Reverse DNS: Difference between revisions
imported>David MacQuigg (Add example) |
imported>David MacQuigg (many revisions) |
||
| Line 1: | Line 1: | ||
{{subpages}}{{TOC|right}} | {{subpages}}{{TOC|right}} | ||
On the [[Internet]], reverse DNS lookup or reverse DNS | On the [[Internet]], reverse DNS lookup or reverse DNS mapping (rDNS) is using the [[Domain Name System|Domain Name System (DNS)]] to look up a name that is associated with a given [[IP address]]. | ||
With normal, or forward DNS, a domain name is used to look up information associated with that domain, including the | With normal, or forward DNS, a domain name is used to look up information associated with that domain, including the IP addresses of its nameservers, webservers, and mailservers, and any general text information the domain owner would like to publish, including [[Email authentication|authentication records]] for the domain's [[Email system|mail transmitters]]. With reverse DNS, an IP address is used to look up a name associated with that address. | ||
Information in forward DNS is under the control of the domain owner. Information in reverse DNS is under the control of the network owner, or at least the lowest owner to which authority over a block of addresses has been delegated. | Information in forward DNS is under the control of the domain owner. Information in reverse DNS is under the control of the network owner, or at least the lowest owner to which authority over a block of addresses has been delegated. | ||
In general, reverse DNS is not as reliable as forward DNS. This is due to the communication barriers between owners of small domains and owners of large networks, and the lack of incentive for network owners to keep reverse DNS records up to date. Often they simply run a script which assigns numerical names in sequence to each address in their allocation. These automated names have no connection with the actual use of the address. | In general, reverse DNS is not as reliable as forward DNS. This is due to the communication barriers between owners of small domains and owners of large networks, and the lack of incentive for network owners to keep reverse DNS records up to date. Often they simply run a script which assigns numerical names in sequence to each address in their allocation. These automated names have no connection with the actual use of the address. | ||
Another factor making reverse DNS problematic is the trend to [[Virtual Private Server]]s - using one machine and IP address to host many unrelated domains. While it is possible to publish multiple names for one IP address, the resulting uncertainty can frustrate an authentication method relying on reverse DNS. | |||
== Examples == | == Examples == | ||
| Line 12: | Line 14: | ||
Reverse DNS provides a quick, but not very reliable method to verify the domain responsible for transmitting an email. See [[Email authentication]] for more discussion. Here are the steps:<br /> | Reverse DNS provides a quick, but not very reliable method to verify the domain responsible for transmitting an email. See [[Email authentication]] for more discussion. Here are the steps:<br /> | ||
1) The receiver gets a [[TCP]] connection request from a transmitter at [[IP address]] '''98.136.44.63.''' Request granted.<br /> | 1) The receiver gets a [[TCP]] connection request from a transmitter at [[IP address]] '''98.136.44.63.''' Request granted.<br /> | ||
2 | 2) The receiver does a reverse DNS query on the IP address.<br /> | ||
$ dig ptr 63.44.136.98.in-addr.arpa | $ dig ptr 63.44.136.98.in-addr.arpa | ||
... | ... | ||
| Line 19: | Line 20: | ||
63.44.136.98.in-addr.arpa. 1200 IN PTR smtp108.prem.mail.sp1.yahoo.com. | 63.44.136.98.in-addr.arpa. 1200 IN PTR smtp108.prem.mail.sp1.yahoo.com. | ||
... | ... | ||
3) The receiver does a normal DNS query on the resulting "IPname".<br /> | |||
$ dig a smtp108.prem.mail.sp1.yahoo.com | $ dig a smtp108.prem.mail.sp1.yahoo.com | ||
... | ... | ||
| Line 26: | Line 27: | ||
... | ... | ||
==== Explanatory notes ==== | ==== Explanatory notes ==== | ||
The | The text forms shown here are from a terminal session using the [[BIND]] utility 'dig'. In a real mail receiver, the queries and responses would be packets of binary data. | ||
