
I've got a lot of *.in-addr.arpa domain requests in my OpenDNS account. I know this should be normal and that it's about reverse DNS.

I've been reading here and there, but I still can't really get how it works and why I get so many requests (a higher number than for www.google.com). I'd just need someone who, like Einstein suggested, could explain to me what this reverse DNS is used for the way he would explain it to his grandmother.

masegaloeh
Pitto

3 Answers


Reverse DNS is a mapping from an IP address to a DNS name. So it's like DNS, but backwards. If you are assigned IP addresses you have to set up reverse DNS to tell the world what the addresses are used for.

In practice, if you want to know what system is at 216.239.32.10 you do what is called a reverse lookup by reversing the IP address and adding in-addr.arpa to it. So it looks like this: 10.32.239.216.in-addr.arpa. A PTR record should then tell you what system it is. The dig tool automates this with the -x switch.

pehrs$ dig -x 216.239.32.10

; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 216.239.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49177
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;10.32.239.216.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
10.32.239.216.in-addr.arpa. 86400 IN    PTR ns1.google.com.

;; AUTHORITY SECTION:
32.239.216.in-addr.arpa. 86400  IN  NS  ns1.google.com.
32.239.216.in-addr.arpa. 86400  IN  NS  ns2.google.com.
32.239.216.in-addr.arpa. 86400  IN  NS  ns4.google.com.
32.239.216.in-addr.arpa. 86400  IN  NS  ns3.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.     205358  IN  A   216.239.34.10
ns1.google.com.     205358  IN  A   216.239.32.10
ns4.google.com.     205358  IN  A   216.239.38.10
ns3.google.com.     205358  IN  A   216.239.36.10

;; Query time: 63 msec
;; SERVER: x#53(x)
;; WHEN: Tue Jan  4 13:35:14 2011
;; MSG SIZE  rcvd: 204

Notice the PTR record. It tells us that 216.239.32.10 is in fact ns1.google.com.

pehrs

The short version is that reverse DNS is used to get a domain name from an IP address, while normal DNS is used to get an IP address from a domain name.

The way it actually works is that there's a dummy top-level domain called in-addr.arpa, and to find the domain name for IP address A.B.C.D, the DNS client does a lookup on D.C.B.A.in-addr.arpa. There are various complicated rules for delegation of sub-domains of in-addr.arpa to ensure that those requests go to the correct place. The Wikipedia article is OK, although perhaps a little terse: http://en.wikipedia.org/wiki/Reverse_DNS_lookup.

What it means to you is that if you own a block of IP addresses, and you want to be able to create reverse DNS records for those addresses so that their domain names can be looked up, you need to make sure that whoever you got the block from has set up an appropriate delegation so that you manage a sub-domain of in-addr.arpa and can thus create the appropriate DNS PTR records.

Mike Scott
  • +1 for mentioning the dummy TLD .arpa, which is what confuses most people when talking about reverse DNS. – Massimo Jan 04 '11 at 12:45
    Actually, there is nothing dummy about .arpa. It's a normal TLD, only that registration in .arpa is very limited. – pehrs Jan 04 '11 at 13:07
  • I know this thread is old, but could somebody clarify what it means to "own" a block of IP addresses? Is the owner considered to be the person who uses IP space (who could then manage the reverse lookup zones and PTR records in the same place that their name servers are configured for DNS host records) -- or is the owner considered to be the ISP who leases a block of IPs to a company/individual to be used for public endpoints (such as web servers, email servers, VPN endpoints, etc). To clarify my Q: does it matter WHERE public PTR records are managed? – SamErde May 12 '14 at 15:23
  • @SturdyErde It doesn't matter to whoever looks the name up. It could matter to you if you use the address space and want to make changes to the reverse zone. As for who owns the address space, I would say that whoever got the addresses assigned to them from the RIR (ARIN/RIPE/APNIC/...) owns them but they may of course still delegate further in DNS (e.g. to a customer of theirs) if they so desire. – Håkan Lindqvist Jul 16 '14 at 21:59
  • Thanks, @HåkanLindqvist. So if my organization gets a block of public IPs from an ISP, they own the IPs, but we are the delegate who can manage them where we see fit. My follow-up question is, can we as the delegate specify name servers and manage the reverse zone wherever we wish, or are we limited to making changes through the owner of the IPs? (Curious because an Exchange consultant made comments that made me question my understanding of where reverse zones can be managed.) – SamErde Jul 18 '14 at 14:42
  • @SturdyErde If your ISP makes the appropriate delegations to your own name servers then you can manage the reverse zone yourself. If they can't or won't, then you'll have to get them to make changes for you. It's entirely dependent on your ISP's policies and level of technical competence. – Mike Scott Jul 18 '14 at 15:29
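The name construction from pehrs's answer and the delegation boundary from Mike Scott's answer, as an added example that is not part of the original thread: the functions below build the PTR query name for an IPv4 or IPv6 address the way dig -x does, cross-check it against Python's standard library, and compute the in-addr.arpa / ip6.arpa zone in which a prefix's PTR records live (the zone an ISP would delegate to you with NS records, as in the AUTHORITY section of the dig output above). The helper names are mine; the prefixes used are RFC 5737 / RFC 3849 documentation ranges plus the one from the dig output.

```python
import ipaddress


def _suffix(version: int) -> str:
    return "in-addr.arpa" if version == 4 else "ip6.arpa"


def reverse_name(ip: str) -> str:
    """Return the owner name queried for a PTR lookup of `ip` (what `dig -x` builds).

    IPv4: the four octets in reverse order under in-addr.arpa.
    IPv6: all 32 hex nibbles of the fully expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 one-nibble labels
    return ".".join([*reversed(labels), _suffix(addr.version)])


def stdlib_reverse_name(ip: str) -> str:
    """The same thing via the standard library; used here only as a cross-check."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(prefix: str) -> str:
    """Return the reverse zone that holds the PTR records for every address in `prefix`.

    The reverse tree is cut on label boundaries: whole octets for IPv4 (/8, /16, /24)
    and whole nibbles for IPv6 (/4, /8, ..., /48, /64, ...).  That zone is what the
    holder of the larger block delegates to you.  A prefix that is not on a boundary
    (an IPv4 /27, say) cannot be delegated with a plain NS record; RFC 2317 describes
    the CNAME-based workaround, which this helper deliberately does not implement.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(
            f"{prefix}: reverse delegation needs a prefix length that is a multiple of "
            f"{bits_per_label} (see RFC 2317 for IPv4 blocks smaller than a /24)"
        )
    kept = net.prefixlen // bits_per_label
    if net.version == 4:
        labels = str(net.network_address).split(".")[:kept]
    else:
        labels = list(net.network_address.exploded.replace(":", ""))[:kept]
    return ".".join([*reversed(labels), _suffix(net.version)])


def is_delegatable(prefix: str) -> bool:
    """True if `prefix` sits on a label boundary of the reverse tree."""
    try:
        reverse_zone(prefix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ip in ("216.239.32.10", "2001:db8::1"):
        print(f"{ip:>16} -> {reverse_name(ip)}")
    for prefix in ("216.239.32.0/24", "216.0.0.0/8", "2001:db8::/32", "192.0.2.0/27"):
        if is_delegatable(prefix):
            print(f"{prefix:>16} -> zone {reverse_zone(prefix)}")
        else:
            print(f"{prefix:>16} -> not on a label boundary; needs RFC 2317-style delegation")
```

Running it prints 10.32.239.216.in-addr.arpa for the address from the dig output and 32.239.216.in-addr.arpa for its /24, which is exactly the zone the NS records in the AUTHORITY section above are attached to. If you are handed a block smaller than a /24 by your ISP, the last line of output is the situation SamErde's comment is asking about: you cannot be given the zone outright, so either the ISP edits the PTR records for you or sets up RFC 2317 CNAMEs pointing into a zone you control.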

Since you asked for use of reverse DNS, consider the following.

Someone wants to deliver an email to your mail server. It claims to be the server mail.example.com. You can then use a reverse lookup to check whether its IP actually belongs to the address mail.example.com. If not, you know that there is probably something wrong. If you cannot even find a reverse entry, it is even more suspicious. (At least in the last situation the mail will probably be spam and be treated as such by many providers.)

The same holds for other connections as well. In fact, sshd will mark a connection attempt as POSSIBLE BREAK-IN ATTEMPT! if the reverse and forward entry do not match. The default behavior is to ignore it though.

Carsten Thiel
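The mail-server check described in this answer, and the forward/reverse mismatch that sshd warns about, as an added example that is not part of the original answer: a forward-confirmed reverse DNS (FCrDNS) check in Python. The resolvers are injected so the logic can run offline against a constructed table of RFC 5737 documentation addresses; the two stdlib-backed resolvers at the bottom are what you would pass to run it against real DNS, and, like socket.gethostbyaddr itself, they consult whatever the system resolver consults (including /etc/hosts). Function and table names are mine.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# A resolver is anything that maps a query to a list of answers; an empty list
# stands for NXDOMAIN / no data.  The demo uses table-driven ones so it runs
# offline; the live ones at the bottom use the system resolver.
PtrResolver = Callable[[str], List[str]]   # ip   -> hostnames from its PTR record(s)
AddrResolver = Callable[[str], List[str]]  # name -> addresses from its A/AAAA records


def fcrdns(ip: str, ptr_lookup: PtrResolver, addr_lookup: AddrResolver) -> Tuple[str, List[str]]:
    """Forward-confirmed reverse DNS.

    1. PTR:    ip -> name(s)
    2. A/AAAA: each name -> address(es)
    3. confirmed only if some name's addresses include the original ip

    Returns (verdict, names):
      "confirmed" - at least one PTR name resolves back to ip (names = those names)
      "mismatch"  - a PTR exists but none of its names resolve to ip (names = PTR names)
      "no-ptr"    - no PTR record at all

    Step 2 is what makes the check worth anything: whoever controls the reverse
    zone for ip can publish any PTR they like, but the forward zone for the
    claimed name is normally under someone else's control.
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(addr))]
    if not names:
        return "no-ptr", []
    confirmed = []
    for name in names:
        forward = set()
        for a in addr_lookup(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # ignore anything that is not a bare address (e.g. "fe80::1%eth0")
        if addr in forward:
            confirmed.append(name)
    return ("confirmed", confirmed) if confirmed else ("mismatch", names)


# --- constructed sample data (RFC 5737 documentation addresses, not live DNS) ---
SAMPLE_PTR = {
    "25.2.0.192.in-addr.arpa": ["mail.example.com."],    # honest: forward record agrees
    "7.100.51.198.in-addr.arpa": ["mail.example.com."],  # lying PTR: forward record disagrees
    # 203.0.113.9 has no PTR at all
}
SAMPLE_ADDR = {
    "mail.example.com": ["192.0.2.25"],
}


def sample_ptr(ip: str) -> List[str]:
    """Table-driven PTR lookup, keyed by the in-addr.arpa / ip6.arpa name as on the wire."""
    return SAMPLE_PTR.get(ipaddress.ip_address(ip).reverse_pointer, [])


def sample_addr(name: str) -> List[str]:
    return SAMPLE_ADDR.get(name.rstrip(".").lower(), [])


# --- live resolvers via the standard library (not exercised by the offline demo) ---
def live_ptr(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def live_addr(name: str) -> List[str]:
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        verdict, names = fcrdns(ip, sample_ptr, sample_addr)
        print(f"{ip:>14}: {verdict:<9} {names}")
    # Against real DNS: fcrdns("216.239.32.10", live_ptr, live_addr)
```

The "mismatch" verdict is the case sshd logs as a possible break-in attempt: the reverse zone says one name, the forward zone for that name says a different address. Treat "no-ptr" and "mismatch" as signals, not proof; the PTR is published by whoever runs the address block, so a perfectly honest host behind a lazy ISP will fail this check too, which is why sshd ignores it by default and mail receivers usually only add spam-score weight to it.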