<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: reverse lookup interesting situation in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917471#M557152</link>
    <description>Reverse lookups are inevitable.  It sounds to me like your Windows "administrators" are just being too lazy in not setting up their DNS service properly, and are trying to fob you off.&lt;BR /&gt;&lt;BR /&gt;Jeeze, you'd think with their pointy-clicky interfaces it'd be easy enough for them!&lt;BR /&gt;&lt;BR /&gt;;)</description>
    <pubDate>Thu, 11 Aug 2005 09:35:18 GMT</pubDate>
    <dc:creator>Simon Hargrave</dc:creator>
    <dc:date>2005-08-11T09:35:18Z</dc:date>
    <item>
      <title>reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917466#M557147</link>
      <description>Windows client=clientA&lt;BR /&gt;Windows DNS Server=WinDNS&lt;BR /&gt;HP UNIX DB server=UnixDB&lt;BR /&gt;&lt;BR /&gt;UnixDB is not running DNS:&lt;BR /&gt;bg-qad01:/home/techsup/creindk&amp;gt; grep NAMED= /etc/rc.config.d/namesvrs&lt;BR /&gt;NAMED=0&lt;BR /&gt;&lt;BR /&gt;bg-qad01:/home/techsup/creindk&amp;gt;&lt;BR /&gt;&lt;BR /&gt;I had a situation where clientA couldn't fully establish an ftp connection to UnixDB.  It was making the connection but no login prompt.  I couldn't solve the problem; I went to our networking team.  They said, "WinDNS doesn't have an entry for clientA in one of its tables, and your UnixDB is trying to do a reverse lookup."  &lt;BR /&gt;&lt;BR /&gt;The networking team added clientA to 'some' config file on WinDNS and sure enough it worked. Meaning, immediately after they made the change, I ran ftp from clientA to UnixDB and instantly login prompt, and all is good.&lt;BR /&gt;&lt;BR /&gt;But........&lt;BR /&gt;My networking team is saying, "reverse lookups are bad." (I don't pretend to know if reverse lookups are bad).....  And that I must turn off reverse lookups on all my servers.&lt;BR /&gt;&lt;BR /&gt;Is my networking team correct in saying this?&lt;BR /&gt;UnixDB isn't even configured as a DNS server.&lt;BR /&gt;Doesn't reverse lookup only pertain to DNS servers?&lt;BR /&gt;If not, how would I turn off reverse lookups; what config file?  Should I demand they keep WinDNS accurate and updated? &lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Wed, 10 Aug 2005 17:04:03 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917466#M557147</guid>
      <dc:creator>Kirk Reindl</dc:creator>
      <dc:date>2005-08-10T17:04:03Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917467#M557148</link>
      <description>Reverse DNS is not bad; actually, it is a necessary evil in most cases. Your networking people look like they are trying to shake you off their back. They need to keep their DNS servers up to date. &lt;BR /&gt;&lt;BR /&gt;Make sure you have a healthy DNS server, preferably more than one, in your /etc/nsswitch.conf, and again make sure you have the DNS resolution order in the /etc/nsswitch.conf file set up properly. You do not need to be running named or anything for reverse lookup. Resolution is the duty of the DNS servers specified in the resolv.conf file.</description>
      <pubDate>Wed, 10 Aug 2005 17:15:44 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917467#M557148</guid>
      <dc:creator>Mel Burslan</dc:creator>
      <dc:date>2005-08-10T17:15:44Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917468#M557149</link>
      <description>&lt;BR /&gt;For every central DNS server, there are two main tables.  Let's call them "forward lookup" and "reverse lookup" tables.  &lt;BR /&gt;&lt;BR /&gt;The forward lookup table resolves hostnames to IP addresses.  The reverse lookup table resolves IP addresses back to hostnames.&lt;BR /&gt;This is all done on the central DNS server and not your local HP-UX box.  In fact, your local HP-UX box has nothing to do with serving DNS.  It is only a "client" to your central DNS system.&lt;BR /&gt;&lt;BR /&gt;What I think your Network Admin is saying, and this is only an assumption based on your message, is to configure your HP-UX box to NOT do reverse lookups when trying to do some types of authentication.&lt;BR /&gt;&lt;BR /&gt;And what does this mean?  Well, for security purposes, applications (and the resolver library) will try to verify your IP address -- both forward and reverse -- when you make a network connection (i.e., telnet) to make sure you are coming from the system you say you are coming from (because IP addresses can be spoofed).  This is only a small amount of security that can lead to big problems if DNS is NOT configured correctly on the central DNS server.&lt;BR /&gt;&lt;BR /&gt;As far as I know, you cannot globally turn off this "forward/reverse" verification because it first starts at a resolver level and applications need to determine whether to use this data or not...so it ends up being an application level issue.  Needless to say it is a slippery slope to try to circumvent this.  And I don't think HP-UX provides such a mechanism.&lt;BR /&gt;&lt;BR /&gt;The right way to handle this is for the Network Admin to set up the central DNS server correctly, and that means to have both forward and reverse DNS working properly.  &lt;BR /&gt;&lt;BR /&gt;Another solution is to not use DNS at all on your HP-UX box and use a /etc/hosts file.  This would also require you to disable dns in /etc/nsswitch.conf.  
