Reverse DNS for multiple sites on same external subnet

Discussion in 'ISPConfig 3 Priority Support' started by DantePasquale, Jul 17, 2016.

  1. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Hi Everyone,
    OK, I'm thoroughly confused. Number 1 by my OLD ISP not deleting the PTR records for and and now they can't delete them. Then add that my new ISP says I have to override their PTR records for the new IPs for the above mentioned sites!
    So, here's the info:

    My External Subnet should be using should be using

    I've never set up reverse DNS for a subnet that has multiple domains.
    What is the best/proper way to do this?
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

There is no difference between rdns for a single ip or more ips. Just define one rdns-record for each ip.
  3. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Can I do that via ISPConfig CP? I don't see a template for the reverse DNS or whatever the proper name is ;)

    And I think I've got a big mess on my hands with this. If I visit it can't find domain entries for my domains and I'm not sure why. traceroute to any of my IPs is not always succeeding and sometimes takes vastly different routes.

    If I specify the IP of the domain on dig, it returns what I expect -- dig @ -t SOA
    So it's basically working but not authoritative????
    The domain is at and I've set their DNS to point to and which it can't see to find.
    Very confused right now :(

    From ISPConfig point of view, do I need 1 IP for each:
    1. website?
    2. mail?
    3. ns?

    or can I combine them, for example ns and mail have the same IP?

    [] returned an authoritative response in 63 ms:
    Answer records
    name    class    type    data    time to live    IN    MX   
    preference:    10
    3600s    (1h)    IN    NS    8640s    (2h 24m)    IN    TXT    v=spf1 ip4: +all    86400s    (1d)    IN    SOA   
    email:    [email protected]
    serial:    2016071706
    refresh:    28800
    retry:    7200
    expire:    604800
    minimum ttl:    86400
    8640s    (2h 24m)
    Authority records
    Additional records
    name    class    type    data    time to live    IN    A    3600s    (1h)    IN    A    86400s    (1d)
    -- end --
    Last edited: Jul 19, 2016
  4. DantePasquale

    DantePasquale Member HowtoForge Supporter

    hmmm, I gave up for now and put all DNS on just to get things working tonight. That has issues too, but I can deal with those, kind of ;)
  5. DantePasquale

    DantePasquale Member HowtoForge Supporter

Just a quick update - I set up just an email server through ISPConfig on and let everything else default. I used's DNS manager and have point to Linode's DNS servers ( and now emails can be sent and received. Websites in that DNS point to IPs on my server that's inside of AT&T now and those work. So, I'm not sure how to proceed :)

    1. Can I share IP addresses for multiple uses (ns1 == www == mail)
    2. In that scenario, will having reverse DNS for mail mess up www? I'm not 100% sure on how vhosts use or don't use reverse DNS
    3. In order to get the websites to work, I still have to have named running on my server, but I need to make sure that linode DNS is the authoritative DNS. Is this right?

    Thanks, Dante
  6. florian030

    florian030 Well-Known Member HowtoForge Supporter

    1. yes
    2. the rdns-records are important to send mail. just make sure the rdns matches the hostname for the server.
    3. if you use the linode dns, you don't need bind on your server
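The check behind point 2 (PTR of the sending IP equals the mail server's hostname, and that hostname resolves back to the IP, i.e. forward-confirmed reverse DNS), written as an added example that is not from the thread or from ISPConfig. The resolver functions are injectable so the constructed documentation addresses below exercise it offline; with the defaults it queries the system resolver.

```python
import socket

def ptr_lookup(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def a_lookup(name):
    """Forward lookup through the system resolver; empty set when it fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_mail_rdns(ip, mail_hostname, ptr=ptr_lookup, fwd=a_lookup):
    """Return (ok, reason): ok only if the PTR for ip is exactly the mail
    server's hostname and that name resolves back to ip (FCrDNS)."""
    name = ptr(ip)
    if name is None:
        return False, f"no PTR record for {ip}"
    name = name.rstrip(".").lower()
    want = mail_hostname.rstrip(".").lower()
    if name != want:
        return False, f"PTR is {name}, expected {want}"
    if ip not in fwd(name):
        return False, f"{name} does not resolve back to {ip}"
    return True, "forward-confirmed reverse DNS matches the mail hostname"

# Constructed zone data (documentation addresses, not the poster's) so the
# check can be exercised offline: one good host, one stale PTR, one missing.
FAKE_PTR = {"192.0.2.10": "mail.example.net", "192.0.2.11": "old.example.org"}
FAKE_A = {"mail.example.net": {"192.0.2.10"}, "old.example.org": {"198.51.100.5"}}

def demo():
    """Run the check against the constructed data; returns {ip: (ok, reason)}."""
    return {
        ip: check_mail_rdns(ip, "mail.example.net",
                            ptr=FAKE_PTR.get, fwd=lambda n: FAKE_A.get(n, set()))
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12")
    }

if __name__ == "__main__":
    for ip, (ok, why) in demo().items():
        print(f"{ip}: {'OK' if ok else 'FAIL'} - {why}")
```

The stale-PTR case (192.0.2.11) is the situation from the first post, an old provider's PTR still pointing at a name the new server does not use.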
  7. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Thanks for the info -- I'm going to try to make the linode instance go away and run everything on my servers again ;)
    But, in the meantime I installed your DKIM patch and set that up but one of the dkim validators is complaining about the public key being invalid. Other validators just display it and don't tell me anything at all. It looks OK to me so I'm not sure how to proceed.

    Here's the output:
    DKIM Information:
    DKIM Signature
    Message contains this DKIM Signature:
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h=
        :message-id; s=1468988950; t=1469073561; x=1470887962; bh=w4Va78
        4NFqLUcWtHceBS+rkBsTQvT0TDTU2B+2dClxI=; b=SGWOuU7vCN3z0/Y/BEPBvv
    Signature Information:
    v= Version:         1
    a= Algorithm:       rsa-sha256
    c= Method:          relaxed/simple
    d= Domain:
    s= Selector:        1468988950
    q= Protocol:       
    bh=                 w4Va78
    h= Signed Headers:  content-transfer-encoding:content-type:content-type:mime-version
    b= Data:            SGWOuU7vCN3z0/Y/BEPBvv
    Public Key DNS Lookup
    Building DNS Query for
    Retrieved this publickey from DNS: "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjYUZjEAOXVqaCLcSIKYYCiAnIdip4xK62Yey0rA0ziamHZ0eBtwzcU/jHVK40IEtt4GuqqLX1L/4dpqgnmTNc3PBtFOBu83xlgu5ANWYLvfEwv/Zf66wy0TFxQ9I6MBkotTbgCCyIbxMW/OcIbxXHlc4qZNIBSd6BE4lGJ8+L4QIDAQAB"
    Validating Signature
    result = invalid
    Details: public key: invalid data
  8. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Seems, that the queried dns does not have your current public-key yet.
  9. DantePasquale

    DantePasquale Member HowtoForge Supporter

    I think the problem was that I entered the TXT entries with double quotes around them and then the receiver couldn't find the TXT starting with v= because it was getting back "v=

    Things look OK. Thanks. Now I just have to have some time to get the permanent email server working. I wonder if I should re-install ISPConfig instead of upgrading since so much has changed?
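A checker for the published DKIM key record that reports exactly the fault described above (literal double quotes typed into the TXT data, so the record starts with `"v=` and the validator reports "public key: invalid data"), added here as an example and not code from the thread or from the DKIM patch. The tag-list parsing follows RFC 6376; the p= value in the constructed sample is base64 of a placeholder string, not a real key.

```python
import base64
import binascii
import re

TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # RFC 6376 section 3.2

# Constructed sample data (not the poster's real key). BAD_RECORD reproduces
# the mistake of typing zone-file quotes into the DNS form: data starts with '"v='.
PLACEHOLDER_P = base64.b64encode(b"not-a-real-rsa-public-key").decode()
GOOD_RECORD = f"v=DKIM1; t=s; p={PLACEHOLDER_P}"
BAD_RECORD = f'"v=DKIM1; t=s; p={PLACEHOLDER_P}"'

def parse_tag_list(txt):
    """Split a DKIM tag=value list into an ordered dict; raise on malformed input."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:          # a trailing ';' is permitted
            continue
        if "=" not in item:
            raise ValueError(f"tag without '=': {item!r}")
        name, value = (part.strip() for part in item.split("=", 1))
        if not TAG_NAME.match(name):
            raise ValueError(f"bad tag name: {name!r}")
        tags[name] = value
    return tags

def check_dkim_key_record(txt):
    """Return (ok, reason) for the TXT data of a DKIM key record (RFC 6376 section 3.6.1)."""
    if txt.startswith('"') or txt.endswith('"'):
        return False, "record data contains literal double quotes"
    try:
        tags = parse_tag_list(txt)
    except ValueError as exc:
        return False, str(exc)
    if "v" in tags:
        if tags["v"] != "DKIM1":
            return False, f"unsupported version {tags['v']!r}"
        if next(iter(tags)) != "v":
            return False, "v= must be the first tag"
    if "p" not in tags:
        return False, "missing p= tag"
    if tags["p"] == "":
        return False, "key revoked (empty p=)"
    try:  # folding whitespace inside p= is allowed, so drop it before decoding
        key = base64.b64decode("".join(tags["p"].split()), validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    return True, f"ok ({len(key)} key bytes)"
```

Feed it the TXT data as returned by `dig +short TXT selector._domainkey.example` (with dig's own surrounding quotes removed) to confirm the published record is the one the signer expects.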
