
I was wondering how exactly the big companies go about managing all the IP addresses that their public servers use, especially in respect to setting up correct PTR-records.

This is very important, for example, when sending lots of email from production environments, as the receiving mail servers will most likely perform an FCrDNS check to see if PTR and HELO/EHLO match. If they don't, you're pretty much guaranteed to be flagged as spam.

What I've found out myself is that Facebook and Google do this by assigning third-level A-records for (as it seems) every IP address that they own and then using that in the respective PTR-record. An example would be Google's famous 8.8.8.8 address, which is mapped to google-public-dns-a.google.com. Another Google IP, 173.194.113.127, is mapped to fra02s22-in-f31.1e100.net (nice domain there, Google admins).

Using a third-level subdomain seems to be the most logical, as you can then use a wildcard certificate for your domain in SSL/TLS applications.

In my case, I was thinking about assigning a subdomain with a scheme like _srv_foobar.mydomain.tld to our servers. Starting with an underscore would indicate that this subdomain is used for management purposes, like _spf.microsoft.com or _netblocks.google.com. Is this a valid and sound approach? As mentioned in the comments, underscores are not allowed in hostnames, which makes this approach impossible.

Is it the common practice to create an A-record for every IP-address you use? Are there naming schemes that are preferred or should be avoided? I would love to hear about this topic from somebody who has been managing many dozens, hundreds or even thousands of IP addresses. Thanks!

Kevin F
    You should not use `_` in the names that your PTR records are pointing to. – kasperd Feb 19 '16 at 10:22
  • @kasperd Indeed. I forgot that host names are restricted to alpha numerical and dashes (a-z 0-9 -). Any suggestions to differentiate those PTR-only names from other subdomains? – Kevin F Feb 19 '16 at 10:24
  • As you can see Google chose to use an entirely separate domain name for the purpose. If you don't want to do that, you can allocate one subdomain to use for automatically generated PTR and corresponding AAAA and A records. – kasperd Feb 19 '16 at 10:31
  • @kasperd By allocating one subdomain you mean going fourth-level? I'd like to avoid that or using a separate domain because of our existing TLS-certificates, which only match second- and third-level. It's a nice plus if those don't only work with the domains used for HTTP-requests but also with any communication using the hostname. I'm currently leaning towards `srv-foobar.mydomain.tld`. – Kevin F Feb 19 '16 at 10:39
  • You can do that as well, you just have to pay more attention to the potential MITM and XSS attacks. – kasperd Feb 19 '16 at 10:44
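
The FCrDNS check the question describes, written out as an added example (this is not code from the original post). It checks that the PTR name for an address resolves back to that address, optionally that the HELO/EHLO name is one of the confirmed names, and rejects PTR targets that are not valid host names under the letters-digits-hyphens rule the comments mention. The lookup table, the `mail1.fra.example.com` names and the 192.0.2.x addresses are constructed for the demonstration; the socket-backed lookups are only for a live run.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check with pluggable lookups.

Added example, not code from the original question. The lookup table below is
constructed for the demonstration; the socket-based lookups are only used when
you wire them in for a live check.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# RFC 952/1123 "LDH" rule: a label is letters, digits and hyphens, may not
# start or end with a hyphen, and is at most 63 octets. An underscore is not
# allowed, so a PTR target such as _srv_foobar.example.com is not a host name.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_valid_hostname(name: str) -> bool:
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed stand-in for the DNS, keyed by owner name (forward names carry a
# trailing dot). 192.0.2.10 is set up correctly, 192.0.2.11 has a PTR whose
# A record points somewhere else, 192.0.2.12 has no PTR at all.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa": ["mail1.fra.example.com."],
    "mail1.fra.example.com.": ["192.0.2.10"],
    "11.2.0.192.in-addr.arpa": ["mail2.fra.example.com."],
    "mail2.fra.example.com.": ["192.0.2.99"],
}


def table_lookups(table: Dict[str, List[str]]):
    """Return (ptr_lookup, addr_lookup) callables backed by a dict."""
    def ptr_lookup(ip: str) -> List[str]:
        return table.get(reverse_name(ip), [])

    def addr_lookup(name: str) -> List[str]:
        return table.get(name.rstrip(".") + ".", [])
    return ptr_lookup, addr_lookup


def live_lookups():
    """Same interface, backed by the system resolver (not used offline)."""
    def ptr_lookup(ip: str) -> List[str]:
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
        except OSError:  # socket.herror / gaierror both derive from OSError
            return []
        return [host, *aliases]

    def addr_lookup(name: str) -> List[str]:
        try:
            return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
        except OSError:
            return []
    return ptr_lookup, addr_lookup


def fcrdns(ip: str, ptr_lookup: Callable[[str], List[str]],
           addr_lookup: Callable[[str], List[str]],
           helo: Optional[str] = None) -> dict:
    """FCrDNS: a PTR name for `ip` must have an A/AAAA record containing `ip`
    again. If `helo` is given it must also be one of the confirmed names,
    which is what the stricter receiving MTAs require."""
    target = ipaddress.ip_address(ip)
    ptr_names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    confirmed = []
    for name in ptr_names:
        if not is_valid_hostname(name):
            continue  # a PTR pointing at a non-hostname can never confirm
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
        if target in forward:
            confirmed.append(name)
    result = {"ip": ip, "ptr": ptr_names, "confirmed": confirmed,
              "pass": bool(confirmed)}
    if helo is not None:
        result["helo_match"] = helo.rstrip(".").lower() in confirmed
    return result


if __name__ == "__main__":
    ptr, addr = table_lookups(CONSTRUCTED_DNS)
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(fcrdns(ip, ptr, addr, helo="mail1.fra.example.com"))
```

Swap `table_lookups(CONSTRUCTED_DNS)` for `live_lookups()` to test a real outbound mail address; the verdict dict shows which of the three things went wrong (no PTR, PTR that does not resolve back, or a HELO name that is not among the confirmed names), which is what you need when a receiving server's rejection message only says "reverse DNS mismatch".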

1 Answer


Flagging this as primarily opinion based, but here are a few notes anyway. The opinions below are reflective of DNS operating practices at the MSO scale.

I would love to hear about this topic from somebody who has been managing many dozens, hundreds or even thousands of IP addresses.

'Sup.

Is it the common practice to create an A-record for every IP-address you use?

Some companies may, but that's overkill. Typically what happens is that a very large block of IP space is assigned to a region for allocation to customers (we're talking way more than a /24 here), and as part of preparing that network for use the forward and reverse records are pre-generated. From that point onward it doesn't matter how many times the segments of that IP space are shuffled between customers, it's there and ready to go.

Outside of that we typically do not pre-allocate IP space in DNS. It's messy, and it needlessly bloats your resource consumption. To put things into perspective, our BIND secondaries take slightly more than ten minutes to finish loading all of the records into memory and begin serving queries. If we were to have forward and reverse records for all of our IP space, not just customer stuff, I don't even want to imagine how bad that would get.

As a side note, if your DNS software supports synthesized forward and reverse records for ranges of IPs, you may want to explore that. BIND does not implement this.

Are there naming schemes that are preferred or should be avoided?

Use what works best for your needs, but typically it's a good idea to use a naming convention that indicates the physical region that IP address is assigned to. At-a-glance identification makes it easier for your employees to know where that traffic is coming from, whether they're a field engineer or someone in the abuse department. The larger your company is, and the more business units it has, the more value you get out of this.

Andrew B
  • Thanks for the interesting answer! I was guessing from the second Google reverse record which I've mentioned, that Google is doing exactly what you said about region awareness: `fra` most probably means Frankfurt in this case, as I was resolving that IP from Germany. I'll keep that in mind if we ever start having multiple sites of operation :) What kind of domain(s) do you use when assigning PTRs? Is it one that is exclusively used for this purpose of mapping hostnames to addresses, or do you use those domains for application traffic as well? – Kevin F Feb 19 '16 at 16:25
  • @Kevin We use a `.example.com` scheme with each region having its own zone file. They are shared with other DNS entries as well, and by not having them all in one zone you reduce the amount of clutter per file. – Andrew B Feb 19 '16 at 18:04
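
The pre-generation the answer describes (forward and reverse records for a whole block, prepared once before the space is handed out, with a region label in the name and one forward zone per region), as an added example that is not the answerer's code. The `10.200.0.0/22` block, the `fra` region label and `example.com` are constructed; the address-with-hyphens naming is an assumption that satisfies the letters-digits-hyphens rule, not a documented convention.

```python
"""Pre-generate forward (A) and reverse (PTR) records for a whole block.

Added example, not the answerer's code. The block, region label and domain are
constructed; the scheme (address spelled with hyphens, one forward zone per
region, records generated once when the block is prepared) is an assumption
that follows the answer's advice, not a documented convention.
"""
import ipaddress
from typing import Dict, List


def host_label(ip: ipaddress.IPv4Address) -> str:
    """10.200.1.37 -> '10-200-1-37' (letters, digits and hyphens only)."""
    return str(ip).replace(".", "-")


def generate_zones(block: str, region: str, domain: str,
                   ttl: int = 3600) -> Dict[str, List[str]]:
    """Return {zone name: [record lines]} for every host address in `block`.

    Forward records go into one zone per region (e.g. fra.example.com).
    PTR records are split per /24 because in-addr.arpa is delegated on
    octet boundaries, so a /22 yields four reverse zones."""
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or net.prefixlen > 24:
        raise ValueError("expects an IPv4 block of /24 or larger")
    fwd_zone = f"{region}.{domain}"
    zones: Dict[str, List[str]] = {fwd_zone: []}
    for ip in net.hosts():
        o1, o2, o3, o4 = str(ip).split(".")
        label = host_label(ip)
        zones[fwd_zone].append(f"{label}\t{ttl}\tIN\tA\t{ip}")
        rev_zone = f"{o3}.{o2}.{o1}.in-addr.arpa"
        zones.setdefault(rev_zone, []).append(
            f"{o4}\t{ttl}\tIN\tPTR\t{label}.{fwd_zone}.")
    return zones


def render_zone(zone: str, lines: List[str], ttl: int = 3600) -> str:
    """Zone-file body for one zone; SOA/NS come from the real zone template."""
    return "\n".join([f"$ORIGIN {zone}.", f"$TTL {ttl}", *lines]) + "\n"


def forward_confirmed(zones: Dict[str, List[str]], fwd_zone: str) -> bool:
    """Sanity check before publishing: every PTR target must have an A record
    with the same address, i.e. the generated data passes FCrDNS."""
    a_records = {}
    for line in zones[fwd_zone]:
        owner, _ttl, _cls, _type, addr = line.split("\t")
        a_records[f"{owner}.{fwd_zone}."] = addr
    for zone, lines in zones.items():
        if zone == fwd_zone:
            continue
        rev_prefix = ".".join(reversed(zone.split(".")[:3]))  # 0.200.10 -> 10.200.0
        for line in lines:
            last, _ttl, _cls, _type, target = line.split("\t")
            if a_records.get(target) != f"{rev_prefix}.{last}":
                return False
    return True


if __name__ == "__main__":
    zones = generate_zones("10.200.0.0/22", "fra", "example.com")
    for name, lines in zones.items():
        print(f"{name}: {len(lines)} records")
    print(render_zone("0.200.10.in-addr.arpa", zones["0.200.10.in-addr.arpa"][:3]))
    print("consistent:", forward_confirmed(zones, "fra.example.com"))
```

Run once per block when the space is prepared, write each zone out with `render_zone`, and keep `forward_confirmed` in the pipeline so a hand edit to one side never leaves a PTR without its matching A record. BIND's `$GENERATE` directive can expand a range like this at zone-load time instead, but the records still end up in memory either way, which is the resource cost the answer warns about.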