But then no DNS lookups would work and I'm not sure you want this either.&lt;BR /&gt;&lt;BR /&gt;Finally, the last alternative would be to use both a hosts file and dns.  But that gets messy too.&lt;BR /&gt;&lt;BR /&gt;If there are other options, I'm sure someone else will chime in.  But in the meantime, reverse lookups are NOT bad, and they wouldn't be bad if the central DNS server and all of the clients were configured correctly.&lt;BR /&gt;&lt;BR /&gt;That is my 2 cents.  Good luck...&lt;BR /&gt;&lt;BR /&gt;-- Tom&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Wed, 10 Aug 2005 17:27:18 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917468#M557149</guid>
      <dc:creator>Tom Schroll</dc:creator>
      <dc:date>2005-08-10T17:27:18Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917469#M557150</link>
      <description>Having administered a Windows-based DNS server some time ago, it will by default ask if you want to create the reverse-lookup table entry every time you add a new entry to a zone.  I see no reason why someone would choose not to since it only causes the very problem you are describing.&lt;BR /&gt;&lt;BR /&gt;What reason did your network admins give for reverse-lookups being "bad?"</description>
      <pubDate>Thu, 11 Aug 2005 07:50:37 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917469#M557150</guid>
      <dc:creator>Pat Lieberg</dc:creator>
      <dc:date>2005-08-11T07:50:37Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917470#M557151</link>
      <description>The network engineer did give me a reason, this is something I'll need to ask.&lt;BR /&gt;&lt;BR /&gt;I believe I have enough to "tell them this is not a Unix issue" and they need to manage the DNS servers most closely.&lt;BR /&gt;&lt;BR /&gt;It sounds like, from what all of you have replied, there is no explicit config parameter at the Unix level that says, do not do reverse lookups.&lt;BR /&gt;&lt;BR /&gt;If an application is doing a reverse lookup (ftp, or whatever), that is a different story.  How I'd determine that I have no idea.</description>
      <pubDate>Thu, 11 Aug 2005 08:15:10 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917470#M557151</guid>
      <dc:creator>Kirk Reindl</dc:creator>
      <dc:date>2005-08-11T08:15:10Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917471#M557152</link>
      <description>Reverse lookups are inevitable.  It sounds to me like your Windows "administrators" are just being too lazy in not setting up their DNS service properly, and are trying to fob you off.&lt;BR /&gt;&lt;BR /&gt;Jeeze, you'd think with their pointy-clicky interfaces it'd be easy enough for them!&lt;BR /&gt;&lt;BR /&gt;;)</description>
      <pubDate>Thu, 11 Aug 2005 09:35:18 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917471#M557152</guid>
      <dc:creator>Simon Hargrave</dc:creator>
      <dc:date>2005-08-11T09:35:18Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917472#M557153</link>
      <description>I used to manage Windoz DNS servers and there is no reason for the DNS guys to tell you that "Reverse lookups are bad". Are these guys qualified for that job? Network engineer? In any event there is no way to shut off reverse lookups that I am aware of. Both forward and reverse lookups are a requirement of a well-managed infrastructure to ensure integrity and security.</description>
      <pubDate>Thu, 11 Aug 2005 12:17:10 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917472#M557153</guid>
      <dc:creator>John Dvorchak</dc:creator>
      <dc:date>2005-08-11T12:17:10Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917473#M557154</link>
      <description>Thanks all, you've given me a leg to stand on.&lt;BR /&gt;I'm closing this thread now.</description>
      <pubDate>Thu, 11 Aug 2005 12:38:14 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917473#M557154</guid>
      <dc:creator>Kirk Reindl</dc:creator>
      <dc:date>2005-08-11T12:38:14Z</dc:date>
    </item>
    <item>
      <title>Re: reverse lookup interesting situation</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917474#M557155</link>
      <description>I have the info I need</description>
      <pubDate>Thu, 11 Aug 2005 12:38:59 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/reverse-lookup-interesting-situation/m-p/4917474#M557155</guid>
      <dc:creator>Kirk Reindl</dc:creator>
      <dc:date>2005-08-11T12:38:59Z</dc:date>
    </item>
  </channel>
</rss>

