Resource Management

Reverse Resolution

The most common DNS resolution translates a domain name into an IP address. There is also another type of resolution, which translates IP addresses into names. This type of resolution is called "inverse resolution".

Among the main advantages of having inverse resolution configured we can highlight the following:

It was used initially as an auxiliary method to secure a server from unauthorized remote access. A server receiving a remote connection would check whether the direct resolution (name to IP address) matches the result of an inverse resolution.

Currently, some FTP servers do not allow connections from IP addresses with no inverse resolution.

It is also possible to find HTTP servers (web servers) configured to do an inverse resolution every time a new connection is initiated. The information from the inverse resolution is then stored in log files for statistical purposes. In this case, a client without inverse resolution could face some delays while the DNS servers try to translate its IP address to a name.

More recently, it has become very common to have email servers configured to check for inverse resolution in an attempt to decrease the number of spam and virus messages received.

There are also tools like "traceroute", which are used to troubleshoot network problems. Tools of this type try to do inverse resolution when tracing the path between two points on the Internet, to show not only the IP addresses of intermediate points but also their names, which might help identify possible sources of problems.

Therefore, LACNIC recommends having inverse delegation configured and enabled for those IP blocks it allocates.

For inverse resolution two special domain names were created: in-addr.arpa for IPv4 addresses and ip6.arpa for IPv6 addresses.

In order to insert an IP address into the DNS hierarchy it is necessary to create a name that will represent the IP address in that structure.

As previously mentioned, in the domain name hierarchy the leftmost part of a given name is the most specific one. With IP addresses it is the opposite, since the rightmost part of an IP address is the most specific, as it indicates the host inside a network.

To solve this, a simple procedure is necessary: the order of the IP address components is inverted, and then the reserved domain name (in-addr.arpa or ip6.arpa) is added.

For instance, consider the IPv4 address 192.0.2.1. To put it in the necessary format, the order of its bytes (one byte being a representation of 8 bits) is inverted and the domain name is added, and the result is: 1.2.0.192.in-addr.arpa.

The important point is that IPv4 byte boundaries should be respected when doing inverse DNS delegation. Considering this, it is possible to do inverse delegation for the first byte of an IP block, which would represent a /8 IPv4 block; for the second byte, which would represent a /16 IPv4 block; and for the third byte, which would represent a /24 IPv4 block.

That is why only the delegation of blocks with a prefix of /16 or /24 is allowed in the LACNIC DNS servers.

If an organization receives blocks with a prefix from /24 to /17, it will be possible to delegate the inverse resolution for each /24.

Organizations that receive /16 IPv4 blocks or even shorter prefixes (larger blocks) will only be able to delegate /16s. Any /24 delegation for blocks inside the allocated block should be done in the organization's own DNS servers.

In the case of IPv6 blocks there is no such restriction. It is possible to delegate any prefix of 4 bits or its multiples (8, 12, 16, etc.). This is due to the way inverse delegation is done for IPv6 addresses, which contain 128 bits represented as hexadecimal numbers in 8 sets of 16 bits each.

For instance, considering the IPv6 address 2001:0DB8:0000:0000:0000:0000:0000:0001, we would have the following representation when doing its inverse delegation:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa
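The naming and delegation rules described above, as an added Python example (not LACNIC's own code). The function names reverse_name and delegation_zones are hypothetical, and the sample blocks are constructed from documentation and benchmark address ranges.

```python
import ipaddress

def reverse_name(addr):
    """Reverse-lookup name for one IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels, suffix = str(ip).split("."), "in-addr.arpa"   # one label per byte
    else:
        # one label per hex digit (4 bits); DNS names are case-insensitive
        labels, suffix = list(ip.exploded.replace(":", "")), "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix

def delegation_zones(prefix):
    """Reverse zones to delegate for an allocated block, per the rules above."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 6:
        # IPv6: any prefix that is a multiple of 4 bits maps to one zone
        if net.prefixlen == 0 or net.prefixlen % 4:
            raise ValueError("IPv6 delegation must fall on a 4-bit boundary")
        digits = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
        return [".".join(reversed(digits)) + ".ip6.arpa"]
    if net.prefixlen > 24:
        # only /16 and /24 zones are delegated, so a longer prefix has no zone
        raise ValueError("IPv4 blocks longer than /24 cannot be delegated")
    # /16 or shorter prefixes are delegated as /16s, /17 to /24 as /24s
    unit = 16 if net.prefixlen <= 16 else 24
    zones = []
    for sub in net.subnets(new_prefix=unit):
        octets = str(sub.network_address).split(".")[: unit // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

if __name__ == "__main__":
    for sample in ("192.0.2.1", "2001:db8::1"):
        print(sample, "->", reverse_name(sample))
    for block in ("192.0.2.0/24", "198.18.0.0/15", "2001:db8::/32"):
        print(block, "->", delegation_zones(block))
```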