Delegating Reverse Lookup Zones for big subnets

Imagine that your company’s network owns the IPv4 range 40.50.60.0 – 40.50.60.255. The Reverse Lookup zone would be 60.50.40.in-addr.arpa, covering this entire network. Your primary nameserver is ns.acme.com. Your zone would look something like this:

$TTL 1h
60.50.40.in-addr.arpa.      IN    SOA    ns.acme.com.      support.acme.com. (
                                              2011120201    ; serial (YYYYMMDDnn, must fit in 32 bits)
                                              4h            ; refresh
                                              1h            ; retry
                                              1w            ; expire
                                              1h            ; negative-cache TTL
                                              )

@          IN          NS           ns.acme.com.
1          IN          PTR          www.acme.com.

But now you want to delegate the range 40.50.60.20 – 40.50.60.39 to the nameserver coyote.acme.com. Since those addresses live in the same reverse zone, you cannot simply delegate the whole zone: that would hand control of your entire network to coyote.acme.com, which is not what you want to achieve with a delegation.

You could create a zone for each host (20.60.50.40.in-addr.arpa, 21.60.50.40.in-addr.arpa, 22.60.50.40.in-addr.arpa etc.), but in that case you'd have to create 20 zones! Just imagine the number of zones when delegating a network like 5.0.0.0/8. That would be over 16 million zones created by hand.

Instead there's an easy workaround for this problem (it is the approach described in RFC 2317, classless in-addr.arpa delegation). We create a subdomain of the reverse zone, delegate that subdomain, and then create a CNAME for each address pointing into it. Like this:

$TTL 1h
60.50.40.in-addr.arpa.      IN    SOA    ns.acme.com.      support.acme.com. (
                                              2011120201    ; serial (YYYYMMDDnn, must fit in 32 bits)
                                              4h            ; refresh
                                              1h            ; retry
                                              1w            ; expire
                                              1h            ; negative-cache TTL
                                              )

@          IN          NS           ns.acme.com.
1          IN          PTR          www.acme.com.

; Delegation of 40.50.60.20 - 39. Make sure that you have an A record of coyote
; pointing to its IP address.

20-39.60.50.40.in-addr.arpa.     IN     NS     coyote.acme.com.

20          IN          CNAME          20.20-39.60.50.40.in-addr.arpa.
21          IN          CNAME          21.20-39.60.50.40.in-addr.arpa.
22          IN          CNAME          22.20-39.60.50.40.in-addr.arpa.
; ... and so on, one CNAME per address, up to the last one
39          IN          CNAME          39.20-39.60.50.40.in-addr.arpa.

On the coyote.acme.com nameserver, create a reverse zone called '20-39.60.50.40.in-addr.arpa.'.

Now create the PTR records as you would in any reverse zone, but only for the delegated addresses.

$TTL 1h
20-39.60.50.40.in-addr.arpa.      IN    SOA    coyote.acme.com.      support.acme.com. (
                                              2011120201    ; serial (YYYYMMDDnn, must fit in 32 bits)
                                              4h            ; refresh
                                              1h            ; retry
                                              1w            ; expire
                                              1h            ; negative-cache TTL
                                              )

@          IN          NS          coyote.acme.com.
20         IN         PTR          tools.coyote.acme.com.
21         IN         PTR          ftp.coyote.acme.com.
39         IN         PTR          intranet.coyote.acme.com.
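To see how a resolver walks this delegation, and to check that the child zone really answers for every delegated address, here is an added Python example (not part of the original post and not BIND code). It embeds the parent and child zones above as constructed record sets, follows the CNAME from the parent into the child zone the way a resolver would, and lists the addresses in 40.50.60.20 – 39 for which the chain ends without a PTR. The function names are this example's own.

```python
"""Walk the CNAME -> PTR chain of a classless reverse delegation and
audit the delegated range.  Added example, not the post's own code;
the record sets are constructed from the post's sample zones."""
import ipaddress

# Parent zone 60.50.40.in-addr.arpa (served by ns.acme.com), reduced to
# owner -> (type, rdata).  Constructed from the post's example.
PARENT = {
    "1.60.50.40.in-addr.arpa.": ("PTR", "www.acme.com."),
    "20-39.60.50.40.in-addr.arpa.": ("NS", "coyote.acme.com."),
}
for i in range(20, 40):
    PARENT[f"{i}.60.50.40.in-addr.arpa."] = ("CNAME", f"{i}.20-39.60.50.40.in-addr.arpa.")

# Child zone 20-39.60.50.40.in-addr.arpa (served by coyote.acme.com),
# holding only the PTRs the post shows.  Constructed sample data.
CHILD = {
    "20-39.60.50.40.in-addr.arpa.": ("NS", "coyote.acme.com."),
    "20.20-39.60.50.40.in-addr.arpa.": ("PTR", "tools.coyote.acme.com."),
    "21.20-39.60.50.40.in-addr.arpa.": ("PTR", "ftp.coyote.acme.com."),
    "39.20-39.60.50.40.in-addr.arpa.": ("PTR", "intranet.coyote.acme.com."),
}
ZONES = {"60.50.40.in-addr.arpa.": PARENT, "20-39.60.50.40.in-addr.arpa.": CHILD}


def zone_for(name):
    """Longest-suffix match: the zone that is authoritative for name."""
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def reverse_lookup(ip, max_hops=8):
    """PTR target for ip, following CNAMEs across zones like a resolver.
    Returns None when the chain ends without a PTR (or loops)."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    for _ in range(max_hops):
        zone = zone_for(name)
        rr = ZONES[zone].get(name) if zone else None
        if rr is None:
            return None                      # NXDOMAIN / NODATA
        rtype, rdata = rr
        if rtype == "PTR":
            return rdata
        if rtype != "CNAME":
            return None                      # e.g. only an NS at this name
        name = rdata                         # continue at the canonical name
    return None                              # CNAME chain too long or cyclic


def audit_delegation(first, last):
    """Addresses in first..last whose reverse lookup yields no PTR."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)
            if reverse_lookup(str(ipaddress.ip_address(n))) is None]


if __name__ == "__main__":
    print("40.50.60.21 ->", reverse_lookup("40.50.60.21"))
    print("no PTR:", audit_delegation("40.50.60.20", "40.50.60.39"))
```

With the child zone exactly as shown above only .20, .21 and .39 have PTRs, so the audit reports .22 through .38 as unanswered; that is the kind of gap the delegated party has to fill. On a live deployment `dig -x 40.50.60.21` shows the same CNAME-then-PTR chain in its answer section.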

At this point you might be wondering how large your zone file will become if you do this for a large number of addresses, like 40.50.60.10 – 40.50.60.200. We use the $GENERATE statement in BIND to generate the CNAMEs for us. So the zone file would look like this:

$TTL 1h
60.50.40.in-addr.arpa.      IN    SOA    ns.acme.com.      support.acme.com. (
                                              2011120201    ; serial (YYYYMMDDnn, must fit in 32 bits)
                                              4h            ; refresh
                                              1h            ; retry
                                              1w            ; expire
                                              1h            ; negative-cache TTL
                                              )

@          IN          NS           ns.acme.com.
1          IN          PTR          www.acme.com.

10-200.60.50.40.in-addr.arpa.     IN     NS     coyote.acme.com.

; $ is replaced by each value from 10 to 200. The owner name stays
; relative to the zone (no trailing dot); the CNAME target is absolute.
$GENERATE 10-200 $     IN     CNAME   $.10-200.60.50.40.in-addr.arpa.

Or even a 5.0.0.0/16 network with the range 5.1.0.0 – 5.2.0.0:

$TTL 1h
5.in-addr.arpa.      IN    SOA    ns.acme.com.      support.acme.com. (
                                              2011120201    ; serial (YYYYMMDDnn, must fit in 32 bits)
                                              4h            ; refresh
                                              1h            ; retry
                                              1w            ; expire
                                              1h            ; negative-cache TTL
                                              )

@          IN          NS           ns.acme.com.
1.0.0      IN          PTR          www.acme.com.

coyote.5.in-addr.arpa.     IN     NS     coyote.acme.com.

; $GENERATE has a single iterator ($), so "$.$.1" would only produce the
; diagonal 0.0.1, 1.1.1, ... 255.255.1. Fix the next-to-last octet per
; line instead: one $GENERATE line for each of its 256 values, per /16.
$GENERATE 0-255 $.0.1   IN     CNAME   $.0.1.coyote.5.in-addr.arpa.
$GENERATE 0-255 $.1.1   IN     CNAME   $.1.1.coyote.5.in-addr.arpa.
; ... continue through $.255.1 for 5.1.0.0/16, then the same for 5.2.0.0/16:
$GENERATE 0-255 $.0.2   IN     CNAME   $.0.2.coyote.5.in-addr.arpa.
; ... continue through $.255.2

On your delegated nameserver, create the reverse zone 'coyote.5.in-addr.arpa.' and put the PTR records in it.
As you can see, this is much easier than creating a zone for each address.
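$GENERATE is handy, but it is BIND-only and has a single iterator, which is why a two-octet range needs one line per value of the middle octet. The following added Python script (not code from the post or from BIND) produces the parent-side records for any range using the same CNAME scheme as the zone files above, and goes one step further: sub-blocks that fall on an octet boundary (such as 5.1.0.0/16, whose reverse name 1.5.in-addr.arpa is a real subzone) get a plain NS delegation, while everything else gets one CNAME per address, across octet boundaries as well. This covers both the 40.50.60.10 – 200 and the 5.x examples. The function names are this example's own; the zone and host names are the post's.

```python
"""Generate the parent-zone records for delegating a reverse-DNS range.
Added example, not the post's own code and not shipped with BIND."""
import ipaddress


def zone_name(network):
    """Reverse zone name of an octet-aligned network:
    40.50.60.0/24 -> '60.50.40.in-addr.arpa.', 5.0.0.0/8 -> '5.in-addr.arpa.'"""
    labels = network.network_address.reverse_pointer.split(".")
    return ".".join(labels[4 - network.prefixlen // 8:]) + "."


def parent_delegation(parent_net, first, last, child_label, child_ns):
    """Records the parent reverse zone needs to hand first..last to child_ns.

    Sub-blocks on an octet boundary (a /16 inside a /8, a /24 inside a /16)
    are real subzones and get a plain NS record.  Anything else gets an NS
    record for <child_label>.<parent zone> plus one CNAME per address into
    that child zone, the scheme the post's zone files use, computed address
    by address so it also works when the range spans several octets.
    """
    parent = ipaddress.ip_network(parent_net)
    if parent.prefixlen not in (8, 16, 24):
        raise ValueError("parent zone must be a /8, /16 or /24 network")
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if first not in parent or last not in parent or first > last:
        raise ValueError("range must lie inside the parent zone")
    if first == parent.network_address and last == parent.broadcast_address:
        raise ValueError("that is the whole zone; delegate the zone itself")

    parent_zone = zone_name(parent)
    host_labels = 4 - parent.prefixlen // 8   # octets below the parent zone
    ns_records, cnames = [], []
    for block in ipaddress.summarize_address_range(first, last):
        if block.prefixlen % 8 == 0 and parent.prefixlen < block.prefixlen < 32:
            # classful sub-block: delegate its own in-addr.arpa name directly
            ns_records.append(f"{zone_name(block)} IN NS {child_ns}")
            continue
        for addr in block:
            # labels below the parent zone, e.g. '20' in a /24, '3.2.1' in a /8
            host = ".".join(addr.reverse_pointer.split(".")[:host_labels])
            cnames.append(f"{addr.reverse_pointer}. IN CNAME "
                          f"{host}.{child_label}.{parent_zone}")
    if cnames:
        # the CNAME targets live in <child_label>.<parent zone>: delegate it
        ns_records.append(f"{child_label}.{parent_zone} IN NS {child_ns}")
    return ns_records + cnames


if __name__ == "__main__":
    for line in parent_delegation("40.50.60.0/24", "40.50.60.20",
                                  "40.50.60.39", "20-39", "coyote.acme.com."):
        print(line)
```

Running it for 40.50.60.20 – 39 reproduces the 21 records of the first delegation (one NS plus twenty CNAMEs); for 5.1.0.0 – 5.2.255.255 it emits only two NS records, because whole /16s do not need the CNAME indirection at all, and the CNAME path is taken only for the parts of a range that do not fall on an octet boundary. Append the output to the parent zone file and check the result with named-checkzone before loading it.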

If you ask your ISP to delegate the reverse zone for your public IP range to you, you are bound to the way they delegate it, but most ISPs do it just like this.

These instructions are for BIND9, but the same procedure works on any DNS server, including Microsoft DNS Server ($GENERATE itself is BIND-specific, so elsewhere you create the CNAMEs by other means).
