## Reverse DNS and PTR Records
Standard DNS translates hostnames to IP addresses (forward DNS). Reverse DNS does the opposite: it maps an IP address back to a hostname. The record type used for this mapping is a **PTR record** (Pointer record).
## Why Reverse DNS Matters
Reverse DNS is invisible to most users but critical in several scenarios:
**Email deliverability.** Mail servers use reverse DNS to validate that the IP address sending mail has a matching PTR record. A mail server at `203.0.113.10` should have a PTR record resolving to `mail.example.com`, and `mail.example.com` should have an A record pointing back to `203.0.113.10`. This forward-confirmed reverse DNS (FCrDNS) is checked by spam filters — servers without it see higher spam scores or outright rejection.
**Security and logging.** Network logs, firewall logs, and intrusion detection systems that reverse-resolve IP addresses are far easier to read with hostnames instead of bare IPs. `mail.example.com` is immediately meaningful; `203.0.113.10` requires manual lookup.
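**Abuse identification.** When investigating suspicious traffic, reverse DNS quickly reveals the organization and hostname associated with an IP, speeding up incident response. Because the PTR value is set by whoever controls the address block, treat it as a lead until the forward lookup confirms it.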
## How Reverse DNS Works
DNS stores reverse records in special zones under `in-addr.arpa` (for IPv4) and `ip6.arpa` (for IPv6). The IP address is written in reverse order and the suffix is appended to it.
For the IP address `203.0.113.10`:
1. Reverse the octets: `10.113.0.203`
2. Append `in-addr.arpa`: `10.113.0.203.in-addr.arpa`
3. A PTR record at this name returns the hostname
```
10.113.0.203.in-addr.arpa. 3600 IN PTR mail.example.com.
```
For IPv6 address `2001:db8::1`:
1. Expand to full notation: `2001:0db8:0000:0000:0000:0000:0000:0001`
2. Reverse nibble by nibble: `1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2`
3. Append `.ip6.arpa`
4. A PTR record at that name returns the hostname
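The two procedures above in code, plus the inverse mapping that is useful when PTR query names show up in DNS logs and need turning back into addresses. This is an added example, not part of the original page; the function names are hypothetical.

```python
import ipaddress

HEX = set("0123456789abcdef")

def reverse_name(ip: str) -> str:
    """Build the PTR owner name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # four decimal octets
        suffix = "in-addr.arpa"
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix

def address_from_reverse_name(name: str):
    """Invert reverse_name(), e.g. for PTR query names found in DNS logs.

    Returns an ipaddress object, or None when the name is not a complete
    host entry in the reverse tree (a zone apex, an RFC 2317 label, or an
    ordinary hostname).
    """
    labels = name.rstrip(".").lower().split(".")
    host, suffix = labels[:-2], labels[-2:]
    try:
        if suffix == ["in-addr", "arpa"] and len(host) == 4:
            return ipaddress.IPv4Address(".".join(reversed(host)))
        if suffix == ["ip6", "arpa"] and len(host) == 32 and all(l in HEX for l in host):
            return ipaddress.IPv6Address(int("".join(reversed(host)), 16))
    except ValueError:
        pass  # octet out of range, non-numeric label, and similar
    return None

if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::1"):
        name = reverse_name(ip)
        print(ip, "->", name, "->", address_from_reverse_name(name))
```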
## Who Controls Reverse DNS?
This is the most important — and most misunderstood — aspect of PTR records. **You cannot set PTR records yourself through your regular DNS provider.** PTR records are controlled by whoever *owns the IP address block*.
- If your server is on a VPS (DigitalOcean, Linode, Vultr, AWS, etc.), the cloud provider controls the `/24` block. You configure PTR records through their control panel.
- If you have a dedicated server with an ISP, the ISP controls the IP block. You request PTR records via their support portal or customer portal.
- If your organization has its own IP block (an ISP or large enterprise with ARIN/RIPE/APNIC allocation), your organization controls the reverse zone and can delegate it.
## Setting PTR Records on Common Cloud Providers
**DigitalOcean:** Set the hostname of your Droplet to the FQDN you want (e.g. `mail.example.com`). DigitalOcean automatically creates a PTR record matching the Droplet hostname.
**Linode/Akamai Cloud:** In the Linode dashboard, go to Linodes > [Your Linode] > Network > Reverse DNS. Enter the FQDN and submit.
**AWS EC2:** Elastic IP addresses can have reverse DNS set by submitting a form in the AWS console (EC2 > Elastic IPs > Actions > Update Reverse DNS). AWS must approve and forward the request.
**Vultr:** In the control panel, go to your instance > Settings > IPv4. Enter the reverse DNS hostname next to your IP.
**Hetzner:** In the Hetzner Cloud console, select your server > Networking > Primary IP > Edit Reverse DNS.
## Verifying Reverse DNS
```bash
# Forward lookup
dig mail.example.com A
# Reverse lookup
dig -x 203.0.113.10
# Or using host command
host 203.0.113.10
```
A successful reverse lookup returns:
```
10.113.0.203.in-addr.arpa domain name pointer mail.example.com.
```
Forward-confirmed reverse DNS (FCrDNS) requires that:
1. `PTR` for `203.0.113.10` → `mail.example.com`
2. `A` for `mail.example.com` → `203.0.113.10`
Both must match. If the PTR hostname points to a different IP, FCrDNS validation fails.
## Reverse DNS for Email Servers
For a mail server, the PTR record should match your mail server's hostname — ideally the same hostname used in the SMTP `HELO`/`EHLO` greeting.
A properly configured email server at `203.0.113.10`:
```
; Forward DNS
mail.example.com. A 203.0.113.10
; Reverse DNS (configured at cloud provider)
10.113.0.203.in-addr.arpa. PTR mail.example.com.
; MX record pointing to the mail server
example.com. MX 10 mail.example.com.
```
All three records are consistent and cross-reference each other.
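The FCrDNS rule and the mail-server consistency described above, written as a check a receiving server or log-enrichment job could apply (added example, not from the original page). The record table is constructed sample data, `lookup` is a stand-in for a real resolver, and the result labels are hypothetical.

```python
import ipaddress

# Constructed sample records (documentation addresses), keyed by (owner, type).
RECORDS = {
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.10"],
    # PTR claims a name whose A record points to a different address.
    ("20.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    # PTR exists but the name has no address record at all.
    ("30.113.0.203.in-addr.arpa", "PTR"): ["Host30.Example.NET."],
}

def norm(host):
    """Hostnames compare case-insensitively and without the trailing dot."""
    return host.rstrip(".").lower()

def lookup(name, rtype):
    """Stand-in resolver over RECORDS; replace with a real DNS query."""
    return RECORDS.get((norm(name), rtype), [])

def fcrdns(ip, resolve=lookup):
    """Return the PTR hostnames of `ip` whose A/AAAA records include `ip`."""
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for ptr in resolve(addr.reverse_pointer, "PTR"):
        forward = resolve(ptr, rtype)
        # Compare parsed addresses so IPv6 text forms cannot cause a mismatch.
        if any(ipaddress.ip_address(a) == addr for a in forward):
            confirmed.append(norm(ptr))
    return confirmed

def check_mail_client(ip, helo, resolve=lookup):
    """Classify a connecting SMTP client by PTR, FCrDNS and HELO name."""
    if not resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR"):
        return "no-ptr"
    confirmed = fcrdns(ip, resolve)
    if not confirmed:
        return "ptr-unconfirmed"   # PTR alone is only the IP owner's claim
    return "ok" if norm(helo) in confirmed else "helo-mismatch"

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(ip, check_mail_client(ip, "mail.example.com"))
```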
## Delegated Reverse Zones
If your organization controls a large enough IP block (at least a `/24`), your ISP or RIR can delegate the reverse zone to your own nameservers. You then manage PTR records like any other DNS zone.
For a `/24` like `203.0.113.0/24`:
```
; Delegated to your nameservers
113.0.203.in-addr.arpa. NS ns1.example.com.
113.0.203.in-addr.arpa. NS ns2.example.com.
```
Smaller blocks (e.g. `/28`) use an RFC 2317 classless delegation via CNAME.
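What that classless delegation looks like in the parent `/24` zone, generated for a sub-block (added example, not from the original page). It assumes the block `203.0.113.16/28`, the nameservers from the delegation above, and the `<first-octet>/<prefix-length>` label style used in the RFC 2317 examples; the customer's nameservers then hold the PTR records inside the child zone.

```python
import ipaddress

def rfc2317_records(block, nameservers):
    """Parent-zone records delegating reverse DNS for a block smaller than a /24."""
    net = ipaddress.ip_network(block)   # raises ValueError if host bits are set
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("expected an IPv4 prefix between /25 and /32")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    # Child zone label, e.g. "16/28"; any label both sides agree on works.
    child = f"{first}/{net.prefixlen}.{parent}"
    lines = [f"{child} NS {ns}" for ns in nameservers]
    # One CNAME per address redirects the normal PTR name into the child zone.
    for addr in net:
        last = str(addr).split(".")[3]
        lines.append(f"{last}.{parent} CNAME {last}.{child}")
    return lines

if __name__ == "__main__":
    for line in rfc2317_records("203.0.113.16/28",
                                ["ns1.example.com.", "ns2.example.com."]):
        print(line)
```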
## Next Steps
- MX Records: Setting Up Email for Your Domain — configure MX records alongside PTR for complete email DNS
- DNS Troubleshooting Guide — diagnose PTR record and FCrDNS failures
- Setting Up DNS for Your Domain — complete DNS configuration reference