'''in-addr.arpa''' is the branch of DNS holding all reverse query information. ARPA was the US government agency which started the Internet. The registry in now under the control of [[ICANN]]. | '''in-addr.arpa''' is the branch of DNS holding all reverse query information. ARPA was the US government agency which started the Internet. The registry in now under the control of [[ICANN]]. | ||
'''PTR''' is a "pointer" record in DNS. It "points" an address to a name, the opposite of an A record, which points a name to an address. | '''PTR''' is a "pointer" record in DNS. It "points" an address to a name, the opposite of an A record, which points a name to an address. | ||
The numbers in the ptr query are reversed, because of the way authority is delegated from the largest blocks to smaller blocks of IP addresses. In the query, numbers are just treated as normal characters, so '63' is a subdomain of '44', which is a subdomain of '136', etc. | |||
The third step is essential for authentication. It proves that the network owner and domain owner agree on the association of the domain name with the IP address. Otherwise a crooked domain owner could claim to be yahoo.com by simply publishing a A record with Yahoo's IP address. | |||
Revision as of 10:32, 28 October 2009
On the Internet, reverse DNS lookup or reverse DNS mapping (rDNS) is using the Domain Name System (DNS) to look up a name that is associated with a given IP address.
With normal, or forward DNS, a domain name is used to look up information associated with that domain, including the IP addresses of its nameservers, webservers, and mailservers, and any general text information the domain owner would like to publish, including authentication records for the domain's mail transmitters. With reverse DNS, an IP address is used to look up a name associated with that address.
Information in forward DNS is under the control of the domain owner. Information in reverse DNS is under the control of the network owner, or at least the lowest owner to which authority over a block of addresses has been delegated.
In general, reverse DNS is not as reliable as forward DNS. This is due to the communication barriers between owners of small domains and owners of large networks, and the lack of incentive for network owners to keep reverse DNS records up to date. Often they simply run a script which assigns numerical names in sequence to each address in their allocation. These automated names have no connection with the actual use of the address.
Another factor making reverse DNS problematic is the trend to Virtual Private Servers - using one machine and IP address to host many unrelated domains. While it is possible to publish multiple names for one IP address, the resulting uncertainty can frustrate an authentication method relying on reverse DNS.
Examples
Email authentication
Reverse DNS provides a quick, but not very reliable method to verify the domain responsible for transmitting an email. See Email authentication for more discussion. Here are the steps:
1) The receiver gets a TCP connection request from a transmitter at IP address 98.136.44.63. Request granted.
2) The receiver does a reverse DNS query on the IP address.
$ dig ptr 63.44.136.98.in-addr.arpa ... ;; ANSWER SECTION: 63.44.136.98.in-addr.arpa. 1200 IN PTR smtp108.prem.mail.sp1.yahoo.com. ...
3) The receiver does a normal DNS query on the resulting "IPname".
$ dig a smtp108.prem.mail.sp1.yahoo.com ... ;; ANSWER SECTION: smtp108.prem.mail.sp1.yahoo.com. 1800 IN A 98.136.44.63 ...
Explanatory notes
The text forms shown here are from a terminal session using the BIND utility 'dig'. In a real mail receiver, the queries and responses would be packets of binary data.
in-addr.arpa is the branch of DNS holding all reverse query information. ARPA was the US government agency which started the Internet. The registry in now under the control of ICANN.
PTR is a "pointer" record in DNS. It "points" an address to a name, the opposite of an A record, which points a name to an address.
The numbers in the ptr query are reversed, because of the way authority is delegated from the largest blocks to smaller blocks of IP addresses. In the query, numbers are just treated as normal characters, so '63' is a subdomain of '44', which is a subdomain of '136', etc.
The third step is essential for authentication. It proves that the network owner and domain owner agree on the association of the domain name with the IP address. Otherwise a crooked domain owner could claim to be yahoo.com by simply publishing a A record with Yahoo's IP address.