Preface: I am not a Windows admin. I am a Linux admin.
I have a Windows 2016 server with AD DNS that handles internal DNS forward and reverse lookups.
Somewhere, somehow, some process is automatically adding PTR reverse lookup records for CNAMEs. This is breaking our Kerberos authentication for SSH between servers, as the canonical lookup of a host that has CNAMEs will return too many FQDNs and Kerberos balks.
The Kerberos SSH problem was resolved when I removed the CNAME reverse lookups.
Then, the next day, presto! all the PTR -> CNAME entries were back in AD DNS
Example, from the top (I've changed the names to be generic, but the overall setup is the same):
A pair of network operations boxes that run SMTP and Squid proxy have A records
netops01.example.com -> 10.1.2.3
netops02.example.com -> 10.4.5.6
And this same box has CNAMEs
netops
proxy
mailserver
For some reason, there are reverse lookup entries in AD DNS like so:
3.2.1.10.in-addr.arpa. 3600 IN PTR netops.example.com
3.2.1.10.in-addr.arpa. 3600 IN PTR proxy.example.com
3.2.1.10.in-addr.arpa. 3600 IN PTR mailserver.example.com
3.2.1.10.in-addr.arpa. 3600 IN PTR netops01.example.com
The last entry is the A record for this host. All the others are CNAMEs to that A record + another A record for the second host.
Neither I or the other admin that handles ops created these. Nor did we set up any scheduled task to recreate reverse lookups. Nor can I imagine a good reason to have a reverse lookup point to CNAMEs or to multiple results. (Maybe there is a good reason? I've never done this before, though)
So, I deleted all the reverse lookups except the A record one. Kerberos SSH works!
Next day, the records all returned.
I'm not even sure how on Windows to troubleshoot (thus my preface at the top)
- How can I find in the Windows logs what performed this action?
- Is there something about Windows DNS that would automatically do this? (Create PTRs for CNAMEs)
- Is there a way to turn that off?
- Anything else I'm missing?
Answering Myself
I found what I was missing. Two things:
These were not, in fact, CNAMEs. They were A records with multiple hosts listed for the purpose of load balancing.
Since they were A-records, they did have a checkbox along the lines of "automatically create related PTR record"
I unchecked that for these records. That didn't actually seem to fix the problem described here: the PTR records are still being rebuilt each morning.
However, that's not the solution I was looking for, anyway. The underlying problem was that Kerberos wasn't working. Well, that was easy to resolve by adding this "rdns" setting to /etc/krb5.conf
[libdefaults]
rdns = false
By default, Windows always tries to register both forward and reverse lookups using dynamic DNS.
You can disable this functionality either on the clients that are registering themselves, or on the DNS server, or both. The quickest way to resolve your immediate problem would be to disable dynamic DNS support for the relevant reverse lookup zones. In the longer run, depending on your circumstances, you may want to disable it in the forward zones as well.
I found a screenshot showing the relevant setting on the DNS server here. You want to select "None".
There is more information on disabling dynamic update on the clients here and here. This isn't essential but otherwise the clients will generate periodic event log messages because the dynamic DNS requests are being rejected by the server.
NB: you should not disable dynamic updates on the Active Directory domain controllers or for the Active Directory zones such as
_msdcs
that are used by the domain controllers to store information about the domain infrastructure. This will break Active Directory.