Reverse DNS

From AAISP Support Site
Latest revision as of 10:04, 13 September 2024


About Reverse DNS

Normal (forward) DNS is a system that allows you to look up information about a domain/host name. For example, you might want to look up the IP address for the name my.firebrick.co.uk. To do this, a normal DNS lookup is done for an A record called my.firebrick.co.uk and you get the answer 217.169.0.1.

Reverse DNS is about finding a name for an IP address. The system is quite simple: the IP address is converted to a name, and the lookup is then done in the usual way. The record type for a reverse DNS lookup is a PTR record, not an A record.

Because of the way DNS works, control is delegated at each level: the name servers for co.uk say which name servers are authoritative for firebrick.co.uk, and so on down to my.firebrick.co.uk. This is normally only a couple of levels, but at any level control of the names below it (i.e. anything added to the start of the name) can be delegated to a new name server.

With IP addresses the control is delegated the other way, e.g. 217.x.x.x is delegated to RIPE, and 217.169.0.x is delegated to AAISP. To allow DNS to be used to turn IP addresses into names, the reverse DNS name for an IP address is backwards. For example, 217.169.0.1 is 1.0.169.217.in-addr.arpa. This means that 217.in-addr.arpa is delegated to RIPE and 0.169.217.in-addr.arpa is delegated to AAISP.

To delegate your IP addresses to you we have to find a way to delegate within the block of 256 addresses we have received from RIPE. Few customers have a complete block of 256 addresses. Those that do can simply be set up so that their own name servers are used in the delegation from RIPE. For anyone with fewer than 256 addresses we have to find a way to give you some of the addresses within a block, which DNS delegation (being one label, i.e. one octet, at a time) does not directly allow. The sections below describe the ways round this.

a. Have AAISP Manage the Reverse DNS

There are a number of ways to do this...

1. Auto Reverse (The Default)

Auto reverse is the default option that works by AAISP filling in a PTR record for each IPv4 address and a corresponding forward A record as well so that all of your IP addresses will have a valid reverse entry automatically. This is mainly for customers who are not interested in setting up any reverse entries but need something in place to avoid problems with some servers. If you also use A+reverse records in a domain then your IPs will have two PTR records, both valid.

Most ADSL customers will have a small block of IPs which they can delegate using CNAME if they want. However all ADSL lines also have a single IP address for the external (WAN) side of their ADSL router. This is always delegated as a single zone for the IP address.

e.g. if you have the IPs 192.0.2.1 and 2001:DB8::1, reverse entries will be created for:

1.2.0.192.in-addr.arpa
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
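The two names above follow a fixed rule: IPv4 octets are reversed under in-addr.arpa, IPv6 is expanded to 32 hex nibbles which are reversed under ip6.arpa. The following is an added example (not code from the AAISP page) that implements that rule for both address families, checks it against the Python standard library's own reverse_pointer, and also works out the zone at which a block can be delegated directly. The block 2001:8b0::/32 is AAISP's, as the page's ip6.arpa example shows; the other prefixes are illustrative.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Return the reverse DNS (PTR owner) name for an IPv4 or IPv6 address.

    IPv4: reverse the four decimal octets, append in-addr.arpa.
    IPv6: expand to 32 hex nibbles, reverse them, append ip6.arpa.
    Done by hand here to show the algorithm; production code can simply use
    ipaddress.ip_address(addr).reverse_pointer, which gives the same result.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # ip.exploded is the zero-padded form, e.g. 2001:0db8:0000:...:0001
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand-rolled conversion against the standard library."""
    return reverse_name(addr) == ipaddress.ip_address(addr).reverse_pointer


def can_delegate_directly(prefix: str) -> bool:
    """True if the block sits on a label boundary of the reverse tree.

    in-addr.arpa labels are whole octets (8 bits) and ip6.arpa labels are
    single hex nibbles (4 bits). Only a prefix on such a boundary is a plain
    zone that can be handed over with NS records; anything else (e.g. an IPv4
    /29) needs the per-address NS or CNAME workarounds described on the page.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    return net.prefixlen % (8 if net.version == 4 else 4) == 0


def delegation_zone(prefix: str) -> str:
    """Return the reverse zone name that covers exactly this block."""
    if not can_delegate_directly(prefix):
        raise ValueError(f"{prefix}: prefix length is not on a label boundary")
    net = ipaddress.ip_network(prefix, strict=True)
    labels = reverse_name(str(net.network_address)).split(".")
    total_labels = 4 if net.version == 4 else 32
    keep = net.prefixlen // (8 if net.version == 4 else 4)
    # The host part is at the front of the reversed name; drop it.
    return ".".join(labels[total_labels - keep:])


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:DB8::1"):
        print(a, "->", reverse_name(a), "(stdlib agrees)" if matches_stdlib(a) else "(MISMATCH)")
    for p in ("217.169.0.0/24", "2001:8b0::/32", "217.169.0.0/30"):
        try:
            print(p, "delegated as zone", delegation_zone(p))
        except ValueError as e:
            print(p, "cannot be delegated as a plain zone:", e)
```

Running it reproduces the two names listed above and shows that 217.169.0.0/24 and 2001:8b0::/32 map to 0.169.217.in-addr.arpa and 0.b.8.0.1.0.0.2.ip6.arpa respectively, while a /30 has no zone of its own.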

2. A+Reverse or AAAA+Reverse DNS records on a Domain We Host

This applies where you have a domain that we manage in our DNS and want an IP address we manage to map to and from a name in that domain. To do this you create an A+reverse record (or an AAAA+reverse record for IPv6) in your domain's DNS entries, instead of a plain A or AAAA record. This automatically creates the corresponding reverse entry in our DNS, mapping the IP address back to the name, so the forward and reverse records agree. This is usually the simplest way to handle reverse DNS when you also have a domain with us.

[Screenshot: Reverse-dns-a-reverse.png]
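The reason the Auto Reverse option creates a forward A record alongside each PTR, and the reason A+reverse is the easy path, is that mail servers and other services do not trust a PTR on its own: they look up the name the PTR gives and check that it resolves back to the same address (forward-confirmed reverse DNS). A PTR that does not forward-confirm is worthless for that purpose, and an address with two PTRs is only "valid" twice over if both names point back. The following is an added example (not code from the AAISP page) of that check, run over a constructed in-memory set of records so that it works offline; the example.net and example.org names and the 192.0.2.9 address are made up for the illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS data (not real records). Keys are (owner name, type).
SAMPLE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("1.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net", "stale.example.org"],
    ("mail.example.net", "A"): ["192.0.2.1"],
    # A PTR that names a host whose forward record points elsewhere: not confirmed.
    ("stale.example.org", "A"): ["192.0.2.9"],
    ("1.0.0.0." + "0." * 20 + "8.b.d.0.1.0.0.2.ip6.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "AAAA"): ["2001:db8::1"],
    # 192.0.2.9 has no PTR at all, the situation Auto Reverse exists to avoid.
}

Resolver = Callable[[str, str], List[str]]


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Stand-in for a real resolver: answers only from SAMPLE_DNS."""
    return SAMPLE_DNS.get((name.lower().rstrip("."), rtype), [])


def forward_confirmed_names(addr: str, resolve: Resolver = sample_resolver) -> List[str]:
    """Return the PTR names for addr whose A/AAAA records point back to addr.

    Step 1: PTR lookup on the reverse name of the address.
    Step 2: for each name returned, look up its A (IPv4) or AAAA (IPv6) records.
    Step 3: keep the name only if the original address is among those records.
    """
    ip = ipaddress.ip_address(addr)
    rtype = "A" if ip.version == 4 else "AAAA"
    confirmed = []
    for name in resolve(ip.reverse_pointer, "PTR"):
        forward = set()
        for rdata in resolve(name, rtype):
            try:
                forward.add(ipaddress.ip_address(rdata))
            except ValueError:
                continue  # ignore malformed forward data rather than crash
        if ip in forward:
            confirmed.append(name.lower().rstrip("."))
    return confirmed


def fcrdns_ok(addr: str, resolve: Resolver = sample_resolver) -> bool:
    """True if at least one PTR name for addr forward-confirms."""
    return bool(forward_confirmed_names(addr, resolve))


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:db8::1", "192.0.2.9"):
        print(a, "confirmed names:", forward_confirmed_names(a), "ok" if fcrdns_ok(a) else "FAIL")
```

To run the same logic against live DNS, replace sample_resolver with a function that performs real PTR and A/AAAA queries and returns the rdata strings; the confirmation logic itself does not change.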

...if your domain is hosted elsewhere

If you administer a domain that is not hosted with us, then we can add an entry into our control system specifying your choice of domain name (optionally including subdomains), specifically to allow you to set up entries on our systems that define individual reverse lookup mappings from your AAISP addresses to names below that 'base' domain name. There is no charge for this, however it must be requested; this can be confusing, as the relevant configuration to which this section refers will not be visible in the control pages until it has been requested. An example is given in the next section. On our systems you define a number of records, one (or more) per address of yours, and we append your chosen domain name to each to form a reverse lookup (PTR) record that we define and publish for you. You can ask for several of your domain names to be set up on our systems, and each can include a subdomain of your choice.

How to:

For example, suppose you have an IP address from us such as 198.51.100.10 and you wish to define a PTR mapping (reverse lookup) to the name fred-workstation.your-domain.example.com.

Important: if this domain is not hosted by us, you must first have asked staff to set up your-domain.example.com in our control system; you only need to do so once.

1. Go into the control pages, go to "Domains" and select the entry your-domain.example.com, which we will have added for you following your request.
2. For each individual reverse lookup entry you wish to define, enter the name (here fred-workstation) into the first edit box. The value is not restricted to a single DNS label; it can contain dots for subdomains.
3. Enter the IP address (here 198.51.100.10) in the edit box below.
4. Click OK or Apply to create the record. The new record is then listed below.

Notice there is an option to select "ipv4 reverse" or "ipv6 reverse" lookup - IPv4 is correct in this example case. The procedure for IPv6 address reverse lookups is the same, just click the pop-out menu and select "ipv6 reverse".

You can also amend existing records or delete them by first clicking on one entry in the list of records below so that it becomes highlighted. You can then either alter the details of the record and then click Apply, or you can click an ‘Erase’ button on the right.

3. in-addr.arpa or ip6.arpa Zone

If you have a /24 or larger block (few customers will!) we can create a suitable in-addr.arpa zone on your account, and from within that you can add PTR records. We can do a similar thing for IPv6 too where we'll set up x.x.x.x.0.b.8.0.1.0.0.2.ip6.arpa zone for you. Contact support staff for this.

[Screenshot: Reverse-dns-inaddrarpa.png]

4. Generic Per-IP Block

Support staff can add a name on a per-IP block basis and we'll automatically create reverse records, e.g., if your block is 81.187.81.0/29 and we add the name hosts.testing.me.uk, then we'll create reverse records such as:

0.hosts.testing.me.uk
1.hosts.testing.me.uk
2.hosts.testing.me.uk
etc.

Contact support staff for this.

b. Delegating reverse DNS to your own nameservers

(Note - requirements: To be able to use the following methods you need access to a DNS server on which you can define PTR records. Some hosted DNS systems only provide administrative access through a user-friendly web ‘control panel’, which may not be sufficiently full-featured.)

We have two main ways of setting up the delegation of reverse DNS to your own nameservers, and you can select which you prefer using the control pages. In both cases the task is to set a reference on our system to the name servers that you manage and that will give the answers for reverse DNS queries. The reverse DNS name server boxes on the control pages let you specify one to six name servers (by name, not by IP address) for your name server(s). Don't put a dot on the end of the name though.

[Screenshot: Reverse-dns-delegation.png. Delegating reverse DNS to your own nameservers: enter your DNS host names into the boxes, not IP addresses.]

This setting is found on the control pages under the link to your Login. This will apply to IPv4 and IPv6.

1. Delegation by NS

Delegation by NS works by putting your name servers in our DNS for each of your addresses. e.g. if you had 217.169.0.0-3 then we would put NS records pointing at your name servers for each entry 0.0.169.217.in-addr.arpa, 1.0.169.217.in-addr.arpa, 2.0.169.217.in-addr.arpa, 3.0.169.217.in-addr.arpa. This means you create four separate zones, each of which has the normal SOA and NS records at its apex plus a single PTR record (also at the apex) giving the name for that IP address. This is logically the correct way of doing it, as the reverse DNS zone is delegated at each level of control right down to the individual IP address. It is rather tedious to set up lots of zone files though, especially if you have, say, 128 addresses.

Remember that you also have a WAN address which may be completely different from your other addresses, and the reverse DNS is also delegated to your name servers for this too.

2. Delegation by CNAME

Delegation by CNAME is a way to delegate a block of addresses to you so that you only have one zone file to worry about. The way this works is that we put a CNAME record for each address indicating that the answer is found under a different name. We then delegate that different name to your name servers. There are several ways to do this (RFC 2317, "Classless IN-ADDR.ARPA delegation", describes the general technique); we use the naming scheme first-last.restofzone.in-addr.arpa. e.g. if you had 217.169.0.0-3 we would delegate a zone 0-3.0.169.217.in-addr.arpa to your name server(s) and add CNAME entries for each IP, e.g. 1.0.169.217.in-addr.arpa with CNAME to 1.0-3.0.169.217.in-addr.arpa. Your zone then holds a PTR record named 1 (for 1.0-3.0.169.217.in-addr.arpa) and so on for each address.

Your WAN address and any other single addresses are still individually delegated as their own zone as above.
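To make the two delegation methods concrete, the following is an added example (not code from the AAISP page, and not the records AAISP's systems actually emit) that generates both sides of each arrangement for the page's 217.169.0.0-3 block: what the ISP publishes in 0.169.217.in-addr.arpa, and what the customer's zone file(s) must contain. The name servers ns1/ns2.customer.example, the host names and the SOA timers are hypothetical; the record layout follows the page's description, with the NS method producing one zone per address and the CNAME method producing one zone named first-last.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical customer name servers, host names and SOA (not from the page).
NAMESERVERS = ["ns1.customer.example", "ns2.customer.example"]
SOA = "@ IN SOA ns1.customer.example. hostmaster.customer.example. 1 3600 900 1209600 300"
HOSTNAMES = {
    "217.169.0.0": "net.customer.example",
    "217.169.0.1": "gw.customer.example",
    "217.169.0.2": "www.customer.example",
    "217.169.0.3": "bcast.customer.example",
}


def _block(prefix: str) -> ipaddress.IPv4Network:
    """Accept only IPv4 blocks smaller than a /24; a /24 is a plain zone anyway."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen < 25:
        raise ValueError("this helper covers IPv4 blocks smaller than a /24")
    return net


def _last_octet(ip: ipaddress.IPv4Address) -> str:
    return str(ip).split(".")[-1]


# ---- Method 1: delegation by NS (one zone per address) ----

def isp_records_ns(prefix: str, nameservers=NAMESERVERS) -> List[str]:
    """ISP side: NS records for every address, each address being its own zone."""
    return [f"{ip.reverse_pointer}. IN NS {ns}."
            for ip in _block(prefix) for ns in nameservers]


def customer_zones_ns(prefix: str, names=HOSTNAMES, nameservers=NAMESERVERS) -> Dict[str, List[str]]:
    """Customer side: a complete zone per address (SOA, NS and one PTR, all at the apex)."""
    zones = {}
    for ip in _block(prefix):
        body = [SOA] + [f"@ IN NS {ns}." for ns in nameservers]
        body.append(f"@ IN PTR {names[str(ip)]}.")
        zones[ip.reverse_pointer] = body
    return zones


# ---- Method 2: delegation by CNAME (one zone named first-last) ----

def cname_zone_name(prefix: str) -> str:
    """first-last.restofzone.in-addr.arpa for the block, e.g. 0-3.0.169.217.in-addr.arpa."""
    net = _block(prefix)
    parent = net.network_address.reverse_pointer.split(".", 1)[1]  # drop host label
    return f"{_last_octet(net.network_address)}-{_last_octet(net.broadcast_address)}.{parent}"


def isp_records_cname(prefix: str, nameservers=NAMESERVERS) -> List[str]:
    """ISP side: delegate the first-last zone, then CNAME each address into it."""
    zone = cname_zone_name(prefix)
    lines = [f"{zone}. IN NS {ns}." for ns in nameservers]
    lines += [f"{ip.reverse_pointer}. IN CNAME {_last_octet(ip)}.{zone}." for ip in _block(prefix)]
    return lines


def customer_zone_cname(prefix: str, names=HOSTNAMES, nameservers=NAMESERVERS) -> Tuple[str, List[str]]:
    """Customer side: one zone holding a PTR per address, named by its last octet."""
    zone = cname_zone_name(prefix)
    body = [SOA] + [f"@ IN NS {ns}." for ns in nameservers]
    body += [f"{_last_octet(ip)} IN PTR {names[str(ip)]}." for ip in _block(prefix)]
    return zone, body


if __name__ == "__main__":
    block = "217.169.0.0/30"
    print("; ISP side, NS method");      print("\n".join(isp_records_ns(block)))
    print("; ISP side, CNAME method");   print("\n".join(isp_records_cname(block)))
    zone, body = customer_zone_cname(block)
    print(f"; customer zone {zone}");    print("\n".join(body))
```

Whichever method you use, the check afterwards is the same: a PTR query for 1.0.169.217.in-addr.arpa must end up at your server (following the CNAME in method 2) and return gw.customer.example, and that name's A record must point back at 217.169.0.1.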

IPv6 Reverse Delegation

IPv6 is delegated by NS at /48 or lower. The CNAME method is not needed for IPv6, because ip6.arpa is delegated one hex nibble (4 bits) at a time, so any prefix on a nibble boundary (/48, /52, /56, /60, /64 and so on) can be delegated directly as a zone.

Reverse Delegation for /24 or larger

If you have a block of 256 addresses or more, then reverse DNS delegation is done at the /24 level and setting CNAME or NS has the same effect. This means you are responsible for an entire reverse zone without the need for special CNAME entries, etc. Most people do not have such a large block of addresses.