Reverse Resolution

DNS resolution is most often used to translate names into IP addresses, but it can also be used in other ways. Reverse resolution, for instance, is used to translate IP addresses into names.

Why should we configure reverse resolution?

Also known as reverse lookup, reverse resolution was initially used as a server security mechanism. It was used to compare the results of a reverse lookup to the forward resolution (name to IP address). If the results matched, remote access to the server would be granted.

Currently, certain FTP servers do not allow connections from IP addresses for which reverse resolution has not been configured.

Likewise, some HTTP servers (web servers) are configured to perform reverse resolution when a device initiates a connection. This information is logged for future processing or for statistical purposes. In these cases, when the IP address of the device has no reverse resolution information, the connection is delayed by the time it takes to attempt the reverse resolution.

In addition, it is increasingly common to find email servers configured to perform reverse resolution as part of the procedure for monitoring spam and the presence of viruses.

Reverse resolution is also used by traceroute, a tool that traces the path between two points on the Internet. This tool shows the intermediate points between the start and end points. If reverse resolution has been configured for the IP addresses, the name of each of these points will be displayed. This helps identify intermediary networks and pinpoint potential problem spots.

LACNIC recommends configuring reverse resolution for the IP blocks for which your organization is responsible. Special domain names have been created for reverse resolution: for IPv4 blocks and for IPv6 blocks.

To insert the IP address within the DNS name hierarchy, a name must be created to represent the address within this structure.

Under the DNS name hierarchy, the leftmost portions of a domain name are the most specific, while the rightmost portions are the least specific. In the case of IP addresses, however, the opposite is true: the most specific portions are located to the right.

This requires reversing each part of the IP address and then adding the domain name reserved for reverse resolution ( or

For example, consider the IPv4 address Converting this address to the necessary format requires reversing each byte (1 byte equals 8 bits) and adding the reverse resolution domain at the end:

Note that reverse DNS delegation of IPv4 addresses must respect the byte boundaries for each part of the IP address. In other words, it is possible to perform reverse DNS lookups on the first byte, which represents a /8 block; on the second byte, which represents a /16 block; or on the third byte, which represents a /24 block.

This is why only /24 or /16 block delegations are registered in LACNIC's DNS servers. Organizations receiving IP address blocks with prefixes from a /24 to a /17 can perform the DNS delegation of each /24 block contained in the block they were assigned, directly on LACNIC's server.

Likewise, an organization receiving blocks with a /16 or shorter prefix may only delegate the /16 blocks contained in their assigned prefix.

The /24 blocks contained in each /16 must be delegated in the organization's own DNS server.

A similar restriction applies in the case of IPv6 addresses. Each 4-bit data nibble (representing half of a data byte) of an IPv6 address can be delegated.

Supposing that a /32 is received, this address range may only be delegated in its entirety. If a /33 is received, the entire /33, or longer prefixes up to a /36 contained within the /33, may be delegated.
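The naming and boundary rules above can be checked with a short script. This is an added example, not LACNIC tooling: it lists the reverse zones that cover an assigned block, using the page's /16 and /24 rule for IPv4 and rounding IPv6 prefixes up to the next nibble. The function names are hypothetical, the `in-addr.arpa` and `ip6.arpa` suffixes come from Python's standard `ipaddress` module, and the sample blocks are constructed from documentation and private ranges.

```python
import ipaddress


def ptr_name(address: str) -> str:
    """Name queried for the PTR record of one address (parts reversed)."""
    return ipaddress.ip_address(address).reverse_pointer


def delegation_boundary(net) -> int:
    """Prefix length at which reverse zones for `net` are delegated."""
    if net.version == 4:
        if net.prefixlen > 24:
            raise ValueError("IPv4 blocks longer than /24 are not covered by the text")
        # Rule from the text: /16 or shorter -> /16 zones, /17 to /24 -> /24 zones.
        return 16 if net.prefixlen <= 16 else 24
    # IPv6: round the prefix length up to the next 4-bit nibble boundary.
    return -(-net.prefixlen // 4) * 4


def reverse_zones(cidr: str) -> list[str]:
    """Reverse zone names that together cover the assigned block `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    boundary = delegation_boundary(net)
    bits_per_label = 8 if net.version == 4 else 4
    # Labels to the left of the zone cut identify hosts inside the zone.
    host_labels = (net.max_prefixlen - boundary) // bits_per_label
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[host_labels:]))
    return zones


if __name__ == "__main__":
    # Constructed sample blocks, not real assignments.
    for block in ("198.51.100.0/22", "10.0.0.0/15", "2001:db8::/32", "2001:db8::/34"):
        print(block)
        for zone in reverse_zones(block):
            print("   ", zone)
```

A block passed with host bits set (for example `198.51.100.1/22`) raises `ValueError`, which catches a common mistake when preparing delegation requests.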