Showing posts with label Reverse DNS. Show all posts
Showing posts with label Reverse DNS. Show all posts

Thursday, November 26, 2020

How does Reverse DNS work behind the scene - a layman explanation

Ever wonder what actually happen behind the scene when you do a reverse DNS query?

It is quick and it return a value.

 $ time dig -x 8.8.8.8 +short  
 dns.google.  
 real     0m0.019s  
 user     0m0.005s  
 sys     0m0.005s

In this article, I will explain to you want happen behind the scene.

when the query pass to your resolver, what your resolver does, when you ask it for the ptr (which is 8.8.8.8.in-addr.arpa )

 $ dig ptr 8.8.8.8.in-addr.arpa @a.root-servers.net  

which will tell them: "I don't know about in-addr.arpa - you need to ask the in-addr.arpa server" which correspond to

 ;; AUTHORITY SECTION:  
 in-addr.arpa.          172800     IN     NS     a.in-addr-servers.arpa.  
 in-addr.arpa.          172800     IN     NS     b.in-addr-servers.arpa.  
 in-addr.arpa.          172800     IN     NS     c.in-addr-servers.arpa.  
 in-addr.arpa.          172800     IN     NS     d.in-addr-servers.arpa.  
 in-addr.arpa.          172800     IN     NS     e.in-addr-servers.arpa.  
 in-addr.arpa.          172800     IN     NS     f.in-addr-servers.arpa.  

then the resolver asks one or more of them:


dig ns 8.8.8.8.in-addr.arpa @a.in-addr-servers.arpa

again, it will get delegated to the next servers, which handle "8.in-addr.arpa"


8.in-addr.arpa.		86400	IN	NS	arin.authdns.ripe.net.
8.in-addr.arpa.		86400	IN	NS	z.arin.net.
8.in-addr.arpa.		86400	IN	NS	y.arin.net.
8.in-addr.arpa.		86400	IN	NS	r.arin.net.
8.in-addr.arpa.		86400	IN	NS	x.arin.net.
8.in-addr.arpa.		86400	IN	NS	u.arin.net.

the game continues:


dig ns 8.8.8.8.in-addr.arpa @z.arin.net

"you gotta ask level 3, they know about 8.8.in-addr.arpa"


8.8.in-addr.arpa.	86400	IN	NS	ns1.level3.net.
8.8.in-addr.arpa.	86400	IN	NS	ns2.level3.net.

and the final delegation from level 3 is to the google nameservers:


dig ns 8.8.8.8.in-addr.arpa @ns1.level3.net

[...]

;; AUTHORITY SECTION:
8.8.8.in-addr.arpa.	3600	IN	NS	ns4.google.com.
8.8.8.in-addr.arpa.	3600	IN	NS	ns2.google.com.
8.8.8.in-addr.arpa.	3600	IN	NS	ns3.google.com.
8.8.8.in-addr.arpa.	3600	IN	NS	ns1.google.com.

and only from them will you get the final anser for 8.8.8.8:

 dig PTR 8.8.8.8.in-addr.arpa @ns1.google.com  
 ; <<>> DiG 9.10.6 <<>> PTR 8.8.8.8.in-addr.arpa @ns1.google.com  
 ;; global options: +cmd  
 ;; Got answer:  
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20871  
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1  
 ;; WARNING: recursion requested but not available  
 ;; OPT PSEUDOSECTION:  
 ; EDNS: version: 0, flags:; udp: 512  
 ;; QUESTION SECTION:  
 ;8.8.8.8.in-addr.arpa.          IN     PTR  
 ;; ANSWER SECTION:  
 8.8.8.8.in-addr.arpa.     86400     IN     PTR     dns.google.  
 ;; Query time: 132 msec  
 ;; SERVER: 2001:4860:4802:32::a#53(2001:4860:4802:32::a)  
 ;; WHEN: Thu Nov 26 10:53:58 CET 2020  
 ;; MSG SIZE rcvd: 73  

That's it!