Thread starter: Fun-FreeBSD

[DNS] How is a reverse-resolution domain delegated?

#41, posted 2004-09-14 02:18

Oh, thanks a lot!  ^_^

#42, posted 2004-09-14 11:23

How Reverse DNS Works
or, "Almost a Reverse DNS FAQ"
Reverse DNS turns an IP address into a hostname -- for example, it might turn 192.0.2.25 into host.example.com.
For your domains, standard DNS (turning a hostname into an IP address, such as turning host.example.com into 192.0.2.25) starts with the company (registrar) that you registered your domains with. You let them know what DNS servers are responsible for your domain names, and the registrar sends this information to the root servers (technically, the parent servers for your TLD). Then, anyone in the world can access your domains, and you can send them to any IP addresses you want. You have full control over your domains, and can send people to any IPs (whether or not you have control over those IPs, although you should have permission to send them to IPs that are not yours).

Reverse DNS works in a similar way. For your IPs, reverse DNS (turning 192.0.2.25 back into host.example.com) starts with your ISP (or whoever told you what your IP addresses are). You let them know what DNS servers are responsible for the reverse DNS entries for your IPs (or, they can enter the reverse DNS entries on their DNS servers), and your ISP gives this information out when their DNS servers get queried for your reverse DNS entries. Then, anyone in the world can look up the reverse DNS entries for your IPs, and you can return any hostnames you want (whether or not you have control over those domains, although you should have permission to point them to hostnames that are not on your domains).

So for both standard DNS and reverse DNS, there are two steps: [1] You need DNS servers, and [2] You need to tell the right company (your registrar for standard DNS lookups, or your ISP for reverse DNS lookups) where your DNS servers are located. Without Step 2, nobody will be able to reach your DNS servers.

If you can comprehend the above paragraphs (which takes some time), you'll understand the biggest problem that people have with reverse DNS entries. The biggest problem people have is that they have DNS servers that work fine with their domains (standard DNS), they add reverse DNS entries to those servers, and it doesn't work. If you understand the above paragraphs, you'll see the problem: If your ISP doesn't know that you have DNS servers to handle the reverse DNS for your IPs, they won't send that information to the root servers, and nobody will even get to your DNS servers for reverse DNS lookups.

Basic Concepts:

* Reverse DNS turns 192.0.2.25 into host.example.com (an IP address into a host name).
* Typical reverse DNS lookup path: DNS resolver => root servers => ARIN (North American IP registry) => Local ISP => Acme Inc. DNS servers.
* Whoever supplies your IP addresses (usually your ISP) MUST either [1] set up your reverse DNS entries on their DNS servers, or [2] "delegate authority" for your reverse DNS entries to your DNS servers.
* Reverse DNS entries use a host name with a reversed IP address with ".in-addr.arpa" added to it -- for example, "25.2.0.192.in-addr.arpa".
* Reverse DNS entries are set up with PTR records (whereas standard DNS uses A records), which look like "25.2.0.192.in-addr.arpa. PTR host.example.com" (whereas standard DNS would look like "host.example.com. A 192.0.2.25").
* All Internet hosts should have a reverse DNS entry (see RFC1912 section 2.1).
* Mail servers with no reverse DNS will have a hard time getting mail to certain large ISPs.

Very Common Myth:

Myth: If you have a reverse DNS entry listed in your DNS server, you have reverse DNS properly set up.
Fact: This is often not the case. You need TWO things in order to have your DNS set up properly:
1. Your DNS servers (or your ISP's) MUST have the reverse DNS entries set up ("25.2.0.192.in-addr.arpa. PTR host.example.com").
2. AND your ISP or bandwidth provider MUST set up the reverse DNS on their end, so that DNS resolvers around the world will know that your DNS servers are the ones to go to when looking up the reverse DNS for your IP addresses.

How a reverse DNS lookup is accomplished:

1. The DNS resolver reverses the IP, and adds it to ".in-addr.arpa", turning 192.0.2.25 into 25.2.0.192.in-addr.arpa.
2. The DNS resolver then looks up the PTR record for 25.2.0.192.in-addr.arpa.
3. The DNS resolver asks the root servers for the PTR record for 25.2.0.192.in-addr.arpa.
4. The root servers refer the DNS resolver to the DNS servers in charge of the Class A range (192.in-addr.arpa, which covers all IPs that begin with 192). In almost all cases, the root servers will refer the DNS resolver to a "RIR" ("Regional Internet Registry"). These are the organizations that allocate IPs. In general, ARIN handles North American IPs, APNIC handles Asian-Pacific IPs, and RIPE handles European IPs.
5. The DNS resolver will ask the ARIN DNS servers for the PTR record for 25.2.0.192.in-addr.arpa.
6. The ARIN DNS servers will refer the DNS resolver to the DNS servers of the organization that was originally given the IP range. These are usually the DNS servers of your ISP, or their bandwidth provider.
7. The DNS resolver will ask the ISP's DNS servers for the PTR record for 25.2.0.192.in-addr.arpa.
8. The ISP's DNS servers will refer the DNS resolver to the organization's DNS servers.
9. The DNS resolver will ask the organization's DNS servers for the PTR record for 25.2.0.192.in-addr.arpa.
10. The organization's DNS servers will respond with "host.example.com".

#43, posted 2004-09-14 13:48

> Typical reverse DNS lookup path: DNS resolver => root servers => ARIN (North American IP registry) => Local ISP => Acme Inc. DNS servers.

There is a small problem with that sentence:
the resolver does not query the root itself;
the resolver is just a program on the client side,
which sends its question section to the DNS server it is configured with.
If that server has the answer in its zone db or cache, it replies directly...
Otherwise, it checks whether recursion is enabled.
Only if it is does the server go and query, starting from the root servers or from the downstream NS already held in its cache.

On the difference between a resolver and a name server,
I made the same mistake myself earlier, and only had it corrected after coming to CU and discussing it with everyone.
I hope my experience saves everyone some learning cost...  ^_^

#44, posted 2004-09-14 16:48

netocool, if you have the time, I suggest you read this thread 3 to 5 times over,
to fix it in your memory and to think about what the text means; you will surely come to a deeper understanding.
Don't just look at the surface of the words.


  i=1
  while [ $i -le 255 ]; do
          # query the PTR for every address in the /24 and keep only the answer line,
          # which starts with the in-addr.arpa name (this drops dig's headers and comments)
          dig -x 202.103.166.$i | grep "^$i.166."
          i=`expr $i + 1`
  done

  result:
  153.166.103.202.in-addr.arpa. 83908 IN  PTR     dns.sipix.com.cn.
  154.166.103.202.in-addr.arpa. 83910 IN  PTR     mail.sipix.com.cn.
  155.166.103.202.in-addr.arpa. 83911 IN  PTR     dns2.sipix.com.cn.
  156.166.103.202.in-addr.arpa. 83911 IN  PTR     nat.sipix.com.cn.

So this Class C block has not set up reverse DNS for its own domain at all,
yet it has set up reverse entries for 153-156.

> But applying to have it lifted requires reverse DNS for my IP, and the telecom office says they cannot do reverse resolution for my IP, that they can only do reverse resolution for their own domain. I don't understand: since my IP was obtained from them, isn't my IP inside their domain?

Your ISP presumably is not using this domain... take this point and nail them with it.

As for
> can only do reverse resolution for their own domain

Say their domain is ggyy_isp.net.cn; that would mean, in theory, they set the reverse of every
IP to IP.ggyy_isp.net.cn, and then on some servers one might
Allow ggyy_isp.net.cn instead of writing out IPs (because the IPs are too fragmented).
But from the test above you can see that they have not done reverse DNS for their own domain at all.

I can only say your ISP is "騙肖A" (Taiwanese for lying, playing dumb):
it does not match what they themselves said. They have not set up reverse DNS for their own domain, yet they have
done it for another domain, so there is no reason not to do it for you..

PS1: Actually, if you had read carefully the big chunk I wrote earlier and thought it through, you would not
have needed to post at all and I would not have needed to reply. Also, your ISP has made a mistake similar to pku's,
but I won't be harsh about it; at least they got the reverse delegation from APNIC, which is very good compared to others.

PS2: If you can persuade the ISP to do reverse DNS for you, ask them to point to you with a CNAME rather than setting the PTR directly; then you will be able to change it yourself later on.
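To tie the lookup walk in #42 to the CNAME delegation PS2 asks for, here is an added example, my own code rather than anything from this thread or from any real resolver: a toy iterative lookup over a constructed in-addr.arpa delegation tree for the documentation prefix 192.0.2.0/24. The server names (root, rir, isp, customer) and the "25-26" sub-zone are assumptions.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """192.0.2.25 -> 25.2.0.192.in-addr.arpa. (the stdlib does the octet reversal)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lookup(servers: dict, name: str, start: str = "root", hops: int = 0):
    """Toy iterative lookup: ask `start` for `name`; follow the longest NS referral
    or a CNAME. Returns the PTR data, or None when no server on the path knows the name."""
    if hops > 10:                       # guard against a mis-delegation loop
        return None
    zone = servers[start]
    if name in zone:
        rtype, rdata = zone[name]
        if rtype == "PTR":
            return rdata
        if rtype == "CNAME":            # alias into the customer's sub-zone: restart from root
            return lookup(servers, rdata, "root", hops + 1)
    labels = name.split(".")
    for i in range(1, len(labels)):     # try the longest enclosing zone first
        rec = zone.get(".".join(labels[i:]))
        if rec and rec[0] == "NS":
            return lookup(servers, name, rec[1], hops + 1)
    return None                         # nobody authoritative: the PTR is unreachable

def build_servers(isp_delegates: bool) -> dict:
    """Constructed delegation tree for 192.0.2.0/24. Each server maps an owner name to
    one (type, data) record; NS data names the next server to ask (names are made up)."""
    customer = {   # the customer holds its PTR, under the plain name and the sub-zone name
        "25.2.0.192.in-addr.arpa.": ("PTR", "host.example.com."),
        "25.25-26.2.0.192.in-addr.arpa.": ("PTR", "host.example.com."),
    }
    isp = {}
    if isp_delegates:   # what PS2 asks for: a CNAME plus an NS for the sub-zone, no ISP-owned PTR
        isp["25.2.0.192.in-addr.arpa."] = ("CNAME", "25.25-26.2.0.192.in-addr.arpa.")
        isp["25-26.2.0.192.in-addr.arpa."] = ("NS", "customer")
    return {"root": {"192.in-addr.arpa.": ("NS", "rir")},
            "rir": {"2.0.192.in-addr.arpa.": ("NS", "isp")},
            "isp": isp, "customer": customer}

if __name__ == "__main__":
    name = reverse_name("192.0.2.25")
    print(name, "->", lookup(build_servers(False), name))  # None: the "myth" case from #42
    print(name, "->", lookup(build_servers(True), name))   # host.example.com.
```

With `isp_delegates=False` the customer's PTR exists but no referral ever reaches it, which is exactly the failure #42 calls the "very common myth"; with the ISP's CNAME and NS in place the walk ends at the customer's own zone, which the customer can then edit alone.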

#45, posted 2004-09-16 16:21

Really excellent, I learned quite a few things.

#46, posted 2004-10-01 00:23

I suggest moderator netman mark this thread as featured! I read it again today (couldn't see it pinned, searched for ages) and got something out of it again! Brother abel's research on DNS is really thorough!

#47, posted 2004-10-02 18:03

Originally posted by "abel":
You can see that after a nameserver IP has been retried N times (that N is the #define .... 2 you mentioned),
it moves on to the next nameserver, which is tried N times again, so the maximum number of failures is N x number of nameservers.
Once the query has been successfully delivered to a nameserver, that completes the Resol..........

I have benefited a great deal from reading this thread.
There is one point I would like to discuss with brother Able.

resolv.conf defines
nameserver IP1
nameserver IP2

The question is when IP1 or IP2 is used, or how.

I think the resolver queries IP1 first; when IP1 times out, or there is a network error,
it switches to IP2; if IP2 also times out, the resolver starts a second round from IP1.
If the second round fails too, the resolver does not try again.

You can do an experiment:
define two IPs that are not DNS servers in resolv.conf,
then query with dig with the +d2 option turned on.
My environment is FreeBSD 4.10



  carelezz@cs@/home/carelezz: dig xxx.com +d2

  ; <<>> DiG 8.3 <<>> xxx.com +d2
  ;; res_nmkquery(QUERY, xxx.com, IN, A)
  ;; res options: init debug recurs defnam dnsrch ?0x80000000?
  ;; res_send()
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2313
  ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUERY SECTION:
  ;;      xxx.com, type = A, class = IN

  ;; Querying server (# 1) address = IP1
  ;; new DG socket
  ;; timeout
  ;; Querying server (# 2) address = IP2
  ;; new DG socket
  res_send: recvfrom: Connection refused
  ;; Querying server (# 1) address = IP1
  ;; new DG socket
  ;; timeout
  ;; Querying server (# 2) address = IP2
  ;; new DG socket
  res_send: recvfrom: Connection refused

#48, posted 2004-10-02 23:19

  /*
   * Send request, RETRY times, or until successful.
   */
  for (try = 0; try < statp->retry; try++) {          /* outer loop: the retry round */
      for (ns = 0; ns < statp->nscount; ns++) {       /* inner loop: every nameserver in turn */

Ah~ yes, you are right, I did not read it carefully.
The code above is taken from res_send:
it goes through the ns list first, then retries; that is correct.
Thanks to brother carelezz for the correction.

#49, posted 2004-10-02 23:45

Yes, I agree with brother carelezz.

Let me add how the query timeout is calculated:
* The first round is 5 seconds per query, polling each server in turn.
* If the first round fails, the second round begins: the first-round time-out multiplied by 2, divided by the number of servers.
* If the second round fails, the third round begins: the first-round time-out multiplied by 4, divided by the number of servers.
So if none of the nameservers can be reached, your waiting time is as follows:
* One server: 5 s in round one, 10 s in round two (5*2/1), 20 s in round three (5*4/1), 35 s in total.
* Two servers: 5 s each in round one, 10 s in all; 5 s each in round two (5*2/2), 10 s in all; 10 s each in round three (5*4/2), 20 s in all; 40 s in total.
* Three servers: 5 s each in round one, 15 s in all; 3 s each in round two (5*2/3, rounded down), 9 s in all; 6 s each in round three (5*4/3, rounded down), 18 s in all; 42 s in total.

(I forget the source for the moment; I think it was O'Reilly's DNS & BIND? I'll check when I have time.)
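The schedule above, worked through as an added example (my own code, not from the thread or from any libc): the loop order is the one quoted from res_send in #48, the timeout formula is the one this post states, and the 1-second floor on the per-server timeout is my assumption.

```python
def retry_schedule(nscount: int, retries: int = 3, base_timeout: int = 5):
    """Wait schedule for a query that never gets an answer, modelled on the thread:
    the outer loop is the retry round and the inner loop walks every nameserver
    (the res_send loop order quoted in #48). Round 1 waits base_timeout per server;
    round r waits base_timeout * 2**(r-1) // nscount, integer division.
    The floor of 1 second is an assumption, not something the post states.
    Returns a list of (round, server_index, seconds) in the order the servers are tried."""
    schedule = []
    for rnd in range(retries):
        if rnd == 0:
            per_server = base_timeout
        else:
            per_server = max(1, (base_timeout << rnd) // nscount)
        for ns in range(nscount):
            schedule.append((rnd + 1, ns + 1, per_server))
    return schedule

def total_wait(nscount: int, **kwargs) -> int:
    """Worst-case seconds before the resolver gives up when no nameserver answers."""
    return sum(secs for _, _, secs in retry_schedule(nscount, **kwargs))

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "nameserver(s):", total_wait(n), "s", retry_schedule(n))
```

The totals reproduce the post's 35, 40 and 42 seconds, and the schedule shows why adding servers barely shortens the worst case: each round still visits every server.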

#50, posted 2004-10-03 08:44

Brother Able, you're welcome.
I manage my organization's DNS servers and used to think DNS was simple.
After reading your posts I realize there is a lot to it; I will have to ask your advice more in the future.
What touched me most was your attitude to study.
I too should settle down and do some solid homework;
I have been too impatient before.
