Reverse DNS basics [again] [Was: Re: help with Reverse Lookup and PTR's]

Joseph S D Yao jsdy at
Mon Oct 29 13:45:22 UTC 2001

Don't NOSPAM this mailing list.

On Sat, Oct 27, 2001 at 09:25:59PM -0500, Phil Schuman wrote:
>   my head is spinning on all this DNS stuff :)
>   As I see it...
>   This reverse DNS lookup is a parallel concept
>   to the normal DNS system -
>   The DNS "A" record defines - --->
>   and they are stored with the nameserver for the "domain"
>   and the nameserver is obtained via lookup for the "domain".
>   however -
>   for a reverse IP lookup - - (our mail server)
>   all you have is an IP address to initially work with -
>   It seems like ARPA has a special "domain"
>   such as "" that is the real placeholder,
>   and then the IP address (reversed) is prefixed.
>   The records in the local DNS server
>   define the "PTR" records - or pointer records.
>   However, I'm not sure how they propagate back
>   to the ARPA domain ???????
>   And what happens with address conflicts,
>   or stealing of addresses ?????????
>   So - as with and other "registering" providers,
>   You may get "A" records to ref your servers,
>   but I don't think there are any corresponding PTR records,
>   hence no Reverse Lookup is possible....
>   For us - with our - mail server name -
>   the  nameserver at ""   has the various "A" records,
>   but doesn't seem to have any PTR records.
>   And our backup nameserver
>   has the "A" records, and a handful of PTR records...
>   but the "itsi2" nameserver may be interrogated 1st by the net,
>   so the Reverse Lookup will again fail -
>     Phil - now with a big DNS headache :)

Does this help?  You seem to have most of it already.

> Subject: Reverse DNS, IP addr -> name via PTR
> Date: Thu, 5 Aug 1999 13:27:38 -0400 (EDT)
> OK, one more time, since there has been a spate of questions about this
> again ...
> If you have a domain and a set of IP addresses, e.g., and
>, then you will not only want to do forward DNS lookups from
> host names to IP addresses, but also reverse DNS lookups from the host
> names to the IP addresses.  This does NOT happen automatically!
> Instead, you have to construct a separate reverse DNS zone whose name
> is based on the portion of the network that you own.  [I'll mention
> what to do if you don't own the whole network portion, later.]
> There is nothing magic about a reverse DNS zone.  By convention, it is
> based on the "" domain.  Its name is constructed on the
> REVERSED IP address of the network - in this case,
> In all ways, it is a regular domain - its parent domain, e.g., is
> - we'll get to why that's important in a minute.
> In the named.boot or named.conf, on your master [primary] name server,
> you associate the name of the domain/zone with the name of some file
> that contains the zone information.  In this zone file, you will have,
> as always:
> 	$TTL	nnnnnnn
> 	@	IN  SOA	...
> 		IN  NS
> and then you must put your pointers from the host numbers back to the
> names, e.g.:
> 	1	IN  PTR
> 	2	IN  PTR
> 	3	IN  PTR
> 	...
> 	42	IN  PTR
> 	...
> Now, giving your local name server all of this information, it will
> return any reverse-DNS query with the proper information.  E.g.,
> queries of the form:
> 	nslookup
> 	nslookup  -type=ptr
> 	dig  ptr
> will return the host name as part of the answer.
> Internally to your network, if you have configured your /etc/resolv.conf
> file to point to's IP address, then you don't even have to
> tell it to ask  Queries will automatically go to that name
> server.
> EXTERNALLY to your network, it's a different story.  If you want
> others to also see your reverse DNS [and you usually do], you need to
> get the co-operation of whoever owns your reverse DNS parent domain,
>  They must list "3" as a subdomain of their domain,
> with an NS record in their zone file pointing to your name server.
> Then someone asking from the outside about will
> be able to go to the root server, find out who owns, and
> from them who owns, and from them who your name server
> is ... and thence get the name.  Just exactly as in forward DNS lookups.
> NOW, if your network does not break at an octet boundary, you must look
> at RFC 2317, which has a trick to create a subnetwork that includes
> your network name and bitsize, and then have your hosts' IP addresses
> be names off that network.  You can use the trick detailed in RFC 2317
> or one like it.  Believe me, it works.  But you need the co-operation
> of the owner of your parent network.
> If you only have a few IP addresses, or you have IP addresses from
> different networks, you will probably want to just leave forward and
> reverse DNS entries to the owners of those networks.  Again, they have
> to be willing.
> Fair 'nuff?

Joe Yao				jsdy at - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
   This message is not an official statement of OSIS Center policies.

More information about the bind-users mailing list