Public DNS PTR Records

So I never really thought about it, but in order to set up PTR records for public IP(s), you would need to supply your ISP with NS records, similar to how you set up glue records with your domain registrar.

For technical details, see: /29 classless reverse delegation BIND | System/Network daily engineering by Simo R

My question is, does anyone actually do this? PTR records are often desired in private DNS, but for public-facing DNS (websites, VPN, etc.), does it ever really matter? I suspect there are situations where it would matter, but I can't think of them specifically.

This was a big TIL for me today. I didn’t really understand how classless PTR syntax worked, nor did I realize there were multiple options.

named.conf:

// RFC 2317 classless reverse zone for 192.168.0.0/27 (hosts .0 through .31).
// The ISP's 0.168.192.in-addr.arpa zone must delegate this name (NS) and
// alias each classful PTR name into it (CNAME) using exactly this label.
zone "0-31.0.168.192.in-addr.arpa" IN {
        type master;
        file "master/192.168.0.0-31.db";
};

BIND understands this zone syntax, as well as if we had written it as "0/27.0.168.192.in-addr.arpa".
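To make the two halves of the delegation concrete, here is an added example (not code from the original post) that generates what the ISP has to put in its classful /24 reverse zone and what the customer puts in the delegated zone file. It assumes a /25-/32 block inside one /24, and the nameserver, hostmaster and PTR target names it uses are hypothetical placeholders.

```python
"""Generate both halves of an RFC 2317 classless in-addr.arpa delegation.

Added example, not from the original post. Assumes an IPv4 block of /25 to /32
inside a single /24; nameserver and hostmaster names are chosen by the caller.
"""
import ipaddress


def rfc2317_delegation(cidr: str, child_ns: list[str], style: str = "dash"):
    """Return (child_zone_name, parent_zone_lines).

    parent_zone_lines is what the ISP adds to its /24 reverse zone: an NS
    delegation for the child zone plus one CNAME per address that aliases the
    classful PTR name (e.g. 5.0.168.192.in-addr.arpa.) into the child zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("RFC 2317 applies to IPv4 in-addr.arpa only")
    if not 25 <= net.prefixlen <= 32:
        raise ValueError("a /24 or larger is delegated classfully; "
                         "only /25-/32 needs the classless trick")
    if not child_ns:
        raise ValueError("at least one child nameserver is required")

    o1, o2, o3, first = (int(x) for x in str(net.network_address).split("."))
    last = first + net.num_addresses - 1
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    # Both label styles are legal: the label is opaque to DNS, "/" included.
    # The ISP's CNAMEs must use exactly the label the customer's zone uses.
    label = f"{first}-{last}" if style == "dash" else f"{first}/{net.prefixlen}"
    child_zone = f"{label}.{parent_zone}"

    lines = [f"{child_zone} IN NS {ns}" for ns in child_ns]
    for host in range(first, last + 1):
        lines.append(f"{host}.{parent_zone} IN CNAME {host}.{child_zone}")
    return child_zone, lines


def child_zone_file(child_zone: str, ptr_map: dict[int, str],
                    primary_ns: str, hostmaster: str) -> str:
    """Render the customer's zone file for the delegated block.

    ptr_map maps the last octet of each address to the absolute FQDN its PTR
    should return. Relative owner names resolve under $ORIGIN, so "5" becomes
    5.<child_zone>, which is where the ISP's CNAME for .5 points.
    """
    out = [
        f"$ORIGIN {child_zone}",
        "$TTL 3600",
        f"@ IN SOA {primary_ns} {hostmaster} ( 2024010101 7200 900 1209600 3600 )",
        f"@ IN NS {primary_ns}",
    ]
    for host, fqdn in sorted(ptr_map.items()):
        if not fqdn.endswith("."):
            raise ValueError(f"PTR target must be absolute (trailing dot): {fqdn}")
        out.append(f"{host} IN PTR {fqdn}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Hypothetical names; the block is the one from the post above.
    child, parent_lines = rfc2317_delegation("192.168.0.0/27", ["ns1.example.net."])
    print("; --- ISP adds to 0.168.192.in-addr.arpa ---")
    print("\n".join(parent_lines))
    print("; --- customer zone file for", child, "---")
    print(child_zone_file(child, {5: "mail.example.net.", 10: "vpn.example.net."},
                          "ns1.example.net.", "hostmaster.example.net."))
```

The CNAME side is the part that is easy to get wrong: if the ISP writes `0-31` and the customer's zone is named `0/27` (or vice versa), every PTR lookup dead-ends on the alias, so confirm the exact label with the ISP before cutting over.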

Yes, for email servers. SMTP servers commonly treat an incoming connection as an indication of a misconfigured/spam sender (adding points to the "spam score") if the A/PTR records do not match, or if the PTR record does not match the hostname given in the EHLO command that identifies the remote server.

Recommendations:

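The check described in the reply above, as an added example that is not part of the original post: a forward-confirmed reverse DNS (FCrDNS) plus EHLO comparison of the kind an inbound MTA runs on each connection. The DNS answers come from a constructed in-memory table so it runs offline; the point values are this example's own, not any real filter's.

```python
"""FCrDNS and EHLO/PTR consistency scoring for an inbound SMTP connection.

Added example, not from the original post. DNS data below is constructed;
203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges and the
hostnames are hypothetical. A real MTA would query its resolver instead.
"""
import ipaddress

# Constructed sample answers, keyed by (owner name, record type).
FAKE_DNS = {
    # .10: PTR and A agree, and the host announces itself with the same name.
    ("10.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["203.0.113.10"],
    # .11: PTR exists but its A record points at a different address.
    ("11.113.0.203.in-addr.arpa.", "PTR"): ["bad.example.org."],
    ("bad.example.org.", "A"): ["198.51.100.7"],
    # .12: generic ISP PTR that is forward-confirmed, but not what the host says in EHLO.
    ("12.113.0.203.in-addr.arpa.", "PTR"): ["static-12.isp.example."],
    ("static-12.isp.example.", "A"): ["203.0.113.12"],
    # .13 deliberately has no PTR at all.
}


def lookup(name: str, rtype: str) -> list[str]:
    """Stand-in resolver: returns the constructed answers or an empty list."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def reverse_name(ip: str) -> str:
    """'203.0.113.10' -> '10.113.0.203.in-addr.arpa.' (works for IPv6 too)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_score(ip: str, ehlo_name: str, resolve=lookup):
    """Return (points, reasons) for a connecting IP and the name it sent in EHLO.

    Higher points means more spam-like. The checks, in order:
      1. no PTR at all                         -> +3 (nothing else can be checked)
      2. no PTR target has an A record == ip   -> +2 (not forward-confirmed)
      3. EHLO name is not one of the PTR names -> +1
      4. EHLO name does not resolve to ip      -> +1
    """
    points, reasons = 0, []
    ptrs = [p.lower() for p in resolve(reverse_name(ip), "PTR")]
    if not ptrs:
        return 3, ["no PTR record"]

    # Forward confirmation: at least one PTR target must resolve back to ip.
    if not any(ip in resolve(p, "A") for p in ptrs):
        points += 2
        reasons.append("PTR not forward-confirmed")

    ehlo = ehlo_name.rstrip(".").lower() + "."
    if ehlo not in ptrs:
        points += 1
        reasons.append("EHLO hostname does not match PTR")
    if ip not in resolve(ehlo, "A"):
        points += 1
        reasons.append("EHLO hostname does not resolve to connecting IP")
    return points, reasons


if __name__ == "__main__":
    for ip, ehlo in [("203.0.113.10", "mail.example.org"),
                     ("203.0.113.11", "bad.example.org"),
                     ("203.0.113.12", "mail.example.org"),
                     ("203.0.113.13", "whatever.example")]:
        print(ip, ehlo, fcrdns_score(ip, ehlo))
```

Note that the .12 case is the one a small business on an ISP-assigned address usually hits: the ISP's generic PTR is forward-confirmed, so the connection is not penalised as badly as having no PTR, but it still loses a point or two because the name the mail server announces is not the name the address reverses to. That is exactly what getting the PTR set to your own mail hostname fixes.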

Any idea how receptive a major ISP is to configuring this for a small business customer? I'll try to ask them, but I foresee resistance. It would probably take 2 hours to get to someone who has any idea what a PTR record even is.

If you have static IPs, they should allow it, because email.


I've got public PTR records, but they're set via my ISP's DNS, which provides a web UI for it (enterprise service). Their NS is authoritative for the IP space/reverse zone, so the records live on the ISP's DNS.

I set them up... 10 years ago, and haven't bothered with the other connections through other ISPs I now have.

About the only thing I remember it being useful for was a better spam-filtering score back then (for my outbound SMTP). 99.999% of shit simply doesn't care, and if you have cloud-hosted mail these days (or even just use a smart host or other relay for outbound SMTP), my suggestion would be "don't even bother".

It matters much less these days, as security/anti-spam/etc. is done via TLS, SPF, DMARC, etc. rather than just by matching reverse DNS.

How often do you rotate the ZSK and KSK keys, and do you bother with DS records for the PTR zone (or do you bother with DNSSEC at all)?

Good to know.

Never bothered with DNSSEC, tbh.

I've messed with it and figured out how to set it up, but I have been fine without it so far. For anything security-critical (firewall rules, etc.), I generally just don't trust DNS.

TLS handles security anyway? i.e., a forged DNS response = the website/service won't have the proper cert anyway, etc.
