Reverse DNS for IPv4 & IPv6 · 2020. 8. 26. · v1.1

Transcript of the APNIC webinar course "Reverse DNS for IPv4 & IPv6" (slides dated 8/25/20, v1.1).

Slide 1-2: Reverse DNS for IPv4 & IPv6 – WEBINAR COURSE

Slide 3: Overview
• What is Reverse DNS?
• Reverse DNS in IPv4
• Reverse Delegation
• Reverse DNS in IPv6

Slide 4: DNS Overview
• DNS is a distributed, hierarchical system for translating objects
  o A critical piece of the Internet infrastructure

[Diagram: Host → Recursive DNS → Root, GTLD, Authoritative DNS]

Slide 5: What is Reverse DNS?
• Reverse DNS (rDNS) maps IP addresses to domain names

[Diagram: Person (Host) ↔ Address (IPv4/IPv6)]

server1.apnic.net
IPv4: 192.168.1.100
IPv6: 2001:DB8::1

FORWARD DNS:
server1.apnic.net. A 192.168.1.100
server1.apnic.net. AAAA 2001:DB8::100

REVERSE DNS:
$ORIGIN 1.168.192.in-addr.arpa.
100 PTR server1.apnic.net.

$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
1.0.0.0 PTR server1.apnic.net.

Slide 6: Why use Reverse DNS?
• Reverse lookup
• Diagnostics
• Service denial
  o Allow access when fully reverse delegated
• Spam identification
  o Failed reverse lookup results in a spam penalty score
• Registration responsibilities
  o APNIC members must make sure that all their address space is properly reverse delegated

Slide 7: DNS Hierarchy Tree
Mapping numbers to names – ‘reverse DNS’

[Diagram: DNS tree rooted at "." with TLDs net, org, com and arpa; example subtrees apnic (whois, www, training → ws1, ws2) and iana (www)]

Slide 8: .arpa Zone
• Address and Routing Parameter Area
• RFC 3172

https://www.iana.org/domains/arpa

in-addr.arpa. 172800 IN NS a.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS b.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS d.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS e.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS f.in-addr-servers.arpa.

[Diagram: Root . → arpa → in-addr, in-addr-servers, ip6, ip6-servers]

Slide 9: Reverse DNS in IPv4
FQDN: 22.64.202.in-addr.arpa.

[Diagram: Root . → net, org, com, arpa → in-addr → 202, 203, 204, 210 → 64 → 22]

Follows the octet boundaries for each node.

Slide 10: Reverse DNS in IPv4
Create generic rDNS entries for the entire zone/block.

REVERSE DNS for 192.168.1.0/24
1.1.168.192.in-addr.arpa. PTR node1.zone1.example.net.
2.1.168.192.in-addr.arpa. PTR node2.zone1.example.net.
3.1.168.192.in-addr.arpa. PTR node3.zone1.example.net.
4.1.168.192.in-addr.arpa. PTR node4.zone1.example.net.
5.1.168.192.in-addr.arpa. PTR node5.zone1.example.net.
6.1.168.192.in-addr.arpa. PTR node6.zone1.example.net.
7.1.168.192.in-addr.arpa. PTR node7.zone1.example.net.
8.1.168.192.in-addr.arpa. PTR node8.zone1.example.net.
9.1.168.192.in-addr.arpa. PTR node9.zone1.example.net.
10.1.168.192.in-addr.arpa. PTR node10.zone1.example.net.
…
254.1.168.192.in-addr.arpa. PTR node254.zone1.example.net.
255.1.168.192.in-addr.arpa. PTR node255.zone1.example.net.

Slide 11: Reverse DNS in IPv4
$ORIGIN or @ denotes the suffix that will be appended to the record.

REVERSE DNS for 192.168.1.0/24
$ORIGIN 1.168.192.in-addr.arpa.
1 PTR node1.zone1.example.net.
2 PTR node2.zone1.example.net.
3 PTR node3.zone1.example.net.
4 PTR node4.zone1.example.net.
5 PTR node5.zone1.example.net.
6 PTR node6.zone1.example.net.
7 PTR node7.zone1.example.net.
8 PTR node8.zone1.example.net.
9 PTR node9.zone1.example.net.
10 PTR node10.zone1.example.net.
…
254 PTR node254.zone1.example.net.
255 PTR node255.zone1.example.net.

Slide 12: Reverse Delegation in IPv4
• Follows the Internet addressing structure
• Reverse delegation is based on octet boundaries
  o /8, /16, and /24 delegations
  o > /24 but less than /16 – register each /24 zone
  o < /24 delegations – use “classless in-addr.arpa delegation” (RFC 2317)

Slide 13: Reverse Delegation in IPv4 – Larger than /24
• For address prefixes larger than /24 but smaller than /16, create multiple zones – one for each /24.

REVERSE ZONE for 192.168.0.0/24
$ORIGIN 0.168.192.in-addr.arpa.
1 PTR node1.zone1.example.net.
2 PTR node2.zone1.example.net.
3 PTR node3.zone1.example.net.
4 PTR node4.zone1.example.net.
5 PTR node5.zone1.example.net.

REVERSE ZONE for 192.168.1.0/24
$ORIGIN 1.168.192.in-addr.arpa.
1 PTR node1.zone2.example.net.
2 PTR node2.zone2.example.net.
3 PTR node3.zone2.example.net.
4 PTR node4.zone2.example.net.
5 PTR node5.zone2.example.net.

Slide 14: Reverse Delegation in IPv4 – Classless
• Delegate /25

REVERSE ZONE for 192.168.2.0/24
$ORIGIN 2.168.192.in-addr.arpa.

; /25
0/25 NS ns1.customer1.net.
0/25 NS ns2.customer1.net.
1 CNAME 1.0/25.2.168.192.in-addr.arpa.
2 CNAME 2.0/25.2.168.192.in-addr.arpa.
3 CNAME 3.0/25.2.168.192.in-addr.arpa.
…

; /25
128/25 NS ns1.customer2.net.
128/25 NS ns2.customer2.net.
; the CNAME target keeps the same last octet as the owner, so it matches the
; "129 PTR ..." owners in the customer2 zone on the next slide (RFC 2317 layout)
129 CNAME 129.128/25.2.168.192.in-addr.arpa.
130 CNAME 130.128/25.2.168.192.in-addr.arpa.
131 CNAME 131.128/25.2.168.192.in-addr.arpa.
…

Slide 15: Reverse Delegation in IPv4 – Classless
• Delegate /25

REVERSE ZONE FOR 192.168.2.0/25
$ORIGIN 0/25.2.168.192.in-addr.arpa.
1 PTR host1.customer1.net.
2 PTR host2.customer1.net.
3 PTR host3.customer1.net.
4 PTR host4.customer1.net.
5 PTR host5.customer1.net.

REVERSE ZONE FOR 192.168.2.128/25
$ORIGIN 128/25.2.168.192.in-addr.arpa.
129 PTR host1.customer2.net.
130 PTR host2.customer2.net.
131 PTR host3.customer2.net.
132 PTR host4.customer2.net.
133 PTR host5.customer2.net.

Slide 16: Reverse Delegation – Responsibilities
• APNIC
  o manages the address blocks delegated in the region
  o processes requests for reverse delegation of delegated blocks
• LIR and members
  o Be familiar with APNIC procedures
  o Ensure that addresses are reverse-mapped
  o Maintain nameservers for allocations
  o Minimize pollution of DNS

Slide 17: Reverse Delegation Procedures
• Access MyAPNIC.
• Create a whois object for the reverse zone
• Verify the nameserver and domain set up
• Provide FQDN of two nameservers
• Provide the maintainer password to complete the change.

Resources > Whois updates > Add > Object Type: domain

Slide 18: Whois Domain Object

domain: 28.12.202.in-addr.arpa
descr: in-addr.arpa zone for 28.12.202.in-addr.arpa
admin-c: NO4-AP
tech-c: AIC1-AP
zone-c: NO4-AP
nserver: cumin.apnic.net
nserver: tinnie.apnic.net
nserver: tinnie.arin.net
mnt-by: MAINT-APNIC-AP
mnt-lower: MAINT-AP-DNS
changed: [email protected] 20021023
changed: [email protected] 20040109
changed: [email protected] 20091007
changed: [email protected] 20111208
source: APNIC

[Callouts: Reverse Zone (domain), Contacts (admin-c, tech-c, zone-c), Nameservers (nserver), Maintainers (mnt-by, mnt-lower)]

Slide 19: Reverse DNS in IPv6

[Diagram: Root . → net, org, com, arpa → ip6 → IPv6 addresses]

IPv6 Prefix: 2001:DB8::/64
FQDN: 0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.

