[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

	Another tighter configuration provided the provider is using atleast
BIND8 is to add the following to their 158.36.203.IN-ADDR.ARPA zone

$ORIGIN 158.36.203.IN-ADDR.ARPA.
$GENERATE 113-127 $ CNAME $.113-127
$GENERATE 1-2 113-127 NS ns$.example.com.

	In this example the BIND8 server on the provider side will generate
two (2) NS records for ns1.example.com and ns2.example.com which would in
turn resolve to the DNS servers you would use for resolving. The first 
$GENERATE lines equivilent to Joey's suggestion but it delegates the
113- sub-zone to your NS server. I found this
sub-zone declaration easier than "net152" as it specifies exactly the IPs

	With this on the provider side of DNS you then just have to deal with
setting up the appropriate 113- zone on your DNS
server to respond properly to queries.

	Jeremy T. Bouse
	UnderGrid Network Services, LLC

Joey Hess was said to been seen saying:
> Daniel Stone wrote:
> > Here's where theory and practice come into play. I only have a small chunk
> > of 203.36.158.* (113-127, afaik), so how can you DNS-delegate that? At
> > least, if there is a way, Telstra haven't figured it out yet.
> This is actually quite doable, you just need to have a clued isp[1] who
> sets up a nifty little forwarding trick in the reverse DNS. Here's an
> exmple of how my old ISP did it:
>    net152                  ns      kitenet.net.
>    153                     cname   153.net152.200.144.198.in-addr.arpa.
>    154                     cname   154.net152.200.144.198.in-addr.arpa.
>    155                     cname   155.net152.200.144.198.in-addr.arpa.
>    156                     cname   156.net152.200.144.198.in-addr.arpa.
>    157                     cname   157.net152.200.144.198.in-addr.arpa.
>    158                     cname   158.net152.200.144.198.in-addr.arpa.
> I then had to set up a zone on my dns server (kitenet.net) called 
> net152.200.144.198.in-addr.arpa just like I would have for 
> 200.144.198.in-addr.arpa if I had had the whole class C.
> It abuses bind horribly, and takes a lot of cname records on the ISP's
> side,  but it works.
> -- 
> see shy jo, whose reverse DNS doesn't resolve properly right now, horrors!
> [1] Well, I've had 3 very good isp's out of ~15 total, and only one was
>     clued enough to know how to do it, so..
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

|Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC -  www.UnderGrid.net |
|        Public PGP/GPG fingerprint and location in headers of message        |
|     If received unsigned (without requesting as such) DO NOT trust it!      |
| undrgrid@UnderGrid.net  -  NIC Whois: JB5713  -  Jeremy.Bouse@UnderGrid.net |

Attachment: pgpnYreUEPBR8.pgp
Description: PGP signature

Reply to: