What Is Reverse DNS, or rDNS?
The Domain Name System (DNS) translates human-readable hostnames into IP addresses, a process known as forward DNS resolution. For example, when a user enters www.example.com into a browser, DNS resolves that name to the IP address of the server hosting the site.
Reverse DNS – sometimes called rDNS – performs the opposite function. It determines the hostname associated with a given IP address. This process is known as reverse resolution or reverse DNS delegation and is accomplished using pointer (PTR) records.
Reverse DNS is commonly used by servers and network services to identify the human-readable name associated with an IP address.
How It Works
The rDNS system is rooted under two special domains:
- in-addr.arpa for IPv4
- ip6.arpa for IPv6
Each IP address maps to a PTR record within one of these domains. The PTR record points the IP address back to a hostname. Maintaining accurate PTR records is essential for proper functionality.
ARIN requires organizations to maintain PTR records for their assigned address space to ensure the rDNS system functions reliably.
Why It Matters
Reverse DNS plays an important role in a variety of operational and security-related functions, including:
- Network troubleshooting and diagnostics
- Identifying suspicious or generic hostnames associated with dynamically assigned addresses
- Email spam and phishing detection
- Logging, analytics, and audit trails on web and application servers
Many email servers and security systems rely on properly configured rDNS as part of reputation scoring and traffic validation.
Managing Delegations Through ARIN
ARIN provides delegation management tools that allow organizations to manage reverse DNS for both IPv4 and IPv6 networks.
IPv4 delegations are managed on bit boundaries, such as /8, /16, and /24. IPv6 reverse DNS is managed on nibble boundaries, meaning every four bits of the IPv6 address.
ARIN supports delegations for CIDR-aligned IPv4 blocks of /24 and larger. Delegation sizes are determined by the CIDR blocks that make up an organization’s direct allocation.
Examples of IPv4 rDNS Delegation
If an organization receives a /23 IPv4 block from ARIN, the allocation is composed of two /24 delegations. Each /24 can be delegated to different name servers.
In contrast, an organization holding a /16 allocation would receive a single /16 reverse DNS delegation and manage name servers for that block as a whole.
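The boundary rules above can be worked through in code. The following Python sketch is an added example, not ARIN's tooling: it lists the reverse zones that cover a block and finds which of them holds the PTR name for an address. It goes beyond the two IPv4 cases in the text by also handling IPv6 nibble boundaries. The function names and sample blocks are constructed, and the rule that a block between boundaries is split at the next longer boundary is an assumption generalized from the /23 example.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the reverse zone names that together cover a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen > 24:
            raise ValueError("IPv4 blocks smaller than /24 are out of scope here")
        step, suffix = 8, "in-addr.arpa"   # one DNS label per octet
    else:
        step, suffix = 4, "ip6.arpa"       # one DNS label per nibble
    # Round the prefix length up to the next boundary (assumed split rule).
    boundary = max(step, -(-net.prefixlen // step) * step)
    labels = boundary // step
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        if net.version == 4:
            parts = str(sub.network_address).split(".")
        else:
            parts = list(sub.network_address.exploded.replace(":", ""))
        # Reverse zones list the most specific label first.
        zones.append(".".join(reversed(parts[:labels])) + "." + suffix)
    return zones

def covering_zone(addr, zones):
    """Return (PTR owner name, zone from `zones` that contains it, or None)."""
    name = ipaddress.ip_address(addr).reverse_pointer
    for zone in zones:
        if name.endswith("." + zone):
            return name, zone
    return name, None

if __name__ == "__main__":
    # Constructed sample blocks: a /23, a /16 and an IPv6 /33.
    for block in ("198.18.4.0/23", "198.18.0.0/16", "2001:db8::/33"):
        print(block, "->", reverse_zones(block))
    print(covering_zone("198.18.5.25", reverse_zones("198.18.4.0/23")))
```

Comparing this list against the zones actually served by your name servers is a quick way to spot a delegation that was missed or left behind after a block changed hands.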
How to Modify Delegations
Organizations have two primary options for managing delegations:
- ARIN Online: Best suited for managing a small number of delegations
- RESTful Web Service: Designed for organizations managing large numbers of delegations programmatically
To use the RESTful web service, organizations must first obtain an API key through ARIN.
Who Can Manage rDNS?
Both direct and indirect resource holders can manage reverse DNS under certain conditions.
Organizations that receive address space directly from ARIN can manage their own reverse DNS delegations. Organizations receiving address space from an ISP may also manage reverse DNS through shared authority using SWIP records.
If address space is reassigned or reallocated from an ISP’s /16 or larger block without shared authority, DNS management remains with the ISP.
ISPs should promptly remove reassignments and reallocations when customers disconnect to ensure reverse DNS authority is properly revoked.
Securing Reverse DNS with DNSSEC
ARIN supports securing reverse DNS zones using Domain Name System Security Extensions (DNSSEC). DNSSEC protects DNS data by digitally signing records using cryptographic keys.
Once a zone is signed, organizations must submit Delegation Signer (DS) records to ARIN to indicate that DNSSEC is enabled. DS records can be managed through ARIN Online or via the RESTful provisioning system.
DNSSEC helps protect reverse DNS records from tampering and spoofing, improving overall network trust and security.