Follow the nibble boundaries for each node. (RFC 3152)

Slide 20: Reverse DNS in IPv6
What is the FQDN of 2001:dd8:8:701::10?

dig -x 2001:dd8:8:701::10

; DiG 9.14.10 -x 2001:dd8:8:701::10
;; global options: +cmd
;; Got answer:
;; ->>HEADER

Slide 21: Reverse DNS in IPv6
• Reverse nibble format for the zone.
• Use $ORIGIN to keep the actual lines with the PTR value simple.

REVERSE ZONE for 2001:DB8::/64

; 2001:DB8::/124
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
1 PTR r1.core0.example.net.
2 PTR r2.core0.example.net.
3 PTR r3.core0.example.net.
4 PTR r4.core0.example.net.
5 PTR r5.core0.example.net.

; 2001:DB8::0010/124
$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
1 PTR sw1.core0.example.net.
2 PTR sw2.core0.example.net.
3 PTR sw3.core0.example.net.
4 PTR sw4.core0.example.net.
5 PTR sw5.core0.example.net.

Slide 22: Reverse DNS in IPv6
• Most commonly using /48 or /64 per zone

REVERSE ZONE for 2001:DB8:1::/48

; 2001:DB8:1:0::/64 (2001:DB8:0001:0000::/64)
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
1 PTR host1.zone1.example.net.
2 PTR host2.zone1.example.net.
3 PTR host3.zone1.example.net.
4 PTR host4.zone1.example.net.
5 PTR host5.zone1.example.net.

; 2001:DB8:1:1::/64 (2001:DB8:0001:0001::/64)
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa.
1 PTR host1.zone2.example.net.
2 PTR host2.zone2.example.net.
3 PTR host3.zone2.example.net.
4 PTR host4.zone2.example.net.
5 PTR host5.zone2.example.net.

Slide 23: Reverse Delegation in IPv6
• Follows the Internet addressing structure
• Delegate using nibble or 4-bit boundaries
  o /32 and /48 reverse zones
  o If allocated a /32, register a /32 reverse zone.

Slide 24: Reverse DNS in IPv6 – Example
Star Networks (an ISP) has been allocated the 2406:6400::/32 IPv6 address block.

REVERSE ZONE for 2406:6400::/32
$ORIGIN 0.0.4.6.6.0.4.2.ip6.arpa.

; INFRASTRUCTURE 2406:6400::/48
0.0.0.0 NS ns1.star.net.
0.0.0.0 NS ns2.star.net.

; Customer P2P links 2406:6400:1::/48
1.0.0.0 NS ns1.star.net.
1.0.0.0 NS ns2.star.net.

; Customer 1 2406:6400:2::/48
2.0.0.0 NS ns1.customer1.net.
2.0.0.0 NS ns2.customer1.net.

; Customer 2 2406:6400:3::/48
3.0.0.0 NS ns1.customer2.net.
3.0.0.0 NS ns2.customer2.net.

; Customer 3 2406:6400:4::/48
4.0.0.0 NS ns1.customer3.net.
4.0.0.0 NS ns2.customer3.net.

; Customer 4 2406:6400:5::/48
5.0.0.0 NS ns1.customer4.net.
5.0.0.0 NS ns2.customer4.net.

; Customer 5 2406:6400:6::/48
6.0.0.0 NS ns1.customer5.net.
6.0.0.0 NS ns2.customer5.net.

Delegate customer blocks

Slide 25: Reverse DNS in IPv6 – Example
• Infrastructure Reverse Zone

REVERSE ZONE for 2406:6400::/48

; Loopback addresses
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
1 PTR r1-lo0.pop1.star.net.
2 PTR r2-lo0.pop1.star.net.
3 PTR r3-lo0.pop1.star.net.
4 PTR r4-lo0.pop1.star.net.

; P2P links
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
1 PTR ge0-1.cr1.example.net.
2 PTR ge0-0.br1.example.net.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
1 PTR ge0-1.cr1.example.net.
2 PTR ge0-0.br1.example.net.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.0.0.0.0.0.0.4.6.6.0.4.2.ip6.arpa.
1 PTR ge0-1.cr1.example.net.
2 PTR ge0-0.br1.example.net.

Slide 26: Reverse DNS in IPv6
• Also read RFC 8501

Slide 27: Thank You! END OF SESSION

Slide 28
• Any questions?
Please remember to fill out the feedback form.
Slide handouts will be available after completing the survey.

Slide 29
• APNIC Helpdesk Chat