DNS discussion



  • Is there value in reverse lookup tables in typical networks?

    Correct me if I'm wrong, but I thought the primary purpose of the reverse table was as a verification that an IP is being used by a specific host.

    I suppose in a LANless environment this can be useful, but is it very useful in most normal Windows-based LANs today?

    Also - I know that in Windows Networks (no Linux experience here) that DHCP can be setup to give information to DNS for host registration.

    So - Do most of you disable the client's ability to update DNS in Windows environments today?


  • Service Provider

    @Dashrender said in DNS discussion:

    So - Do most of you disable the client's ability to update DNS in Windows environments today?

    Why would you do that? Lookups by name are very useful.

    Bob called and said that Kathy's phone is not ringing right. You know Kathy is extension 1234 and when you configured the desk phones, you gave them all unique hostnames based on their extensions.

    So you pop a browser window and go to http://ext1234.ad.domain.local and look at her phone.

    How did that work? Because DHCP updated DNS.



  • @JaredBusch I think he's talking about Reverse DNS.



  • @JaredBusch What about in a static environment?


  • Service Provider

    @wirestyle22 said in DNS discussion:

    @JaredBusch What about in a static environment?

    Then it is a manual process just like everything else in a static environment.
    You simply make things like that part of the process.


  • Service Provider

    @dafyre said in DNS discussion:

    @JaredBusch I think he's talking about Reverse DNS.

    Yes. That is exactly what I am answering. The DHCP auto updating DNS for the reverse lookup.



  • @Dashrender said in DNS discussion:

    Also - I know that in Windows Networks (no Linux experience here) that DHCP can be setup to give information to DNS for host registration.

    So - Do most of you disable the client's ability to update DNS in Windows environments today?

    You missed my question JB... I'm asking if you disable the ability of the Clients, not DHCP, to update DNS.



  • @Dashrender said in DNS discussion:

    Is there value in reverse lookup tables in typical networks?

    Correct me if I'm wrong, but I thought the primary purpose of the reverse table was as a verification that an IP is being used by a specific host.

    I suppose in a LANless environment this can be useful, but is it very useful in most normal Windows-based LANs today?

    Also - I know that in Windows Networks (no Linux experience here) that DHCP can be setup to give information to DNS for host registration.

    So - Do most of you disable the client's ability to update DNS in Windows environments today?

    I leave it on because if I run an ARP scan I can quickly just get the name from IP.

    Some things like Red Hat's Identity Management need the reverse mapping for replication.



  • If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?


  • Service Provider

    @Dashrender said in DNS discussion:

    If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?

    You don't get rid of it. You simply nuke all the data in it and then put clean data back in.

    In the case of a static network, it is a stupid shit ton of new work. But that is, yet another, reason not to static entire networks.



  • @JaredBusch said in DNS discussion:

    @Dashrender said in DNS discussion:

    If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?

    You don't get rid of it. You simply nuke all the data in it and then put clean data back in.

    In the case of a static network, it is a stupid shit ton of new work. But that is, yet another, reason not to static entire networks.

    Why add it back though? Other than doing nslookups by IP, what else uses it internally? I'm not aware of anything, but that doesn't mean nothing does.

    Other than spam filters, there isn't anything I know of that uses reverse DNS lookups.

    I'm fine with it being part of the norm - but, if need be, I'm asking for an educated reason for its being there other than 'it's always just been there.'



  • @Dashrender said in DNS discussion:

    @JaredBusch said in DNS discussion:

    @Dashrender said in DNS discussion:

    If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?

    You don't get rid of it. You simply nuke all the data in it and then put clean data back in.

    In the case of a static network, it is a stupid shit ton of new work. But that is, yet another, reason not to static entire networks.

    Why add it back though? Other than doing nslookups by IP, what else uses it internally? I'm not aware of anything, but that doesn't mean nothing does.

    Other than spam filters, there isn't anything I know of that uses reverse DNS lookups.

    I'm fine with it being part of the norm - but, if need be, I'm asking for an educated reason for its being there other than 'it's always just been there.'

    This is also my question



  • For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.



  • @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.



  • @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?



  • @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.



  • @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    It didn't break anything, I just noticed it and it started this conversation with @Dashrender



  • @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?



  • @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.

    I don't know about Windows specifically, but I know some logging tools can use PTRs for validation.



  • @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    Exactly this



  • @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    Don't have all static. What's the value in that? I think for the new stuff I'm setting up, only the hypervisors, DHCP, and DNS servers are static. Everything else is reservations and dynamic.



  • @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    And I think you answered your own question here. It may have led them to the wrong conclusion based on bad information, but one that is properly set up is useful or else they wouldn't even have been looking there.


  • Service Provider

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    And I think you answered your own question here. It may have led them to the wrong conclusion based on bad information, but one that is properly set up is useful or else they wouldn't even have been looking there.

    Right, if you are going to have a static network, then this is simply one more thing that you have to deal with as I said earlier. Not doing it is going to cause problems sooner or later.


  • Service Provider

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.

    No, it cannot be found through a translation later, because that information may no longer correctly match. You HAVE to get the translation immediately or your logs are worthless (regarding the reverse DNS information).

    Event happens Saturday and only IP is logged.

    DNS updates on Monday because device on IP changed.

    You pull Saturday's log on Wednesday and get Monday's machine name.

    Have fun tracking down the real problem.
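
    The scenario above, as an added example that is not part of the original thread or any poster's tooling: a small ingest routine that resolves the source address the moment an event is recorded and stores the name next to the IP, beside the late-resolution approach that produces Monday's machine name for Saturday's event. The sshd log lines, the addresses and the dated "snapshots" of the reverse zone are all constructed so the example runs offline; a real pipeline would query the resolver where ptr_lookup consults the snapshot table.

    ```python
    """Added example, not from the thread: host names belong in the log at ingest time.
    Log lines, addresses and the PTR snapshot table below are constructed."""
    import re
    from typing import Dict, List, Optional

    # Constructed snapshots of what the reverse zone served from a given day onward
    # (ISO dates as keys so they sort correctly as strings). On Monday the lease for
    # 10.0.5.23 moved to a different machine and DHCP rewrote the PTR.
    PTR_HISTORY: Dict[str, Dict[str, str]] = {
        "2017-03-04": {"10.0.5.23": "kathy-pc.ad.domain.local"},   # Saturday
        "2017-03-06": {"10.0.5.23": "loaner-07.ad.domain.local"},  # Monday
    }

    # Constructed sshd lines, ISO-dated to keep the parser short.
    RAW_LOG = """\
    2017-03-04 fw01 sshd[4121]: Failed password for root from 10.0.5.23 port 51000 ssh2
    2017-03-04 fw01 sshd[4121]: Failed password for root from 10.0.5.23 port 51002 ssh2
    2017-03-06 fw01 sshd[4388]: Accepted publickey for jsmith from 10.0.5.23 port 52010 ssh2
    """

    LOG_RE = re.compile(
        r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ sshd\[\d+\]: (?P<msg>.+?) from "
        r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
    )


    def ptr_lookup(ip: str, on_day: str) -> Optional[str]:
        """Stand-in for a reverse lookup: the name the zone served on on_day, taken
        from the most recent constructed snapshot at or before that day."""
        snaps = sorted(d for d in PTR_HISTORY if d <= on_day)
        return PTR_HISTORY[snaps[-1]].get(ip) if snaps else None


    def ingest_log(text: str) -> List[Dict[str, Optional[str]]]:
        """Parse each line and resolve the source IP when the event is recorded.
        The name is stored alongside the IP and never re-derived afterwards."""
        events = []
        for line in text.splitlines():
            m = LOG_RE.match(line)
            if not m:
                continue  # unrecognised line: skip it rather than guess
            events.append({
                "day": m["day"],
                "src_ip": m["ip"],
                "msg": m["msg"],
                "src_host": ptr_lookup(m["ip"], m["day"]),  # enriched at ingest
            })
        return events


    def resolve_later(event: Dict[str, Optional[str]], analysis_day: str) -> Optional[str]:
        """The mistake the post warns about: resolving the logged IP at analysis time."""
        return ptr_lookup(event["src_ip"] or "", analysis_day)


    def stale_attributions(events, analysis_day: str):
        """Events whose late resolution disagrees with the name captured at ingest."""
        return [e for e in events if resolve_later(e, analysis_day) != e["src_host"]]


    if __name__ == "__main__":
        evs = ingest_log(RAW_LOG)
        for e in stale_attributions(evs, "2017-03-08"):  # analyst looks on Wednesday
            print(e["day"], e["src_ip"], "logged as", e["src_host"],
                  "but resolves today to", resolve_later(e, "2017-03-08"))
    ```

    Run stand-alone it lists the two Saturday events, which were recorded against kathy-pc but would be attributed to loaner-07 if the IP were resolved on Wednesday; the Monday event agrees either way, which is exactly why the discrepancy is easy to miss.
    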



  • @JaredBusch said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.

    No, it cannot be found through a translation later, because that information may no longer correctly match. You HAVE to get the translation immediately or your logs are worthless (regarding the reverse DNS information).

    Event happens Saturday and only IP is logged.

    DNS updates on Monday because device on IP changed.

    You pull Saturday's log on Wednesday and get Monday's machine name.

    Have fun tracking down the real problem.

    Good point JB - though you don't need reverse DNS for that, you can get the host name from the client itself, which would be much more accurate.


  • Service Provider

    @Dashrender said in DNS discussion:

    @JaredBusch said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.

    No, it cannot be found through a translation later, because that information may no longer correctly match. You HAVE to get the translation immediately or your logs are worthless (regarding the reverse DNS information).

    Event happens Saturday and only IP is logged.

    DNS updates on Monday because device on IP changed.

    You pull Saturday's log on Wednesday and get Monday's machine name.

    Have fun tracking down the real problem.

    Good point JB - though you don't need reverse DNS for that, you can get the host name from the client itself, which would be much more accurate.

    Which client? All you have in the log is the IP in this scheme. If you track that IP now, it will be a different machine.


  • Service Provider

    @wirestyle22 said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    Exactly this

    Why would it be manual? What situation is causing there to be any amount of work?


  • Service Provider

    @JaredBusch said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    And I think you answered your own question here. It may have led them to the wrong conclusion based on bad information, but one that is properly set up is useful or else they wouldn't even have been looking there.

    Right, if you are going to have a static network, then this is simply one more thing that you have to deal with as I said earlier. Not doing it is going to cause problems sooner or later.

    Right.... layers of mistakes where one mistake is leading to another based on it. If PTR records take any effort, don't ignore the real problem by not updating PTR, instead, fix the actual problem.



  • @scottalanmiller said in DNS discussion:

    @wirestyle22 said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    @Dashrender said in DNS discussion:

    @stacksofplates said in DNS discussion:

    For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.

    But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.

    OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.

    It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in troubleshooting this.

    He also needs to kill WINS, but that's another matter.

    It literally won't install the replica without it, so it is a requirement.

    So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?

    Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.

    But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?

    Exactly this

    Why would it be manual? What situation is causing there to be any amount of work?

    I love my playbook for this. I have reservations but they don't auto update DNS. The dict has the host info (address, record type, mac, etc) and generates the reservation and adds the A and PTR at the same time. Any changes are done in Git and it's all automatic.
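
    The "one inventory generates the reservation, the A and the PTR together" approach described in the post above, and the "nuke the bad data and put clean data back" advice earlier in the thread, as one added example that is neither the poster's playbook nor any project's code. The script renders ISC dhcpd host stanzas, forward A records and in-addr.arpa PTR records from a single host list, refuses to render an inconsistent inventory, and audits an existing reverse zone against that inventory so stale PTRs (the kind that sent someone down the wrong path here) show up as a list instead of a surprise during troubleshooting. The host names, addresses, MACs and the "live" reverse zone in the test are constructed; the domain ad.domain.local is borrowed from the thread's phone example.

    ```python
    """Added example, not from the thread: one inventory -> DHCP reservations, A and
    PTR records, plus an audit of an existing reverse zone. All hosts are constructed."""
    import ipaddress
    from typing import Dict, List, Tuple

    DOMAIN = "ad.domain.local"

    # Constructed inventory: the single source of truth that would live in Git.
    # Only infrastructure is static; everything else is a DHCP reservation.
    HOSTS = [
        {"name": "hv01",    "ip": "10.0.5.10", "mac": "52:54:00:aa:01:10", "static": True},
        {"name": "dns01",   "ip": "10.0.5.11", "mac": "52:54:00:aa:01:11", "static": True},
        {"name": "ext1234", "ip": "10.0.5.40", "mac": "52:54:00:aa:01:40", "static": False},
        {"name": "ext1235", "ip": "10.0.5.41", "mac": "52:54:00:aa:01:41", "static": False},
    ]

    Record = Tuple[str, str, str]  # (owner, type, rdata), owner and names fully qualified


    def fqdn(name: str) -> str:
        return f"{name}.{DOMAIN}."


    def ptr_owner(ip: str) -> str:
        """Owner name of the PTR for an address (in-addr.arpa or ip6.arpa), via the
        standard library rather than hand-reversing octets."""
        return ipaddress.ip_address(ip).reverse_pointer + "."


    def a_records(hosts) -> List[Record]:
        return [(fqdn(h["name"]), "A", h["ip"]) for h in hosts]


    def ptr_records(hosts) -> List[Record]:
        """Every forward record gets its reverse twin from the same source data."""
        return [(ptr_owner(h["ip"]), "PTR", fqdn(h["name"])) for h in hosts]


    def dhcp_reservations(hosts) -> List[str]:
        """ISC dhcpd host stanzas for the reserved (non-static) hosts."""
        return [
            f'host {h["name"]} {{ hardware ethernet {h["mac"]}; fixed-address {h["ip"]}; }}'
            for h in hosts if not h["static"]
        ]


    def validate(hosts) -> List[str]:
        """Reject duplicate names, addresses or MACs before anything is rendered;
        a duplicate IP here is exactly how a reverse zone ends up with bad data."""
        errors = []
        seen: Dict[str, Dict[str, str]] = {"name": {}, "ip": {}, "mac": {}}
        for h in hosts:
            for key, table in seen.items():
                if h[key] in table:
                    errors.append(f"duplicate {key} {h[key]}: {table[h[key]]} and {h['name']}")
                table[h[key]] = h["name"]
        return errors


    def audit_reverse_zone(hosts, live_ptrs: Dict[str, str]):
        """Compare a live reverse zone (owner -> target) with the inventory.
        Returns (stale, missing): stale PTRs whose target is not what the forward
        zone says, and inventory addresses that have no PTR at all."""
        wanted = {owner: target for owner, _, target in ptr_records(hosts)}
        stale = {o: t for o, t in live_ptrs.items() if wanted.get(o) != t}
        missing = {o: t for o, t in wanted.items() if o not in live_ptrs}
        return stale, missing


    def render(hosts) -> str:
        """Rendered output for dhcpd.conf and the two zone files, or an error list."""
        problems = validate(hosts)
        if problems:
            return "INVALID INVENTORY:\n" + "\n".join(problems)
        lines = dhcp_reservations(hosts)
        lines += [f"{o} IN {t} {r}" for o, t, r in a_records(hosts) + ptr_records(hosts)]
        return "\n".join(lines)


    if __name__ == "__main__":
        print(render(HOSTS))
    ```

    The audit is the piece to run before deciding whether to "nuke it and put clean data back": if stale is empty, the reverse zone already matches the inventory and there is nothing to rebuild; if it is not, the listed owners are precisely the records to delete before regenerating from the inventory.
    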



  • In all our schools we have a Solus3 deployment server that uses reverse lookups when you're doing initial client setups in it. Solus3 updates SIMS and FMS which are the MIS and finance systems that run the school.

