Configuring Reverse DNS in BIND 9

Reverse DNS is the process of using DNS to translate IP addresses to hostnames. Reverse DNS is the opposite of Forward DNS, which is used to translate hostnames to IP addresses.

One way to see reverse DNS at work is to use `nslookup`, a tool available on most operating systems.

Let’s use `nslookup` to do a forward and reverse DNS lookup on redhat.com:

##FORWARD LOOKUP

[phil@ns1 ~]$ nslookup redhat.com
Server:         206.71.175.XX
Address:        206.71.175.XX#53
 
Non-authoritative answer:
Name:   redhat.com
Address: 209.132.177.50

##REVERSE LOOKUP

[phil@ns1 ~]$ nslookup 209.132.177.50
Server:         206.71.175.XX
Address:        206.71.175.XX#53
 
Non-authoritative answer:
50.177.132.209.in-addr.arpa     name = www.redhat.com.
 
Authoritative answers can be found from:
177.132.209.in-addr.arpa        nameserver = ns3.redhat.com.
177.132.209.in-addr.arpa        nameserver = ns2.redhat.com.
177.132.209.in-addr.arpa        nameserver = ns1.redhat.com.

Reverse DNS is set up by configuring PTR records (Pointer Records) on your DNS server.

This differs from Forward DNS, which is configured with A records (Address Records).

Typically you or a DNS provider are in charge of Forward DNS. For Reverse DNS, the ISP that supplies your IP addresses will most likely have responsibility: you simply send them which hostname resolves to which IP, and they set up the PTR records. You can also set up Reverse DNS on your own name servers if you choose, which is what this article covers.

Your ISP or hosting provider may delegate your own range of IP addresses to you, or you may have NAT set up for private IP space you control; in either case you must configure Reverse DNS through PTR records on your own DNS server.

Many systems administrators configure Forward DNS but not Reverse DNS. In most cases things will work fine, but some applications perform Reverse DNS lookups, and without PTR records you can run into latency problems and a whole slew of other issues.

Common applications and protocols such as IRC, SMTP, backup utilities, and databases sometimes use Reverse DNS.

It is best practice to configure Reverse DNS from the get-go, to avoid troubleshooting headaches.

Below is a quick example how-to.

Say you NAT private IPs in your network, 192.168.0.1-192.168.0.255.

STEP 1 Create a zone file, named as below, and place it where you store your zone files:

0.168.192.in-addr.arpa

(Write the first three octets of your address space in reverse order, dropping the last octet, and append .in-addr.arpa.)

Your zone file will look like this (between the ## markers):

#######
 
$TTL 86400              ; default TTL for the records below; without $TTL, BIND 9 falls back to the SOA minimum and logs a warning

@       IN      SOA     ns1.yournameserver.com. root.domain.com. (
                        2007040301      ; serial
                        14400           ; refresh
                        3600            ; retry
                        604800          ; expire
                        10800           ; minimum (negative-caching TTL)
                        )
 
0.168.192.in-addr.arpa.         IN      NS      ns1.yournameserver.com.
0.168.192.in-addr.arpa.         IN      NS      ns2.yournameserver.com.
 
2               IN      PTR     blah1.domain.com.
3               IN      PTR     blah2.domain.com.
4               IN      PTR     blah3.domain.com.
5               IN      PTR     blah4.domain.com.
6               IN      PTR     blah5.domain.com.
 
########

The example zone file above states the following:

192.168.0.2 blah1.domain.com
192.168.0.3 blah2.domain.com
192.168.0.4 blah3.domain.com
192.168.0.5 blah4.domain.com
192.168.0.6 blah5.domain.com

The numbers 2-6 are the last octet of 192.168.0.x, and PTR is the pointer record type.

STEP 2 Enter the zone into your named.conf (or named.boot) as you would a regular zone.

This would go into your Master (Primary) DNS server:

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "0.168.192.in-addr.arpa";
        allow-update { none; };
};

This would go into your Slave (Secondary) DNS server:

zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "0.168.192.in-addr.arpa";
        masters { whateveryourmasteripis; };
};

STEP 3

Voilà, if configured right you should be up and running. Make sure to tail your log file when you restart DNS to catch any syntax errors.
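As an added example (not part of the original post), the following Python script applies the STEP 1 naming rule in both directions and checks a reverse zone file like the one above: it maps each PTR back to its IP, flags the two loading mistakes that come up in the comments (a name missing its trailing dot, and an empty label from `..`), and confirms each PTR against its A record, the forward-confirmed reverse DNS check that SMTP and other reverse-lookup consumers rely on. The zone text and A records are constructed sample data.

```python
import ipaddress
import re

# Constructed sample zone modelled on the article's 0.168.192.in-addr.arpa file, with two
# deliberately broken PTRs (missing trailing dot, empty label) to show what the checker catches.
SAMPLE_ZONE = """\
$TTL 86400
@   IN  SOA  ns1.yournameserver.com. root.domain.com. ( 2007040301 14400 3600 604800 10800 )
    IN  NS   ns1.yournameserver.com.
2   IN  PTR  blah1.domain.com.
3   IN  PTR  blah2.domain.com.
4   IN  PTR  blah3.domain.com
5   IN  PTR  blah4..domain.com.
"""
# Constructed forward (A) data the PTRs must agree with (forward-confirmed reverse DNS).
FORWARD_A = {"blah1.domain.com.": "192.168.0.2", "blah2.domain.com.": "192.168.0.99"}
# One PTR per line with its own owner label, as in the article's zone file.
PTR_RE = re.compile(r"^(\S*)\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)", re.IGNORECASE)

def reverse_name(ip):
    """192.168.0.2 -> '2.0.168.192.in-addr.arpa' (octets reversed, suffix appended)."""
    return ipaddress.ip_address(ip).reverse_pointer

def reverse_name_to_ip(name):
    """'2.0.168.192.in-addr.arpa.' -> '192.168.0.2'; the inverse of reverse_name."""
    name = name.rstrip(".")
    if name.endswith(".in-addr.arpa"):
        name = name[: -len(".in-addr.arpa")]
    return ".".join(reversed(name.split(".")))

def check_reverse_zone(zone_text, origin, forward_a):
    """Map each PTR to its IP and report mistakes BIND or an FCrDNS check would trip on."""
    ptrs, issues = {}, []
    for line in zone_text.splitlines():
        m = PTR_RE.match(line)
        if not m:
            continue
        owner, target = m.groups()
        # A relative owner such as "2" is completed with the zone origin, exactly as BIND does.
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        ip = reverse_name_to_ip(fqdn)
        if ".." in owner or ".." in target:
            issues.append(f"{ip}: empty label in '{target}' (zone fails to load)")
        elif not target.endswith("."):
            issues.append(f"{ip}: '{target}' has no trailing dot; BIND expands it to {target}.{origin}")
        elif forward_a.get(target) != ip:
            issues.append(f"{ip}: PTR -> {target} but A record gives {forward_a.get(target)}")
        ptrs[ip] = target
    return ptrs, issues
```

On a real server, `named-checkzone 0.168.192.in-addr.arpa <zonefile>` performs BIND's own syntax check; the script adds the forward/reverse consistency check, which named-checkzone does not do.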

15 Responses to “Configuring Reverse DNS in BIND 9”

  1. gj says:

    Thanks, this was very helpful. I hope I understand right, since I made a slave to look up using my ISP's reverse record as the master. I am presuming the ISP is still the authoritative owner for the reverse record, but mine only showed as NON-authoritative with dig until I added this.

  2. Phil Chen says:

    Hi gj,

    I don’t use my data center ISP for DNS, though they still provide the authoritative answers for the outside world in regards to reverse lookups on my IP space. I brought up my own DNS servers and adjusted my servers’ resolv.conf files to point to them instead of the ISP, so all my apps rely on my own DNS servers to facilitate both forward and reverse lookups. So essentially I do not use the ISP as a master and myself as the slave, but have my servers’ applications using my own DNS for lookups. I am not concerned with reverse lookups from the outside world but more with my own applications doing lookups. Though I do keep my ISP informed of what the reverse lookups should be.

    I did this because my ISP screwed up reverse DNS one time and took 5 hours to fix it, something I could have fixed in possibly minutes. During this time my application went haywire, specifically caused by a database that had reverse lookups on; I have since turned off the DB reverse lookup setting and pointed all my servers to my own DNS servers.

  3. irado says:

    I did exactly what you suggested but it shows an error and I am unable to remove it :( note:

    Sep 28 14:28:14 mercurio named[70000]: zone 224.54.201.in-addr.arpa/IN: loading from master file master/stemme.com.br.rev failed: empty label

    obviously, the reverse is not as I expected:

    root@someone/var/named/etc/namedb/master# : host 201.54.224.xxx
    Host xxx.224.54.201.in-addr.arpa not found: 2(SERVFAIL)

    I redid the DNS server 1,000+ times, no results at all :(

    any hint?

    TIA

  4. Phil Chen says:

    Make sure your fully qualified domain names are not missing the trailing . at the end. Also look for .. with no characters in between; you should have at least one octet. Maybe you can post the zone file and named.conf entry.

    P

  5. Punta says:

    Clear, concise & useful! Thanks.

  6. […] defines forward name resolution, e.g. pokeroconnor.com to octal IP addresses (123.20.33.122). Reverse zone files then do the opposite (basically), providing octal -> name […]

  7. Ravi says:

    I set up reverse DNS as explained by you, but reverse DNS is still not working. I get the following error
    ** server can’t find xx.xx.xx.xx.in-addr.arpa: NXDOMAIN
    while doing nslookup xx.xx.xx.xx

  8. Krishnadas says:

    Very useful and simple….
    Thanks

  9. sadotmd says:

    Right at the time!
    Thanks

  10. Suranga says:

    Thanks, this has been really helpful for me.

  11. herbalife says:

    Hi.
    Is it mandatory to configure the reverse zone for the slave/secondary ?
    Right now I have set up ns1 primary on my IP and ns2 to point to the bind of another friend IP, but he has no record for the reverse zone like you specified. What happens then?

    Thanks.

  12. cr0security says:

    Thanks a lot, I need it to configure my server. Thanks for writing this once more.

  13. […] via Configuring Reverse DNS in BIND 9 | Phil Chen. […]
