DNS discussion
-
Is there value in reverse lookup tables in typical networks?
Correct me if I'm wrong, but I thought the primary purpose of the reverse table was as a verification that an IP is being used by a specific host.
I suppose in a LANLess environment this can be useful, but is very useful in most normal Windows based LANs today?
Also - I know that in Windows Networks (no Linux experience here) that DHCP can be setup to give information to DNS for host registration.
So - Do most of you disable the client's ability to update DNS in Windows environments today?
-
@Dashrender said in DNS discussion:
So - Do most of you disable the client's ability to update DNS in Windows environments today?
Why would you do that? Lookups by name are very useful.
Bob called and said that Kathy's phone is not ringing right. You know Kathy is extension 1234 and when you configured the desk phones, you gave them all unique hostnames based on their extensions.
So you pop a browser window and go to http://ext1234.ad.domain.local and look at her phone.
How did that work? Because DHCP updated DNS.
-
@JaredBusch I think he's talking about Reverse DNS.
-
@JaredBusch What about in a static environment?
-
@wirestyle22 said in DNS discussion:
@JaredBusch What about in a static environment?
Then it is a manual process just like everything else in a static environment.
You simply make things like that part of the process. -
@dafyre said in DNS discussion:
@JaredBusch I think he's talking about Reverse DNS.
Yes. That is exactly what I am answering. The DHCP auto updating DNS for the reverse lookup.
-
@Dashrender said in DNS discussion:
Also - I know that in Windows Networks (no Linux experience here) that DHCP can be setup to give information to DNS for host registration.
So - Do most of you disable the client's ability to update DNS in Windows environments today?
You missed my question JB... I'm asking if you disable the ability of the Clients, not DHCP, to update DNS.
-
@Dashrender said in DNS discussion:
Is there value in reverse lookup tables in typical networks?
Correct me if I'm wrong, but I thought the primary purpose of the reverse table was as a verification that an IP is being used by a specific host.
I suppose in a LANLess environment this can be useful, but is very useful in most normal Windows based LANs today?
Also - I know that in Windows Networks (no Linux experience here) that DHCP can be setup to give information to DNS for host registration.
So - Do most of you disable the client's ability to update DNS in Windows environments today?
I leave it on because if I run an ARP scan I can quickly just get the name from IP.
Some things like RedHats Identity Management need the reverse mapping for replication.
-
If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?
-
@Dashrender said in DNS discussion:
If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?
You don't get rid of it. You simply nuke all the data in it and then put clean data back in.
In the case of a static network, it is a stupid shit ton of new work. But that is, yet another, reason not to static entire networks.
-
@JaredBusch said in DNS discussion:
@Dashrender said in DNS discussion:
If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?
You don't get rid of it. You simply nuke all the data in it and then put clean data back in.
In the case of a static network, it is a stupid shit ton of new work. But that is, yet another, reason not to static entire networks.
Why add it back though? Other than doing nslookups by IP, what else uses it internally? I'm not aware of anything, but that doesn't mean nothing does.
Other spam filters, there isn't anything I know of that uses reverse DNS lookups.
I'm fine with it being part of the norm - but, if need be, I'm asking for an educated reason for it's being there other than 'it's always just been there.'
-
@Dashrender said in DNS discussion:
@JaredBusch said in DNS discussion:
@Dashrender said in DNS discussion:
If you already have it in place, I don't see any reason to get rid of it... But in Wire's case he has a bunch of bad data in it.... And I'm wondering if it's better to fix it, or just get rid of it?
You don't get rid of it. You simply nuke all the data in it and then put clean data back in.
In the case of a static network, it is a stupid shit ton of new work. But that is, yet another, reason not to static entire networks.
Why add it back though? Other than doing nslookups by IP, what else uses it internally? I'm not aware of anything, but that doesn't mean nothing does.
Other spam filters, there isn't anything I know of that uses reverse DNS lookups.
I'm fine with it being part of the norm - but, if need be, I'm asking for an educated reason for it's being there other than 'it's always just been there.'
This is also my question
-
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
-
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.
It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in trouble shooting this.
He also needs to kill WINS, but that's another matter.
-
@Dashrender said in DNS discussion:
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.
It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in trouble shooting this.
He also needs to kill WINS, but that's another matter.
It literally won't install the replicate without it so it is a requirement.
So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?
-
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.
-
@stacksofplates said in DNS discussion:
@Dashrender said in DNS discussion:
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.
It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in trouble shooting this.
He also needs to kill WINS, but that's another matter.
It literally won't install the replicate without it so it is a requirement.
So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?
It didn't break anything, I just noticed it and it started this conversation with @Dashrender
-
@stacksofplates said in DNS discussion:
@Dashrender said in DNS discussion:
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.
It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in trouble shooting this.
He also needs to kill WINS, but that's another matter.
It literally won't install the replicate without it so it is a requirement.
So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?
Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.
But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?
-
@Dashrender said in DNS discussion:
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
This post makes me wonder - Does Windows auto convert IP log entries into host names in Windows logs? I know it doesn't need to, it can collect this information when the connection is made, but it might, because saving that information is just extra info that could be found through a translation later.
I don't know about Windows specifically, but I know some logging tools can use PTRs for validation.
-
@Dashrender said in DNS discussion:
@stacksofplates said in DNS discussion:
@Dashrender said in DNS discussion:
@stacksofplates said in DNS discussion:
For me it's mostly convenience. Another use other than what I mentioned before is I can quickly find what machine a person SSH'd in from.
But I know FreeIPA replicas need it because I just installed one this morning and had to add the PTR.
OK these are useful tools for IT, but they aren't requirements. The system won't suddenly stop replicating, or authenticating, etc because you don't have reverse DNS setup.
It's kinda obvious that Wire has a mess in his static environment. I'm thinking that he should just kill the reverse entries to prevent the problem he experienced in trouble shooting this.
He also needs to kill WINS, but that's another matter.
It literally won't install the replicate without it so it is a requirement.
So let's reverse the question. If nothing relies on it, how can the reverse be screwing anything up?
Well, in this case - it led someone to a wrong conclusion to the root of a problem. Now this isn't the fault of reverse DNS.
But having to maintain a manual reverse DNS table can be a fair amount of work, and if it offers no value, why do it?
Exactly this
