Showing posts with label DNS. Show all posts

Friday, 1 March 2013

BIND DNS: reverse delegation of IP range

Besides mapping domain names to IP addresses, DNS can also map IP addresses back to domain names (reverse mapping, served from PTR records). Many applications rely on reverse mapping to function properly:
NetBackup throws errors if reverse mapping is missing or set up incorrectly, and email systems also need correct reverse mapping.

Suppose we own the whole range 222.222.222.0/24; then we can configure reverse mapping in named.conf:

zone "222.222.222.in-addr.arpa" {
    type master;
    file "222.222.222.rev";
};

If we only own part of 222.222.222.0/24, say 222.222.222.64 to 222.222.222.95, the reverse mapping is done with classless reverse delegation (the RFC 2317 scheme).

From 222.222.222.64 to 222.222.222.95 there are 30 usable addresses; with the network and broadcast address that makes 32 addresses. 32 = 2^5, and 8 x 4 - 5 = 27, so our IP range can be written as 222.222.222.64/27.

The ISP should have defined the reverse delegation in its reverse zone file (222.222.222.in-addr.arpa). Note the trailing dot on the name server name: without it BIND would append the zone origin to the name.
64/27    IN    NS    ns.sg.linuxscripter.blogspot.com.

Now we can define the reverse mapping for our IP range in our own named.conf:
zone "64/27.222.222.222.in-addr.arpa" {
    type master;
    file "64-95.222.222.222.rev";
};
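The two halves of a classless reverse delegation have to agree exactly (the label in the ISP's NS record, the zone name in our named.conf, and one CNAME per address in the ISP's zone that redirects PTR queries into the delegated sub-zone). The following script generates both sides from the address range; it is an added example, not code from the original post. It assumes the post's dummy range and name server, its "64/27" label style (RFC 2317 leaves the label convention to the ISP and the customer), and a constructed SOA serial and hostmaster mailbox. It also goes a step beyond the post: it derives the prefix length from the first and last address and refuses a range that is not one aligned block.

```python
"""RFC 2317 classless reverse delegation: generate both sides' records.

Added example, not code from the original post. It uses the post's dummy
range (222.222.222.64-95) and name server (ns.sg.linuxscripter.blogspot.com)
and the post's "64/27" label style. SOA serial and hostmaster are constructed.
"""
import ipaddress


def block_to_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Turn 'first .. last' into one CIDR block, the way the post works out
    222.222.222.64-95 -> /27. A range that is not a single aligned
    power-of-two block cannot be delegated as one sub-zone."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not one aligned block; it splits into "
                         + ", ".join(str(n) for n in nets))
    return nets[0]


def zone_names(net: ipaddress.IPv4Network) -> tuple:
    """Return (ISP's /24 reverse zone, sub-zone label, full sub-zone name)."""
    if not 24 < net.prefixlen < 32:
        raise ValueError("classless delegation covers blocks between /25 and /31")
    o1, o2, o3, o4 = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    label = f"{o4}/{net.prefixlen}"
    return parent, label, f"{label}.{parent}"


def isp_records(net, ns_names):
    """Records the ISP adds to its /24 reverse zone: NS records delegating the
    sub-zone, plus one CNAME per address. The NS records alone are not enough:
    a PTR query for 65.222.222.222.in-addr.arpa still lands in the ISP's zone,
    and the CNAME is what redirects it into the delegated sub-zone."""
    parent, label, child = zone_names(net)
    out = [f"$ORIGIN {parent}"]
    out += [f"{label:<12} IN NS    {ns}" for ns in ns_names]
    for addr in net:  # every address in the block, network and broadcast included
        last = str(addr).rsplit(".", 1)[1]
        out.append(f"{last:<12} IN CNAME {last}.{child}")
    return out


def customer_records(net, ns_names, ptr_map,
                     hostmaster="hostmaster.sg.linuxscripter.blogspot.com."):
    """Contents of the customer's sub-zone file (the post's 64-95.222.222.222.rev).
    The SOA timers copy the post's style; serial and hostmaster are constructed."""
    parent, label, child = zone_names(net)
    out = [f"$ORIGIN {child}",
           f"@            IN SOA   {ns_names[0]} {hostmaster} ( 2013030101 2h 15M 3W12h 2h20M )"]
    out += [f"{'@':<12} IN NS    {ns}" for ns in ns_names]
    for addr, host in sorted(ptr_map.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {net}; its PTR belongs in someone else's zone")
        last = str(ip).rsplit(".", 1)[1]
        out.append(f"{last:<12} IN PTR   {host}")
    return out


# Constructed sample data, based on the post's dummy names.
NET = block_to_network("222.222.222.64", "222.222.222.95")
NS_NAMES = ["ns.sg.linuxscripter.blogspot.com."]
PTRS = {"222.222.222.66": "mail.sg.linuxscripter.blogspot.com.",
        "222.222.222.65": "www.sg.linuxscripter.blogspot.com."}

if __name__ == "__main__":
    print("; --- ISP side: add to 222.222.222.in-addr.arpa ---")
    print("\n".join(isp_records(NET, NS_NAMES)))
    print("\n; --- customer side: 64-95.222.222.222.rev ---")
    print("\n".join(customer_records(NET, NS_NAMES, PTRS)))
```

Run it as-is to print both record sets. Feeding it the range 222.222.222.64 to 222.222.222.91 raises an error, because that range splits into three CIDR blocks and would need three delegations rather than one.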
Note: The domain names and IP addresses in this post are dummy ones; I use them for easier writing.

Wednesday, 27 February 2013

BIND DNS: subdomain delegation

Suppose we own the domain name linuxscripter.blogspot.com and have Singapore, Hong Kong and Shanghai offices. If we want the subsidiaries to manage their own domains, we can do this with subdomain delegation. On the headquarters DNS server, in the linuxscripter.blogspot.com zone file, we define the delegation for each subsidiary: the NS record hands the subdomain over, and the A record is the glue that lets resolvers find a name server that lives inside the delegated subdomain.
$ORIGIN sg.linuxscripter.blogspot.com.
@       IN       NS       ns.sg.linuxscripter.blogspot.com.
ns      IN       A        221.221.221.221

$ORIGIN hk.linuxscripter.blogspot.com.
@       IN       NS       ns.hk.linuxscripter.blogspot.com.
ns      IN       A        222.222.222.222

$ORIGIN sh.linuxscripter.blogspot.com.
@       IN       NS       ns.sh.linuxscripter.blogspot.com.
ns      IN       A        223.223.223.223

On ns.sg.linuxscripter.blogspot.com we can define the zone file for the subdomain sg.linuxscripter.blogspot.com just as for a normal domain:

$TTL 7d
$ORIGIN sg.linuxscripter.blogspot.com.
@              IN      SOA   ns.sg.linuxscripter.blogspot.com. hostmaster.abc.domain. (
               2013022701 ; serial number
               2h         ; refresh =  2 hours
               15M        ; update retry = 15 mins
               3W12h      ; expiry = 3 weeks + 12 hours
               2h20M      ; minimum = 2 hours + 20 mins
               )
      IN   NS     ns.sg.linuxscripter.blogspot.com.
      IN   MX     10 mail.sg.linuxscripter.blogspot.com.
ns    IN   A      221.221.221.221   ; the name server lives in this zone, so it needs an address record here too
www   IN   A      221.221.221.65
mail  IN   A      221.221.221.66
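A delegation has three places that must line up: the NS records in the parent zone, the glue A records for any name server inside the subdomain, and the NS set at the child zone's apex. The script below parses the post's delegation snippet and sub-zone file and reports mismatches; it is an added example, not code from the original post. The zone texts are the post's dummy data (with an A record for ns included in the child zone), the parser handles only the record shapes the post uses, and the problem messages are my own wording.

```python
"""Consistency check for a BIND subdomain delegation.

Added example, not code from the original post. The zone texts are the post's
dummy delegation and sub-zone (child zone includes an A record for ns). The
parser handles only the record shapes the post uses: $ORIGIN, $TTL, '@', a
blank owner that repeats the previous owner, relative names and a
parenthesised SOA. It is not a general zone-file parser.
"""

# rdata positions that hold domain names and must be qualified with $ORIGIN
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}

PARENT_ZONE = """\
$ORIGIN sg.linuxscripter.blogspot.com.
@       IN       NS       ns.sg.linuxscripter.blogspot.com.
ns      IN       A        221.221.221.221

$ORIGIN hk.linuxscripter.blogspot.com.
@       IN       NS       ns.hk.linuxscripter.blogspot.com.
ns      IN       A        222.222.222.222
"""

CHILD_ZONE = """\
$TTL 7d
$ORIGIN sg.linuxscripter.blogspot.com.
@              IN      SOA   ns.sg.linuxscripter.blogspot.com. hostmaster.abc.domain. (
               2013022701 ; serial number
               2h         ; refresh
               15M        ; retry
               3W12h      ; expiry
               2h20M      ; minimum
               )
      IN   NS     ns.sg.linuxscripter.blogspot.com.
      IN   MX     10 mail.sg.linuxscripter.blogspot.com.
ns    IN   A      221.221.221.221
www   IN   A      221.221.221.65
mail  IN   A      221.221.221.66
"""


def fqdn(name, origin):
    """Qualify a zone-file name: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, [rdata...])] with every domain name fully qualified."""
    records, owner, buf, depth, starts_blank = [], None, "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not buf:
            starts_blank = line[0].isspace()  # blank owner = previous owner
            buf = line.strip()
        else:
            buf += " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside a ( ... ) continuation
        entry, buf = buf, ""
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if not starts_blank:
            owner = tokens.pop(0)
        if tokens[0] in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0)
        rdata = [fqdn(t, origin) if i in NAME_FIELDS.get(rtype, ()) else t
                 for i, t in enumerate(tokens)]
        records.append((fqdn(owner, origin), rtype, rdata))
    return records


def check_delegation(parent, child, zone):
    """Report the mistakes that make a delegation fail or limp along."""
    problems = []
    delegated = {r[2][0] for r in parent if r[0] == zone and r[1] == "NS"}
    parent_addrs = {r[0] for r in parent if r[1] in ("A", "AAAA")}
    if not delegated:
        problems.append(f"parent zone has no NS records for {zone}")
    for ns in delegated:
        # a name server inside the delegated zone is only reachable through glue
        if ns.endswith("." + zone) and ns not in parent_addrs:
            problems.append(f"no glue A/AAAA record for {ns} in the parent zone")
    apex = {r[2][0] for r in child if r[0] == zone and r[1] == "NS"}
    if apex != delegated:
        problems.append(f"parent delegates to {sorted(delegated)}, child apex NS set is {sorted(apex)}")
    owners = {r[0] for r in child}
    for owner, rtype, rdata in child:
        for i in NAME_FIELDS.get(rtype, ()):
            if rtype == "SOA" and i == 1:
                continue  # RNAME is a mailbox, not a host
            target = rdata[i]
            if target.endswith("." + zone) and target not in owners:
                problems.append(f"{rtype} at {owner} points to {target}, which has no records in the zone")
    return problems


def audit(parent_text=PARENT_ZONE, child_text=CHILD_ZONE,
          parent_origin="linuxscripter.blogspot.com.",
          zone="sg.linuxscripter.blogspot.com."):
    return check_delegation(parse_zone(parent_text, parent_origin),
                            parse_zone(child_text, zone), zone)


if __name__ == "__main__":
    for p in audit() or ["delegation looks consistent"]:
        print(p)
```

Drop the ns A record from the child zone and the check reports that both the SOA MNAME and the apex NS point at a name with no records; drop it from the parent and it reports the missing glue. Those are the two things a live resolver trace (dig +trace) would show as an unreachable or lame delegation.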

We can set up the web server as www now, but before using the email server we need to define the reverse resolution for mail.sg.linuxscripter.blogspot.com properly.

Depending on the IP address range we get from the ISP, the syntax for reverse resolution may involve classless delegation; you can find details on how to do reverse delegation at http://linuxscripter.blogspot.sg/2013/03/bind-dns-reverse-delegation-of-ip-range.html

Note: The domain names and IP addresses in this post are dummy ones; I use them for easier writing.

Saturday, 7 April 2012

Sendmail: Prevent your SMTP servers from being blacklisted or graylisted

Sometimes we need to send email updates to millions of customers; customers may register with their office email or a public email service like Yahoo.
If you send a huge amount of email in a short period of time, you risk your SMTP servers being blacklisted or graylisted.

There are a few ways to keep your email servers working.

1. Use sendmail's greet_pause
In sendmail.mc, define greet_pause as 500 milliseconds:
FEATURE(`greet_pause',500)
Regenerate sendmail.cf:
m4 sendmail.mc > sendmail.cf
Restart the sendmail service:
service sendmail restart
By defining greet_pause as 500, you are telling your email server to pause for 500 milliseconds before responding to any EHLO request, so it can control the rate at which you send email to the outside world and prevent you from flooding outside email servers.

2. Rotate the IP addresses of your SMTP server periodically.
Suppose you assign the management IP to eth0 and use eth1 as the default outgoing interface; 192.168.100.101, 192.168.100.102 and 192.168.100.103 are reserved for eth1, and you can write a script, run from cron, to rotate them every day.

But you have to make sure of these two things:
  • These 3 IP addresses are translated to 3 different public IPs on your router or firewall.
  • The 3 public IPs are legitimate senders for the domain in your header FROM: you need to define your DNS records and reverse resolution for them properly, otherwise your mail may be rejected by other servers.

Note: A few years ago I managed 20+ email servers as part of my work; every day we needed to send out tons of emails. Customers registered to receive email updates from us. I am not a spammer :)