Working at a large university that uses 10.0.0.0/8 (RFC 1918) space internally, it’s easy enough to get hold of a /24 that is quick and easy to put into Windows reverse DNS. Even with the large amount of public-facing IP space the university I work at has, publicly routable space is still at a premium and subnetted delegations are common. In my experience in the “real world”, most people don’t have the budget or a real need to request a /24 from their ISP, so they need a way to get reverse lookup DNS working on their Windows servers for subnetted (classless, RFC 2317) zones.
I needed to re-IP a /27 test network recently and got frustrated by having to ask my *nix DNS folks to make changes all the time. I decided that since it was theoretically possible to make subnetted reverse lookup DNS zones work on Windows that I would give it the ol’ college try.
I started by reading this: http://support.microsoft.com/?id=174419 (be careful, it’s enthralling). Then, since I was working in my sandbox, I started mucking around (read: deleting zones, reloading zones, rebooting DCs). It took a lot of cussing but I got it working, and I thought I’d jot down how I did it since I’ve been able to repeat the process successfully several times.
I did this on Windows Server 2008 domain controllers; the general idea should work on any version of Windows DNS, but the clicky parts won’t look the same. Please forgive any poorly used terminology; if you have a legitimate suggestion as to how I can improve my post I’d love to hear it. Some of this might be captain obvious to many of you, but in this case I think it doesn’t hurt to spell out the obvious. If you have any questions I’d be happy to try to answer them for you. Just click the contact link on the side of the blog or leave a comment here.
This is the gist of how I did it:
1) Got 96/27.50.254.10.in-addr.arpa delegated to my DCs by the *nix team (a sample BIND config for their side is a ways down the page)
2) Created a primary (NOT Active Directory-integrated) reverse lookup “parent” zone on DC1 for 10.254.50.x, i.e. 50.254.10.in-addr.arpa
3) Created a new delegation in that parent zone on DC1 for 96/27, so that the delegated FQDN ends up as “96/27.50.254.10.in-addr.arpa”
4) Created a primary (NOT AD-integrated) reverse lookup “child” zone on DC1 named 96/27.50.254.10.in-addr.arpa (in the wizard, type the name into the reverse lookup zone name box instead of filling in the network ID octets, so the slash survives)
5) Added DC2 as a name server (NS) on both zones and allowed zone transfers to the servers listed in the NS records
6) Added secondary zones for both zones on DC2, so that either server can answer for them (the secondary copies are read-only; edits still go on DC1 and are pulled over by zone transfer)
7) Added CNAMEs in the parent zone, one per address in the delegated range. I found this easier to do by editing the zone file in C:\Windows\System32\dns (skip the quotes):
“117 CNAME 117.96/27.50.254.10.in-addr.arpa.”
8) Added PTRs in the child zone, again by editing the zone file in C:\Windows\System32\dns (skip the quotes):
“117 PTR OMGPONIES.glitterponiesarecool.com.”
9) Saved changes to zone files
10) Reloaded both zones
11) Voilà! Test with nslookup from something not in the domain you’re testing and make sure the answer looks right: the bare hostname, with no in-addr.arpa name tacked onto the end.
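Here is the same procedure as a script, an added example that is not from the original post (which was done by hand in the Windows Server 2008 DNS console). It uses the DnsServer PowerShell module, which only shipped with Windows Server 2012 and the matching RSAT, so it will not run as-is on 2008; the dnscmd equivalents that do exist on 2008 are in comments. Zone names and hostnames are the post’s; the DC addresses 10.254.50.1 and 10.254.50.2, the zone file names, the use of “@” for the zone apex and the 98-120 range (taken from the sample BIND config below) are assumptions.

```powershell
# Added example, not the original post's steps. Requires the DnsServer module
# (Windows Server 2012+ / RSAT); run on DC1 as a DNS administrator.
# Assumed: dc1 = 10.254.50.1, dc2 = 10.254.50.2, delegated hosts 98-120.
Import-Module DnsServer

$Parent   = '50.254.10.in-addr.arpa'        # our 10.254.50.0/24 parent zone (step 2)
$ChildRel = '96/27'                          # exactly the label the *nix team delegated (step 1)
$Child    = "$ChildRel.$Parent"              # 96/27.50.254.10.in-addr.arpa (step 4)
$Dc1 = 'dc1.glitterponiesarecool.com'; $Dc1Ip = '10.254.50.1'   # assumed address
$Dc2 = 'dc2.glitterponiesarecool.com'; $Dc2Ip = '10.254.50.2'   # assumed address

# Steps 2 and 4: file-backed primary zones, NOT AD-integrated. The child's
# zone file name is chosen by hand because "/" is not legal in a file name.
# 2008 equivalent: dnscmd /ZoneAdd 50.254.10.in-addr.arpa /Primary /file 50.254.10.in-addr.arpa.dns
Add-DnsServerPrimaryZone -Name $Parent -ZoneFile "$Parent.dns" -DynamicUpdate None
Add-DnsServerPrimaryZone -Name $Child  -ZoneFile '96-27.50.254.10.in-addr.arpa.dns' -DynamicUpdate None

# Step 3: delegate 96/27 inside the parent (NS record named "96/27" plus glue),
# then add DC2 as a second NS for the same delegation.
Add-DnsServerZoneDelegation -Name $Parent -ChildZoneName $ChildRel -NameServer $Dc1 -IPAddress $Dc1Ip
Add-DnsServerResourceRecord -ZoneName $Parent -Name $ChildRel -NS -NameServer $Dc2

# Step 5: DC2 as NS at the apex ("@") of both zones; transfers only to listed NS.
# 2008 equivalent: dnscmd /RecordAdd <zone> @ NS dc2.glitterponiesarecool.com
#                  dnscmd /ZoneResetSecondaries <zone> /SecureNs /Notify
foreach ($zone in $Parent, $Child) {
    Add-DnsServerResourceRecord -ZoneName $zone -Name '@' -NS -NameServer $Dc2
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToZoneNameServer -Notify Notify
}

# Step 6: read-only secondary copies on DC2, pulling from DC1.
foreach ($zone in $Parent, $Child) {
    Add-DnsServerSecondaryZone -ComputerName $Dc2 -Name $zone `
        -ZoneFile "$($zone -replace '/', '-').dns" -MasterServers $Dc1Ip
}

# Step 7: one CNAME per delegated address in the parent, the equivalent of the
# BIND "$GENERATE 98-120 $ IN CNAME $.96/27.50.254.10.in-addr.arpa." line.
# No trailing dot here: the cmdlet stores the alias as a full name already.
98..120 | ForEach-Object {
    Add-DnsServerResourceRecordCName -ZoneName $Parent -Name "$_" -HostNameAlias "$_.$Child"
}

# Step 8: the PTR lives only in the child zone.
Add-DnsServerResourceRecordPtr -ZoneName $Child -Name '117' -PtrDomainName 'OMGPONIES.glitterponiesarecool.com'

# Steps 9 and 10 (save and reload the zone files) are not needed when the
# records go in through the server API instead of a text editor.

# Step 11: follow the chain from a client. The answer should show the CNAME
# 117.50.254.10.in-addr.arpa -> 117.96/27.50.254.10.in-addr.arpa and then the PTR.
Resolve-DnsName -Name '117.50.254.10.in-addr.arpa' -Type PTR -Server $Dc1Ip -DnsOnly

# Check for the naming mistake described in the notes: every CNAME in the parent
# must point into the child zone name that was actually delegated, or lookups dead-end.
Get-DnsServerResourceRecord -ZoneName $Parent -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -notlike "*.$Child" } |
    ForEach-Object { Write-Warning "$($_.HostName) aliases $($_.RecordData.HostNameAlias), which is outside $Child" }
```

The last pipeline is the check worth keeping around: if the *nix team ever renames the delegation, or someone creates the child zone with a different label, the parent’s CNAMEs silently point into a zone nobody serves and the warning is the quickest way to spot it.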
Sample BIND config:
$ORIGIN 50.254.10.in-addr.arpa.
; .96/27 glitterponies
97 IN PTR glitterponies-inside-alias.glitterponiesarecool.com.
96/27 IN NS dc1.glitterponiesarecool.com.
96/27 IN NS dc2.glitterponiesarecool.com.
$GENERATE 98-120 $ IN CNAME $.96/27.50.254.10.in-addr.arpa.
121 IN PTR glitterponies-inside-fw1.glitterponiesarecool.com.
122 IN PTR glitterponies-inside-fw2.glitterponiesarecool.com.
Notes:
* The name the Unix-side DNS uses for the delegation is important. The child zone has to be named exactly what the parent delegates and what the parent’s CNAMEs point at; if they call it 96/27.50.254.10.in-addr.arpa and you create a child zone with one of the other available conventions, such as 96-120.50.254.10.in-addr.arpa, the CNAMEs point into a zone nobody serves and it won’t properly show itself to the world.
* So whatever name you’re given for your DNS zone by your ISP/network team/DNS fairy is what you have to use for your reverse lookup child zone.
* The period on the end of the CNAME and PTR targets in the zone file is important. A name without a trailing period is relative to the zone origin, so the in-addr.arpa zone name gets appended to the hostname and nslookup shows something like OMGPONIES.glitterponiesarecool.com.96/27.50.254.10.in-addr.arpa. That in essence shows you what you want to see, but it’s not correct, and the trailing period fixes it.
* For the records to work you have to create CNAMEs in the parent zone and PTR records in the child zone. It’s annoying, but that is how classless delegation (RFC 2317) works: a resolver looking up 117.50.254.10.in-addr.arpa asks the parent, gets the CNAME to 117.96/27.50.254.10.in-addr.arpa, and follows it into the delegated child zone, which is the only place the PTR can live. It doesn’t work any other way.