8/12/2019 139 Ripe 61 rDNS Kzorba Freedman
1/22
Kostas Zorbadelos - OTE, David Freedman - ClaraNet, RIPE 61, November 2010
Reverse DNS
considerations for IPv6

Reverse DNS in IPv4
- Every Internet-reachable host should have a name. Make sure your PTR and A records match.
- For every IP address, there should be a matching PTR record in the in-addr.arpa domain
- If a host is multi-homed, make sure that all IP addresses have a corresponding PTR record (not just the first one)

Reverse DNS usage in current Internet
- Some applications use DNS lookups for security checks. Failure to find matching reverse mappings is interpreted as a potential security concern
- Web sites could use reverse mapping to verify whether the client is located within a certain geopolitical region
- MTAs can be configured not to accept mail from clients that have no PTR or a non-matching PTR
- Reverse mappings for visitors to services can be used in log entries
- Traceroute output with descriptive reverse mapping proves useful
- Scoring mail on the basis of missing or non-matching reverse mapping...

- The length of individual addresses makes manual zone entries cumbersome. A sample:
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.8.5.0.2.0.a.2.ip6.arpa IN PTR kirk.otenet.gr.
- A single customer can have a /56 or /48 assignment. Pre-population of all possible addresses in a zone is impossible.
- When S

Reverse DNS in IPv6
- So, should we even care about PTRs in ip6.arpa?
- Do we further need
kzorba@ !"> host kirk.otenet.gr
kirk.otenet.gr has IPv6 address 2a02:580:200::100
kzorba@ !"> host 2a02:580:200::100
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.8.5.0.2.0.a.2.ip6.arpa domain name pointer kirk.otenet.gr.

There are a few people that will hate this
kzorba@ !"> traceroute6 www.google.com
[traceroute6 output, 12 hops: every hop except one is listed as a bare IPv6 address; the only name shown is a host under net.google.com]

Usefulness of ip6.arpa records
- Current reality is that PTR records are used in weak authentication methods of services
- This might not go away in the IPv6 world as quickly as some think
- It is useful to have human readable names in log files of servers
- Also useful to show names in traceroutes
- Certain applications like email can make more use of reverse mappings (scoring mails, create reputation in domains etc)...

Approaches to the problem
- Main source of information is currently the IETF Draft draft-howard-isp-ip6rdns-04
- Approaches discussed in the document are no response, wildcard match, various Dynamic DNS solutions, delegation and dynamically generate PTR when queried (on the fly)

No Response
- Provide NXDomain response to PTR queries for subscriber addresses. No worries for rDNS with all the shortcomings.

On the fly responses
- ISPs could generate PTR records for addresses as they are requested.
- The PTR record is generated on demand (from algorithm) and cache or pre-populate the forward (AAAA) entry for the TTL of the PTR.
- Additional processing load in general, DoS counter-measures should be deployed.
- Could be used in a DNSSEC environment with on-the-fly signatures.
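
An added sketch of the on-the-fly approach, not code from the slides: the PTR target is derived from the queried address and the AAAA answer is derived back from that generated name, so forward and reverse always match without per-address state (the slide's variant caches the AAAA instead). The prefix, the forward zone and the ip6-<hex> naming scheme are assumptions made for the example.

```python
import ipaddress
import re

# Assumptions for this example: documentation prefix as the subscriber block,
# hypothetical forward zone, hypothetical "ip6-<32 hex digits>" host naming.
CUSTOMER_NET = ipaddress.IPv6Network("2001:db8::/32")
FORWARD_ZONE = "dyn.provider.example."
_HOST_RE = re.compile(r"^ip6-([0-9a-f]{32})\." + re.escape(FORWARD_ZONE) + "$")

def addr_from_ptr_qname(qname):
    """Parse a full 32-nibble ip6.arpa name; None for anything malformed."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:32]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    # Labels run from the lowest nibble to the highest, so reverse them.
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def synth_ptr(qname):
    """PTR target generated on demand; None (NXDOMAIN) outside the block."""
    addr = addr_from_ptr_qname(qname)
    if addr is None or addr not in CUSTOMER_NET:
        return None
    return "ip6-%032x.%s" % (int(addr), FORWARD_ZONE)

def synth_aaaa(qname):
    """AAAA answer for a generated name, computed from the name itself."""
    m = _HOST_RE.match(qname.lower())
    if not m:
        return None
    addr = ipaddress.IPv6Address(int(m.group(1), 16))
    return addr if addr in CUSTOMER_NET else None

def forward_confirmed(addr):
    """The matching check a mail server or logger applies: PTR, then AAAA."""
    a = ipaddress.IPv6Address(addr)
    target = synth_ptr(a.reverse_pointer + ".")
    return target is not None and synth_aaaa(target) == a

if __name__ == "__main__":
    q = ipaddress.IPv6Address("2001:db8:1:100::1").reverse_pointer + "."
    print(synth_ptr(q), forward_confirmed("2001:db8:1:100::1"))
```

Because nothing is stored per query, a flood of PTR lookups costs CPU but does not grow server state; rate limiting is still needed for the processing load the slide mentions.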

Dynamic DNS Approaches
- It's a way to ensure that forward and reverse records match
- Does it scale? Does anybody do it in a large scale network?
- Once interface configuration is complete hosts could provide both AAAA and PTR updates
- Of course they need to know which nameservers to update
- What about authentication of update requests?
- DoS to the system is possible
- Illegal or inappropriate strings could be provided as hostnames

Dynamic DNS from individual hosts
- The simplest case is a residential user with a single host connected to the ISP
- ISP should provide address information, recursive nameserver and domain search list via DHCPv6
- Host determines FQDN by appending hostname and search list
- Host performs multiple SOA queries to find the longest prefix delegated by DNS admin
- Once found, host sends dynamic AAAA and PTR updates
- Not the default behavior for many hosts
- Most customers are expected to be connected through a residential gateway to the ISP

Dynamic DNS from AAA
$ORIGIN 0.0.8.b.d.0.1.0.0.2
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR dn-ct1234.ipv6.provider.net.
- Driven by DHCP (OFFER) or RADIUS (ACCT-START)
- Prefix assigned given a wildcard, single record for the customer's gateway OR a set is generated on the fly to cover the whole prefix
- Removed afterward when lease expires (DHCP) or user logs/is logged off (RADIUS ACCT-STOP)
- Perhaps tie in authenticated updates from your customer's delegated equipment? (nice to have)
- No current implementations exist for IPv6 PTR (stop me if you know of one)

Dynamic DNS from AAA
Cable environment (DOCSIS3)
[Diagram boxes: CRG, CMTS, DHCPD, NAMED, CDB]
1. CRG requests IPv6

Dynamic DNS from AAA
DSL environment (PPP) - Much the same
[Diagram boxes: Router, NAS/RAS, RADIUS, AUTH, NAMED, CDB]
1. Router makes PPP call to NAS/RAS, negotiates IPv6CP as NCP, NAS/RAS consults RADIUS
2. RADIUS asks CDB, gets transfer prefix and delegated prefix (if static) else uses a pool
3. NAS/RAS issues Framed-IPv6-Prefix to Router (via RA) and asks for Static Framed-Interface-ID of a known value (to prevent router S

Delegation Approach
$ORIGIN 8.b.d.0.1.0.0.2
1.0.0.0 IN NS ns1.ooctomer.net.
- Very simple, make it the customer's problem
- Not all customers have the skillset and means to do this
- More frequent delegations mean more frequent lame delegations (RFC1713)
- Regular audits however should pick this up

Wildcard records and DNSSEC
$ORIGIN 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
* IN PTR dn-ct1234.ipv6.provider.net.
- Wildcarding your /64, /56 and /48 assignments
- Customer overrides wildcard with more specifics if need be
- Wildcards can be validated in DNSSEC by use of LABELS field in RRSIG (RFC4034/403)
3600 RRSIG 4N:; 5 2 3600 20101130230003 (20101031230003 29161
- Again, forward and reverse do not match, if customer really has an application that requires this, punch more specific hole as above
- Management of such holes may be a new system to deploy

Wildcard records and DNSSEC
It would actually look something like this:
$ORIGIN 1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
* IN PTR dn-ct1234.ipv6.provider.net.
3600 RRSIG 4N:; 5 16 3600 20101130230003 (20101031230003 29161
The number 16 allows the wildcard to represent the 16 labels of the /56 prefix when in ip6.arpa format whilst excluding the null (root) label on the right and the wildcard label on the left:
*.1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
f.e.e.b.d.a.e.d.f.e.e.b.d.a.e.d.0.0.1.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Covered extensively in RFC403 section .
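
The label arithmetic above, as an added example that is not from the slides: it builds the wildcard owner for a nibble-aligned prefix, computes the RRSIG Labels value for it, and applies the comparison a validator uses to tell that an answer was expanded from that wildcard. Function names are hypothetical; the /56 prefix and the query name are the ones shown on the slide.

```python
import ipaddress

def wildcard_owner(prefix):
    """Owner name of the wildcard PTR covering a nibble-aligned IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix must fall on a nibble boundary")
    hexdigits = net.network_address.exploded.replace(":", "")
    nibbles = hexdigits[: net.prefixlen // 4]
    return "*." + ".".join(reversed(nibbles)) + ".ip6.arpa."

def split_labels(name):
    """Labels of an absolute name, root label excluded."""
    return name.rstrip(".").split(".")

def rrsig_labels(owner):
    """RRSIG Labels value: the root label and a leading '*' are not counted."""
    labels = split_labels(owner)
    return len(labels) - 1 if labels[0] == "*" else len(labels)

def wildcard_source(qname, labels_field):
    """Wildcard the answer for qname was expanded from, or None if exact.

    An answer whose owner name has more labels than the Labels field of the
    covering RRSIG was synthesized from '*.' plus the rightmost labels.
    """
    labels = split_labels(qname)
    if labels_field > len(labels):
        raise ValueError("bogus RRSIG: Labels field exceeds the owner name")
    if labels_field == len(labels):
        return None
    tail = labels[len(labels) - labels_field:]
    return ".".join(["*"] + tail) + "."

if __name__ == "__main__":
    owner = wildcard_owner("2001:db8:1:100::/56")
    host = ipaddress.IPv6Address("2001:db8:1:100:dead:beef:dead:beef")
    qname = host.reverse_pointer + "."
    print(owner, rrsig_labels(owner))
    print(wildcard_source(qname, rrsig_labels(owner)))
```

A customer's more specific PTR that overrides the wildcard is signed with Labels 34, so the same comparison reports it as an exact match rather than an expansion.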

An Opinion for the immediate future
- For infrastructure ranges (servers, network elements): Continue doing things in the IPv4 way, that is, populate the forward zones with these addresses and create the ip6.arpa PTRs automatically via a script
- For customer assignments - in case a customer is large enough and has DNS expertise, delegate his assignment to his nameservers along with any of his domains and get done with it

An Opinion (cont.)
- In the other cases (general broadband users or corporate customers) pre-populate ip6.arpa with their assignments (/56 or something) using wildcard records.
- It would be great if the customer (only static?) has some sort of web interface to create records under a specified (forward) subdomain for him e.g.
.
- The customer could choose to lose the wildcard record in ip6.arpa and have PTRs generated based solely on his AAAA records. Else, the AAAA records he creates create holes in the wildcard match.

Questions?

References
- RFC1912 - Common DNS Operational and Configuration Errors
  http://www.faqs.org/rfcs/rfc1912.html
- Reverse DNS in IPv6 for Internet Service Providers - draft-howard-isp-ip6rdns-04
  http://tools.ietf.org/html/draft-howard-isp-ip6rdns-04
- Considerations for the use of DNS Reverse Mapping - draft-ietf-dnsop-reverse-mapping-considerations-06
  http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations-06