your own dns server all by yourself. There are special solutions for being able to host your own server on a frequently changing IP, but services like dyndns.org aren't going to be able to provide them.

    So in conclusion, you can't host a dns server on a dynamic IP that changes more than once a month without serious downtimes. However, if you were to use a delegation service on a static IP dns server, you could make it happen.
    Last edited by SilentRage; March 11th, 2005 at 11:20 AM. Reason: Updated some obsolete references
#5

    Fighting DoS attacks with the domain name system


    Background

One of the most common forms of DoS (Denial of Service) attacks is a hacker or kiddie commanding a fleet of computers to flood a victim with traffic. It doesn't matter if the port that's being targeted is open or closed, the idea is that the computer or gateway will be so flooded with traffic that it won't be able to handle the load, and normal traffic will slow down drastically or even halt.

    A hacker accomplishes this via a couple of methods. One of the most common is scanning the internet for exploitable computers and automatically breaking into them for later use. Another method seen in the past is a virus that automates that entire process with a time trigger to force all infected machines to flood the victim.

Regardless of the technique, one thing remains true. Your dns server can save you. Once an effective battle plan using your dns server is in place, protecting against DoS attacks is, depending on the circumstances, cheaper and more effective than filtering the traffic at a high bandwidth gateway or simply purchasing more bandwidth.

    Domain Attacks

    The most common attack is against a domain. Each computer drone resolves the domain and sends a flood of traffic to the resulting IP address. When the attack begins, this is what you need to do:

If you have forewarning, set the TTL to 5 min or some other appropriately low value.

    1) Get a list of IPs from your dns server query logs that are doing domain resolution for the attackers.
    2a) Configure your dns server to not respond to those addresses. BIND supports this feature with the blackhole options configuration directive. OR...
    2b) Configure your domain to not allow queries from those addresses. BIND supports this feature with the allow-query zone configuration directive.

    At this point the DNS server will not give out IP information to those IP addresses. Any new domain resolution requests will fail and the computer won't be able to attack the machine.

    IP Attacks

    But what if they've already resolved the domain and are just flooding the IP? Or what if the attack was directed at the IP address in the first place?

    1) Change the IP address of your server. Either configure a different IP for the same machine, or have a mirrored backup server available on a network unaffected by the attack.
    2) Change the IP address that your domain resolves to on the server. Set it to a low TTL so that all further changes take effect more quickly until the crisis is over.

    At this point all normal traffic will be directed to the backup server while you wait for the flood against the primary to stop.

    Conclusion

I host other people's domains, and once, I saw some massive query logs. Checking the logs I determined that one of my clients was going through a DoS attack. I checked my bandwidth and it was barely being used. Domain resolution takes very little traffic, so a dns server is far more capable of handling the indirect consequences of a DoS attack than the actual target is.

    This technique is not a universal solution, but was designed and written to encourage you to consider the domain name system in DoS defense. There's room for creativity, for example, it doesn't HAVE to be the dns server that filters the DNS traffic. Filter the DNS traffic at the gateway to keep the dns server in optimal condition.
    Last edited by SilentRage; July 24th, 2004 at 04:04 PM.
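Step 1 and the two variants of step 2 from the post above, as an added Python example (not the poster's own script): pick the clients that keep resolving the attacked name out of a BIND query log and emit the matching named.conf fragment. The log lines are constructed in the BIND 9 query-log style; the addresses, zone name and threshold are assumptions for the example.

```python
"""Pick flooding clients out of a BIND query log and emit the blocking config.

Added example, not the original poster's script. The log lines are
constructed in BIND 9 query-log format; the named.conf fragments follow
the post's two options (global blackhole vs. per-zone allow-query).
"""
import re
from collections import Counter

# Matches both the classic "client IP#port: query:" line and the newer
# "client @0x... IP#port (name): query:" form.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def _log_line(ip, port, name):
    """Constructed query-log line in BIND 9 format (sample data, not a real log)."""
    return ("24-Jul-2004 16:00:00.000 queries: info: client %s#%d: "
            "query: %s IN A + (192.0.2.53)" % (ip, port, name))


SAMPLE_LOG = "\n".join(
    [_log_line("198.51.100.7", 4000 + i, "www.example.net") for i in range(4)]
    + [_log_line("198.51.100.8", 5000 + i, "www.example.net") for i in range(3)]
    + [_log_line("203.0.113.5", 6000, "www.example.net"),      # one legitimate lookup
       _log_line("198.51.100.7", 4100, "mail.example.net")]    # other name, not counted
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every query line in the log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")


def find_flooders(log_text, victim, threshold):
    """Client IPs that resolved `victim` at least `threshold` times."""
    victim = victim.rstrip(".").lower()
    counts = Counter(ip for ip, name, _ in parse_queries(log_text) if name == victim)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def blackhole_config(ips):
    """Option 2a: 'options' block; named ignores every packet from these IPs."""
    entries = "".join("        %s;\n" % ip for ip in ips)
    return "options {\n    blackhole {\n%s    };\n};\n" % entries


def allow_query_config(zone, ips):
    """Option 2b: deny only this zone to the flooders; everyone else still resolves it."""
    denied = " ".join("!%s;" % ip for ip in ips)
    return ('zone "%s" {\n    type master;\n    file "%s.zone";\n'
            '    allow-query { %s any; };\n};\n' % (zone, zone, denied))


if __name__ == "__main__":
    bad = find_flooders(SAMPLE_LOG, "www.example.net", threshold=3)
    print(blackhole_config(bad))
    print(allow_query_config("example.net", bad))
```

Choose the threshold relative to the zone's TTL: a client that asks for the same name many times inside one TTL is not caching and is therefore either broken or part of the flood. The addresses in a query log are the resolvers the drones use, not the drones themselves, so a busy shared ISP resolver can end up on the list; read it before it goes into named.conf, prefer the per-zone `allow-query` form when in doubt, and apply the change with `rndc reconfig`.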
#6

    Fighting spam with SPF records


    Introduction

There are all kinds of anti-spam techniques out there, and SPF is one of them. The theory behind it was inspired by a paper produced by the force behind the BIND dns server, Paul Vixie. The theory is that there are already records (MX) that specify who to send mail to; you could also create records that specify who to expect mail from. With this information a server can verify that it received an email from a valid source. This stymies attempts by forgers to send mail from false aol.com addresses, for example. This could be very important for protecting your reputation, because it would look very bad for people to get spam from your business email addresses!

SPF is one of the growing standards that has taken that theory to heart. Already many major brands of email software support SPF records. Major organizations like Microsoft, Google, and AOL have placed their stamp of approval on SPF. You can do your part by denying forgers the use of your domain to send mail by creating an SPF record.

    How it works

Here are some details about an example of how joe tried to send a forged spam email. (note: all information is fictitious except dollardns.net really does implement SPF protection and AOL really does implement SPF verification)

    1) joe's IP is 127.0.0.1
    2) From address: bob@dollardns.net
    3) To address: victim@aol.com

Joe connects to the AOL mail server to try to send the forged email. One of the first things joe sends is this line:

    MAIL FROM:<bob@dollardns.net>

    The mail server will then validate whether joe may send the email from that address. It will then perform this kind of query to the DollarDNS dns server:

    dig dollardns.net txt

It will then take joe's IP (127.0.0.1) and see if it matches one of the terms in the SPF record. But it doesn't: the ip4 terms say that only 216.117.186.93 and 216.117.174.208 may send mail from dollardns.net email addresses. Upon failing the match, the "-all" term says to drop the email because it must be spam. The server gives a failure response to joe and refuses to deliver the email. Yes, that's right, the actual email body with whatever attachments is never downloaded, saving on bandwidth.

    How to create an SPF record

    The SPF format is described and a wizard for generating them is provided on the spf.pobox.com website. It's designed to be extremely flexible, and for this reason, can be confusing. So for the purposes of this tutorial, I'll pretend you have only 2 options (the 2 implementation strategies I personally prefer). First of all, you need to create a TXT record for your mail domain. If your mail domain is example.com, then you create the following record:

    example.com. TXT "v=spf1 -all"

    IP Based Validation

The DollarDNS SPF record you saw above is an example of IP based validation. Basically I provided a list of mail server IPs that are allowed to send mail from email addresses using the dollardns.net domain. You can have 1 to however many IPs you want. You may even use subnet ranges using CIDR notation as shown in the AOL example below:

    dig aol.com txt

    So between the DollarDNS and AOL examples, you should now know how to use IP based validation in your SPF records.

    MX based validation

This is a one size fits all solution for the many who use the same server to send and receive mail for a given domain. You don't need to hardcode IP addresses or domains that are permitted to send mail for your mail domain. All you do is specify an SPF record like this:

    example.com. TXT "v=spf1 mx -all"

    This means the domains listed in all of your MX records are permitted to send mail for *@example.com as well.

    Other examples:

    dig gmail.com txt
    dig dnsreport.com txt
    dig hushmail.com txt
    Last edited by SilentRage; December 1st, 2004 at 01:26 PM. Reason: No, you don't spell stymies as stimies
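The receiving server's side of the exchange in the post above (fetch the TXT record after MAIL FROM, walk the terms, stop at the first match), as an added Python example; it is not code from the post or from the SPF project. It handles only the terms the post uses (ip4, ip6, a, mx, all, with the +/-/~/? qualifiers), so it is a teaching model rather than a full RFC 7208 checker: no include, redirect, exists, ptr or macros. The record table is constructed: the dollardns.net entry mirrors the post's description, the rest are documentation names and addresses.

```python
"""Minimal SPF (v=spf1) evaluation over a constructed record table.

Added example, not code from the post or from the SPF project. Supports the
mechanisms the post uses (ip4, ip6, a, mx, all with +/-/~/? qualifiers); no
include, redirect, exists, ptr or macros, so it is not a full RFC 7208 checker.
"""
import ipaddress

# Constructed DNS data standing in for live lookups.
DNS = {
    ("dollardns.net", "TXT"): ["v=spf1 ip4:216.117.186.93 ip4:216.117.174.208 -all"],
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): [(10, "mail.example.com"), (20, "mail2.example.com")],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("mail2.example.com", "AAAA"): ["2001:db8::25"],
    ("example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("example.org", "TXT"): ["v=spf1 a -all", "v=spf1 mx -all"],   # two records: error
}

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def _host_matches(ip, host):
    """Does `host` have an A (IPv4) or AAAA (IPv6) record equal to the client IP?"""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(r) == ip for r in lookup(host, rtype))


def _mechanism_matches(mech, arg, ip, domain):
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)   # bare address == /32 or /128
        return net.version == ip.version and ip in net
    if mech == "a":
        return _host_matches(ip, arg or domain)
    if mech == "mx":
        hosts = [h for _, h in sorted(lookup(arg or domain, "MX"))][:10]  # RFC 7208 MX limit
        return any(_host_matches(ip, h) for h in hosts)
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(client_ip, sender_domain):
    """SPF result for mail from `sender_domain` delivered by `client_ip`.

    This is what the receiving server does after MAIL FROM: fetch the TXT
    record, walk the terms left to right, return the qualifier of the first
    mechanism that matches.
    """
    records = [r for r in lookup(sender_domain, "TXT")
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # RFC 7208 s4.5: more than one record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        try:
            matched = _mechanism_matches(mech, arg, ip, sender_domain)
        except ValueError:
            return "permerror"
        if matched:
            return RESULT_FOR[qualifier]
    return "neutral"                    # walked off the end without an "all" term


if __name__ == "__main__":
    # joe at 127.0.0.1 forging bob@dollardns.net, as in the post
    print(check_spf("127.0.0.1", "dollardns.net"))        # fail
    print(check_spf("216.117.186.93", "dollardns.net"))   # pass
```

Two things worth keeping in mind when you write your own record: SPF is evaluated on the envelope sender (the MAIL FROM address), not on the From: header the recipient sees, and "-all" is only as safe as your list of sending hosts is complete, since any host you forgot (a web server that sends password resets, say) will have its mail rejected outright. Publishing "~all" first and watching for softfails is the usual way to find those hosts before switching to "-all".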
#7

    Getting a custom hostname on IRC via IPv6


    You need 4 things to do what you want to do.

    1) Tunnel brokers make it possible for you to get an IPv6 block of IP addresses, and connect to hosts on the IPv6 internet. As far as I know, this service can be had for free.

    IPv6 Tunnel Brokers:
    http://www.hexago.com
    http://www.btexact.com
    http://www.xs26.net
    http://www.ipv6.sics.se
Google for "free ipv6 tunnel broker"

    2) Reverse IPv6 dns hosting

    http://www.dollardns.net
    http://freedns.afraid.org

    3) Tools to test your IPv6 configuration.

    Test IPv6 connectivity and dns configuration
    http://www.ipv6tools.com

    Test IPv6 dns configuration, not a simple test tool for IPv6 DNS neophytes
    DNS Crawler

    4) IPv6 IRC servers

    http://www.efnet.org/?module=servers
    http://linuxreviews.org/software/irc/ipv6servers/#toc1
    Last edited by SilentRage; March 11th, 2005 at 11:27 AM.
#8

    Classless delegation of reverse dns


OK, so you have a block of IP addresses and you want to delegate a subnet to another company's/department's/individual's dns server so that they can have direct control over their reverse dns. Now, if you were giving away control over an entire class D network it would be simple. For example, if your full block is "127.0.0.0/16" and you wanted to give control over "127.0.1.0/24" to ns.example.com, you would add this record to your "0.127.in-addr.arpa" zone file.

    1.0.127.in-addr.arpa. NS ns.example.com.

At that point all 127.0.1.* reverse dns queries would be delegated to that server. But, you can't hand out too many of those class D networks before you completely run out of IP space. In your router you may have routed a much smaller subnet to the entity who needs these IPs; surely there's some way to do the same with your dns server? There's no easy solution, no, but there are workarounds available. For example, let's say we are giving control over "127.0.1.2/31" to ns.example.com. We could do something like this:

    2.1.0.127.in-addr.arpa. NS ns.example.com.
    3.1.0.127.in-addr.arpa. NS ns.example.com.

    This would work perfectly fine, but what if there was more than one dns server you wanted to delegate to for redundancy? What if the subnet was something huge like /22? You would have to add a couple thousand records per dns server! Well, you can use CNAME records to reduce this a bit. Having more than one dns server will only involve 1 more record in your zone file. Take this for example:

    31/2.1.0.127.in-addr.arpa. NS ns1.example.com.
    31/2.1.0.127.in-addr.arpa. NS ns2.example.com.
    2.1.0.127.in-addr.arpa. CNAME 2.31/2.1.0.127.in-addr.arpa.
    3.1.0.127.in-addr.arpa. CNAME 3.31/2.1.0.127.in-addr.arpa.

    In the above example we clearly define a subzone that is associated with the subnet. It gets delegated to as many NS records as you want. Then you cname all of the IP addresses within that subnet to the subzone with the last octet of the IP address prepended. Now, don't think there's anything special about that forward slash. We could do this instead:

    2-3.1.0.127.in-addr.arpa. NS ns1.example.com.
    2-3.1.0.127.in-addr.arpa. NS ns2.example.com.
    2.1.0.127.in-addr.arpa. CNAME 2.2-3.1.0.127.in-addr.arpa.
    3.1.0.127.in-addr.arpa. CNAME 3.2-3.1.0.127.in-addr.arpa.

It all depends on what looks intuitive to you. Now, this solution makes it so that you only need 1 record per IP address regardless of how many dns servers you are delegating to. But you're still faced with adding a couple thousand records for a /22 subnet. This can't be helped, since there is no automatic way of telling your dns server to delegate a classless subnet to another dns server. There is one exception, however. BIND has a non-standard zone file format extension that allows you to generate similar records using an incremented number. So let's take our 127.0.0.0/16 network and delegate 127.0.4.0/22 to our example dns servers.

    Code:
    22/0.4.0.127.in-addr.arpa.	NS	ns1.example.com.
    22/0.4.0.127.in-addr.arpa.	NS	ns2.example.com.
    $GENERATE 1-254 $.4.0.127.in-addr.arpa. CNAME $.4.22/0.4.0.127.in-addr.arpa.
    $GENERATE 1-254 $.5.0.127.in-addr.arpa. CNAME $.5.22/0.4.0.127.in-addr.arpa.
    $GENERATE 1-254 $.6.0.127.in-addr.arpa. CNAME $.6.22/0.4.0.127.in-addr.arpa.
    $GENERATE 1-254 $.7.0.127.in-addr.arpa. CNAME $.7.22/0.4.0.127.in-addr.arpa.
In the above I defined 2 NS records to be authoritative over the 127.0.4.0/22 network. Then I added the $GENERATE records. These are exactly like normal records except they are prepended with a $GENERATE keyword followed by the range of numbers you want to act on. Then the alias before and the target after the CNAME type have a $ symbol to be used in place of each number within that range. I had 1 $GENERATE record per class C network that covered all the IP addresses ending with 1 through 254. Notice that the CNAME targets have the last 2 octets of the IP address prepended in reverse to the subnet name. I do this since the subnet is larger than /24 and smaller than /16.

    Here's another example using a 127.0.0.4/30 delegation: (results in 6 records in memory)

    Code:
    30/4.0.0.127.in-addr.arpa.	NS	ns1.example.com.
    30/4.0.0.127.in-addr.arpa.	NS	ns2.example.com.
    $GENERATE 4-7 $.0.0.127.in-addr.arpa. CNAME $.4.30/4.0.0.127.in-addr.arpa.
Here's the same example without CNAMEs: (results in 8 records in memory)

    Code:
    $GENERATE 4-7 $.0.0.127.in-addr.arpa. NS ns1.example.com.
    $GENERATE 4-7 $.0.0.127.in-addr.arpa. NS ns2.example.com.
    Please, if you still don't understand then let me know in the forum. I will use our discussion to make this tutorial easier to understand.

    Last edited by SilentRage; January 29th, 2007 at 12:06 PM. Reason: After all this time I found a typo
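The NS + CNAME pattern from the post above, generalised to any IPv4 prefix, as an added Python example; it is not the poster's zone files. It follows the post's naming convention for the subzone ("<prefix length>/<reversed network address>.in-addr.arpa.") and can emit either one explicit CNAME per address, as in the /31 example, or the equivalent BIND $GENERATE lines, as in the /22 and /30 examples. Unlike the post's /22 block it covers .0 and .255 of each /24 as well. The nameserver names are assumptions for the example.

```python
"""Generate RFC 2317 classless in-addr.arpa delegation records for a CIDR block.

Added example; not the poster's zone files. Uses the post's naming convention
(subzone "<prefixlen>/<reversed network address>") and emits either explicit
CNAMEs or the equivalent non-standard BIND $GENERATE directives.
"""
import ipaddress


def _reversed_octets(octets):
    return ".".join(reversed(octets))


def classless_delegation(cidr, nameservers):
    """Parent-zone records delegating reverse DNS for `cidr`, one CNAME per address.

    On an octet boundary (/8, /16, /24, /32) a plain NS delegation is enough,
    so only NS records come out; otherwise the RFC 2317 NS + CNAME pattern.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    n = net.prefixlen
    octets = str(net.network_address).split(".")
    if n % 8 == 0:
        owner = _reversed_octets(octets[: n // 8]) + ".in-addr.arpa."
        return ["%s\tNS\t%s" % (owner, ns) for ns in nameservers]
    k = n // 8                                   # octets the prefix fixes completely
    subzone = "%d/%s.in-addr.arpa." % (n, _reversed_octets(octets))
    lines = ["%s\tNS\t%s" % (subzone, ns) for ns in nameservers]
    for addr in net:                             # every address, .0 and .255 included
        o = str(addr).split(".")
        owner = _reversed_octets(o) + ".in-addr.arpa."
        # target = the octets the block does not fix (last octet first) + subzone
        lines.append("%s\tCNAME\t%s.%s" % (owner, _reversed_octets(o[k:]), subzone))
    return lines


def generate_directives(cidr, nameservers):
    """Same delegation, compressed into BIND's non-standard $GENERATE form."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    n = net.prefixlen
    if n % 8 == 0:
        return classless_delegation(cidr, nameservers)
    k = n // 8
    octets = str(net.network_address).split(".")
    subzone = "%d/%s.in-addr.arpa." % (n, _reversed_octets(octets))
    lines = ["%s\tNS\t%s" % (subzone, ns) for ns in nameservers]
    if k == 3:                                   # smaller than a /24: one range over the last octet
        first = int(octets[3])
        last = first + net.num_addresses - 1
        lines.append("$GENERATE %d-%d $.%s.in-addr.arpa. CNAME $.%s"
                     % (first, last, _reversed_octets(octets[:3]), subzone))
    else:                                        # one directive per /24 inside the block
        for sub in net.subnets(new_prefix=24):
            o = str(sub.network_address).split(".")
            lines.append("$GENERATE 0-255 $.%s.in-addr.arpa. CNAME $.%s.%s"
                         % (_reversed_octets(o[:3]), _reversed_octets(o[k:3]), subzone))
    return lines


if __name__ == "__main__":
    ns = ["ns1.example.com.", "ns2.example.com."]      # assumed nameserver names
    print("\n".join(generate_directives("127.0.4.0/22", ns)))
    print("\n".join(classless_delegation("127.0.0.4/30", ns)))
```

The other half of the setup is on the delegated server: it has to serve a zone named exactly as the NS owner (for the /22 example, "22/0.4.0.127.in-addr.arpa") whose PTR records sit at the CNAME targets, e.g. "9.5.22/0.4.0.127.in-addr.arpa.", or the chain breaks at the last hop. The slash is legal in a zone name and is what RFC 2317 shows, but some registries and tools dislike it, so the "2-3" style from the post is a safe substitute. To check a delegation end to end, `dig -x 127.0.5.9` should return the CNAME followed by the PTR from the child zone.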
