The Community Forums


cPanel Reverse DNS how to

Discussion in 'Bind / DNS / Nameserver Issues' started by ne0shell, Jan 9, 2004.

  1. ne0shell

    ne0shell Well-Known Member

    Joined:
    Oct 9, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    version .01

    After searching for help all over the net in adding PTR records to my cPanel DNS setup, I found a very easy to follow tutorial which along with some other sources, made it possible for me to get reverse DNS working with cPanel. It’s still a question I see quite a bit so I decided to create a short how-to to help others.

    1. You must have reverse authority delegated to you from your hosting provider. Though common wisdom in forums says most providers do not delegate authority, I have found this to be untrue. I don’t recommend asking for it if you don’t feel confident you can handle the technical end of setting up BIND.
    2. You need to have a domain of course, or a few, and it helps greatly to have DNS set up and working for a few days prior to attempting this.
    3. Every install of cPanel I have done to date comes with a broken BIND server. The issue is always the rndc.key issue. My first task on every cPanel install now is to do the following fix before I add any information in cPanel WHM at all. To fix it, open /etc/rndc.conf in a text editor and at the top you should see this:

    # Start of rndc.conf
    key "rndc-key" {
    algorithm hmac-md5;
    secret "XXXXXXXXXXXXXXX==";
    };

    options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
    };

    change all the references of “rndc-key” to “rndc.key”.

    4. Now open /etc/named.conf and at the top change the rndc-key reference to rndc.key also.
    5. In SSH type “rndc reload”.
    6. In SSH type /scripts/fixndc (try it twice; some people need to, but I usually get a message telling me further uses of the script are not needed).
    7. It doesn’t hurt to go into cPanel WHM and restart BIND at this point. You should get a clean restart with no connection or rndc error.

    Now the real fun begins. There’s a lot of really good technical information to be found in the process of setting up RDNS that helps one gain an understanding of how the DNS process works as a whole.

    The current version of BIND for Redhat and cPanel uses a database system for the zone files and named.conf entries. It’s basically a two-part process. BIND looks at /etc/named.conf for a list of zone entries which tell it what domains your server is responsible for. These entries tell BIND to go look in /var/named/ for zone.db files which contain the actual DNS information such as IP address, MX records and soon, Reverse (PTR) records.

    Reverse DNS is just that, it's REVERSE. The server performing the RDNS lookup traces your IP address backwards in order to get to your server's DNS files and pull the PTR entry.
    Part1 : Adding the reverse lookup zones

    For the sake of example, we're going to use the IP range 10.1.2.1 thru 10.1.2.4. To make it easy, we're going to assign PTR for the domains punk.rocks.org (10.1.2.1) and icecream.ischill.org (10.1.2.2).

    First open /etc/named.conf in pico or nano, etc. and go down to the bottom of the page. We need to add the “in-addr.arpa” entries for our IP range. You're going to reverse the IP address and leave off the last digit, so our record would be for 2.1.10 instead of 10.1.2.# . The record should look like this:

    };


    zone "2.1.10.in-addr.arpa" IN {
    type master;
    file "/var/named/2.1.10.db";
    allow-update { none; };
    };

    Be sure you have that }; separating your entries. This entry tells the lookup computer that IPs starting with 10.1.2. might belong to us and to go look at the file /var/named/2.1.10.db to get specifics.

    That’s it for named.conf. If you own other address ranges you would want to add a separate entry for each of them too and point them each to their own IP block .db file.

    Now we need to create a 2.1.10.db file in /var/named and edit it. I prefer to make a copy of another zone.db file and edit it locally using vim. It’s a normal DNS zone file except where you would have the full IP address you only put the last digit of the IP.

    ; Modified by Web Host Manager
    ; Zone File for 2.1.10
    $TTL 86400
    @ 14400 IN SOA ns1.rocks.org. root.rocks.org. (
    1997022703
    28800
    14400
    3600000
    86400
    )
    14400 IN NS ns1.rocks.org.
    14400 IN NS ns2.rocks.org.

    1 IN PTR punk.rocks.org.
    2 IN PTR icecream.ischill.org.
    3 IN PTR res.rocks.org.
    4 IN PTR res.ischill.org.

    That’s basically it. You're telling the lookup host that IP 10.1.2.1 reverses to punk.rocks.org and that 10.1.2.2 reverses to icecream.ischill.org. In this example IPs 3 and 4 aren’t being used yet so I add res to indicate reserved for future domains. You can also leave them out of the .db file but I put them in for testing. Also note the periods after the domain names; they have to be there or it will not work.
    I left the default values for TTL, refresh, etc.; a test on some of the online DNS diagnostic tools indicates these can be improved upon greatly.

    Once that’s all complete go to SSH and type rndc reload. If your domains have already propagated you can use an online DNS tool to check your IPs for reverse entry. It usually works very fast for me, changes showing up instantly. A good place to use is: http://www.dnsstuff.com/
    You can check your local DNS server by using the dig command in SSH.

    Commands: dig your.domain.com and dig -x 10.1.2.1. You should get back lots of useful information; what you don’t want to see is “servfail”. This indicates the DNS server responsible is not responding.

    There’s lots more to know but this will get you going. Any mistakes or needed add-ons please feel free to help out.
    Good luck,
    Brian
    Neoshell.net
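The procedure in the post above, carried through as an added example (this is not the poster's code): a script that derives the in-addr.arpa zone name and the PTR owner labels for an octet-aligned block, renders the named.conf stanza and the reverse zone file with the trailing dots the post warns about, and then runs the check a receiving mail server actually performs, forward-confirmed rDNS (the PTR target must have an A record that points back at the same IP). The hostnames, nameservers, the 10.1.2.0/24 block and the forward A records are all constructed; 10.0.0.0/8 is private space and would never be delegated to you by a provider. Blocks smaller than a /24 do not map to a single in-addr.arpa zone and need RFC 2317 classless delegation from the provider, so the script rejects them instead of guessing.

```python
"""Build a BIND reverse (in-addr.arpa) zone for an octet-aligned IPv4 block and
check it the way a receiving mail server does (forward-confirmed reverse DNS).

Added example, not code from the original forum post. The IPs, hostnames and
nameserver names are constructed to mirror the post's 10.1.2.x illustration.
"""
import ipaddress

# Constructed sample data (mirrors the forum example; not real delegations).
BLOCK = "10.1.2.0/24"
PTR_MAP = {
    "10.1.2.1": "punk.rocks.org",
    "10.1.2.2": "icecream.ischill.org",
    "10.1.2.3": "res.rocks.org",
    "10.1.2.4": "res.ischill.org",
}
NAMESERVERS = ["ns1.rocks.org", "ns2.rocks.org"]
SOA_CONTACT = "root.rocks.org"          # hostmaster mailbox, '@' written as '.'

# Constructed forward (A) records, as a receiving MTA would resolve them.
FORWARD_A = {
    "punk.rocks.org": ["10.1.2.1"],
    "icecream.ischill.org": ["10.1.2.2"],
    "res.ischill.org": ["10.1.2.9"],    # points somewhere else: FCrDNS mismatch
    # res.rocks.org has no A record at all
}


def fqdn(name: str) -> str:
    """Force exactly one trailing dot; without it BIND appends the zone origin."""
    return name.rstrip(".") + "."


def reverse_zone_name(cidr: str) -> str:
    """Octet-aligned IPv4 block (/8, /16 or /24) -> its in-addr.arpa zone name."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(
            "only /8, /16 and /24 map to one in-addr.arpa zone; "
            "smaller blocks need RFC 2317 classless delegation from the provider")
    kept = net.prefixlen // 8
    octets = str(net.network_address).split(".")[:kept]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str, cidr: str) -> str:
    """Owner name of ip relative to the reverse zone of cidr: the host octets, reversed."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    host_octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def named_conf_stanza(cidr: str, zone_dir: str = "/var/named") -> str:
    """The zone {} block to append to named.conf for this reverse zone."""
    zone = reverse_zone_name(cidr)
    db_file = zone[: -len(".in-addr.arpa")] + ".db"
    return (f'zone "{zone}" IN {{\n'
            "    type master;\n"
            f'    file "{zone_dir}/{db_file}";\n'
            "    allow-update { none; };\n"
            "};\n")


def reverse_zone_file(cidr, ptr_map, nameservers, contact, serial):
    """Render the reverse zone file. Bump serial (YYYYMMDDnn) on every edit or
    secondaries will keep serving the old data."""
    lines = [
        f"; Reverse zone for {cidr}",
        "$TTL 86400",
        f"@ 14400 IN SOA {fqdn(nameservers[0])} {fqdn(contact)} (",
        f"        {serial} ; serial",
        "        28800      ; refresh",
        "        14400      ; retry",
        "        3600000    ; expire",
        "        86400 )    ; negative-cache TTL",
    ]
    lines += [f"        14400 IN NS {fqdn(ns)}" for ns in nameservers]
    lines.append("")
    for ip in sorted(ptr_map, key=ipaddress.ip_address):
        lines.append(f"{ptr_owner(ip, cidr)} IN PTR {fqdn(ptr_map[ip])}")
    return "\n".join(lines) + "\n"


def fcrdns_check(ptr_map, forward_a):
    """Forward-confirmed rDNS: the PTR target must have an A record that points
    back at the same IP. Returns {ip: 'ok' | 'no-forward' | 'mismatch'}."""
    result = {}
    for ip, name in ptr_map.items():
        addrs = forward_a.get(name.rstrip("."))
        if not addrs:
            result[ip] = "no-forward"
        elif ip in addrs:
            result[ip] = "ok"
        else:
            result[ip] = "mismatch"
    return result


if __name__ == "__main__":
    print(named_conf_stanza(BLOCK))
    print(reverse_zone_file(BLOCK, PTR_MAP, NAMESERVERS, SOA_CONTACT, "2004010901"))
    print(fcrdns_check(PTR_MAP, FORWARD_A))
```

Run it with python3 to print the stanza, the zone file and the FCrDNS report; the stanza goes at the end of /etc/named.conf and the zone file into /var/named, followed by `rndc reload` as in the post. The report is the part the post does not show: 10.1.2.4 has a perfectly good PTR, but its name resolves to a different address, and mail servers that check forward-confirmed rDNS treat that the same as having no reverse entry at all.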
     
  2. BuBa

    BuBa Active Member

    Joined:
    Sep 25, 2002
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    The Netherlands
    Great howto

    But how do I do it when I have more than one (1) domain on an IP? Can someone explain that to me?
     
  3. ne0shell

    ne0shell Well-Known Member

    Joined:
    Oct 9, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Unfortunately, as far as I know, and if I'm wrong I'd like to know the answer to that myself, the DNS system as it currently is will only grab the first record. You can list them all out without breaking anything and I'm not sure what will work and what won't (IRC will grab the first entry in the list for that IP, that much I do know).

    1 IN PTR icecream.ischilled.org.
    1 IN PTR vanilla.icecream.ischilled.org.
    1 IN PTR chocolate.icecream.ischilled.org.

    etc, etc

    IRC will grab the top entry in the zone file and ignore the others. I wondered if ident could be made to change that somehow but my experiments so far haven't yielded the desired results. If anyone can describe PTR and named based hosts, please do so to complete the how-to.
     
  4. yaax

    yaax Well-Known Member

    Joined:
    Jun 15, 2003
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    I did as described in this tutorial about reverse DNS records, but on DNSStuff.com my server is still not recognized with reverse DNS.
    Do I need to contact my data center, or can I do it myself with some setup on my box only?
     
  5. Marty

    Marty Well-Known Member

    Joined:
    Oct 10, 2001
    Messages:
    630
    Likes Received:
    1
    Trophy Points:
    18
    yaax,

    Did you read step one:

    If the datacenter has not done what is bolded above, then this tutorial will not work. This tutorial assumes that authority is delegated to you. I don't know a single datacenter that does that by default, but many will do it upon request.
     
  6. faqall

    faqall Active Member

    Joined:
    Jul 17, 2004
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Let's say we don't have the auth... will it hurt to do this anyway?
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you haven't been delegated authority, it would be a completely pointless exercise as the DNS records wouldn't be used. You have to ask your NOC to either delegate or have them set up rDNS for you.
     
  8. EcoHosting

    EcoHosting Member

    Joined:
    Mar 6, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Montreal
    PTR records

    Correct me if I am wrong but the whole idea is to map an IP with a specific domain name? It has to be 1 IP per name anything more would be pointless. Having more than one name per IP would defeat one of the important uses of ptr records, to identify a given server. Many mail servers without valid MX records and their associated pointers could find themselves being refused connections by an increasing number of mail servers.

    Personally I always make sure my dns and mail servers have proper and unique ptr records.
     
  9. EcoHosting

    EcoHosting Member

    Joined:
    Mar 6, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Montreal
    Oh, almost forgot, thanks ne0shell for the how-to. I was looking for that exact process. I hate having to make a request every time I need a PTR record.
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You're completely correct. But defining your own PTR records only makes a difference if they are delegated to you by your NOC (or you "own" them). Otherwise, the NOC has to create the PTR record for you.
     
  11. EcoHosting

    EcoHosting Member

    Joined:
    Mar 6, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Montreal
    I know, I was just answering BuBa's question. Should've mentioned it. :)
     
  12. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Ok, I successfully set up the RDNS for my main IP address a long time ago.

    Here is the problem I'm running across now. I have a customer that is using their own mail server and we just changed the zone file to point to their mail server.

    I tried to add RDNS for their IP address on my machine, but am not having any luck. I'm not sure if this can be done at all.

    The strange thing is when I create the .db file and then reload rndc the file gets deleted? Do you know why that might be?
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You cannot do that. Only the owner of the IP address can create rDNS entries for any given IP address.
     
  14. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    I was afraid of that. So if they have their own mail server, the owner of their IP address has to add the RDNS, which is probably their ISP?
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yes :)

    [this text added to meet the minimum posting length requirement]
     
  16. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Ok, now I am really confused. I called the guy and he said he never had this problem with his previous hosting company before.

    And here is the strange thing. I tried to do a dig and it seems to come back ok. Does this look right?

    Here is the dig on mail.domain.com:

    dig mail.csisd.org

    ; <<>> DiG 9.2.1 <<>> mail.csisd.org
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55005
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mail.csisd.org.                        IN      A

    ;; ANSWER SECTION:
    mail.csisd.org.         14400   IN      CNAME   email4400.csisd.org.
    email4400.csisd.org.    14400   IN      A       204.56.144.241

    ;; AUTHORITY SECTION:
    csisd.org.              14400   IN      NS      ns3.ixsweb.com.
    csisd.org.              14400   IN      NS      ns1.ixsweb.com.

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Oct 19 16:56:03 2004
    ;; MSG SIZE  rcvd: 118

    Here is the dig on the IP address:

    dig -x 204.56.144.241

    ; <<>> DiG 9.2.1 <<>> -x 204.56.144.241
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8521
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;241.144.56.204.in-addr.arpa.   IN      PTR

    ;; AUTHORITY SECTION:
    144.56.204.in-addr.arpa. 10800  IN      SOA     dns.tamu.edu. dns.net.tamu.edu. 10 28800 3600 604800 28800

    ;; Query time: 2354 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Oct 19 16:53:20 2004
    ;; MSG SIZE  rcvd: 101

    But when I do a DNS report it fails?
     
  17. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, he doesn't have to have an rDNS entry for his mail server's IP address, especially if he's only going to receive email onto it. If he wants to send email from it, then he may find himself being blocked by some SMTP servers that won't relay email for a server without an rDNS entry.
     
  18. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Which is exactly what i think is happening.

    When I look at what I posted before in the dig of the ip address.....does it need to have a PTR record? It looks like it might be commented out? Is that all they would need to add?
     
  19. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    All the output is showing is that the PTR does not exist (that's how dig -x shows it when it doesn't exist). Yes, all the ISP would have to do is create that record. It's odd as most ISPs these days automatically create PTR records anyway.
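The thread ends up distinguishing three dig -x outcomes by hand: the first post says "servfail" means the responsible server is not responding, post 3 notes that only the first of several PTRs gets used, and the reply above reads NXDOMAIN as "the PTR simply does not exist". The script below, an added example that is not part of the thread, does that classification over dig -x output and also pulls the zone and primary nameserver out of the AUTHORITY section's SOA, which tells you whose DNS has to change. The four sample outputs are constructed; the NXDOMAIN one is modelled on the dig run posted above, the others use made-up names and private IPs.

```python
"""Classify `dig -x` output into the cases this thread runs into: PTR present,
PTR missing (NXDOMAIN), authoritative server failing (SERVFAIL) or no reply at
all, and report which zone/nameserver is authoritative for the address.

Added example, not code from the thread. Sample outputs are constructed.
"""
import re

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
PTR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)", re.MULTILINE)
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)", re.MULTILINE)


def classify_dig_x(output: str) -> dict:
    """Return status, PTR targets, a verdict and the SOA owner/primary NS (if any)."""
    m = STATUS_RE.search(output)
    status = m.group(1) if m else "NONE"   # dig prints no HEADER line on a timeout
    ptrs = [target for _owner, target in PTR_RE.findall(output)]
    if status == "NOERROR" and ptrs:
        verdict = "ptr-present"
    elif status == "NOERROR":
        verdict = "no-ptr-data"            # name exists but carries no PTR record
    elif status == "NXDOMAIN":
        verdict = "ptr-missing"            # zone answers; the record was never created
    elif status == "SERVFAIL":
        verdict = "server-failure"         # broken authoritative server or lame delegation
    else:
        verdict = "no-answer"
    soa = SOA_RE.search(output)
    return {
        "status": status,
        "ptr": ptrs,
        "multiple_ptr": len(ptrs) > 1,     # most clients only ever use the first one returned
        "verdict": verdict,
        "zone": soa.group(1) if soa else None,
        "primary_ns": soa.group(2) if soa else None,
    }


# Constructed sample: modelled on the NXDOMAIN run posted in this thread.
SAMPLE_MISSING = """\
; <<>> DiG 9.2.1 <<>> -x 204.56.144.241
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8521
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;241.144.56.204.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
144.56.204.in-addr.arpa. 10800  IN      SOA     dns.tamu.edu. dns.net.tamu.edu. 10 28800 3600 604800 28800
"""

# Constructed sample: a working PTR in a private block (illustration only).
SAMPLE_PRESENT = """\
; <<>> DiG 9.2.1 <<>> -x 10.1.2.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;1.2.1.10.in-addr.arpa.         IN      PTR

;; ANSWER SECTION:
1.2.1.10.in-addr.arpa.  86400   IN      PTR     punk.rocks.org.

;; AUTHORITY SECTION:
2.1.10.in-addr.arpa.    14400   IN      NS      ns1.rocks.org.
2.1.10.in-addr.arpa.    14400   IN      NS      ns2.rocks.org.
"""

# Constructed sample: the authoritative server is answering but failing.
SAMPLE_SERVFAIL = """\
; <<>> DiG 9.2.1 <<>> -x 10.1.2.3
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;3.2.1.10.in-addr.arpa.         IN      PTR
"""

# Constructed sample: nothing answered at all.
SAMPLE_TIMEOUT = """\
; <<>> DiG 9.2.1 <<>> -x 10.1.2.4
;; connection timed out; no servers could be reached
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MISSING, SAMPLE_PRESENT, SAMPLE_SERVFAIL, SAMPLE_TIMEOUT):
        print(classify_dig_x(sample))
```

The practical difference between the verdicts: "ptr-missing" with a populated zone/primary_ns means the delegation is fine and you (or, as in this thread, the IP's real owner) just need to add the record at that primary; "server-failure" means nobody can see any PTR you add until the authoritative server itself is fixed; "no-answer" usually means the query never left the box or the resolver is down, so it says nothing about the record either way.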
     
  20. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    That's what I thought, and told the guy, but just wanted to double check. I'll see what his response is.
     