Should AAAA result match IPv6 Reverse DNS queries?
October 30, 2018 1:05 PM

Do any major domains (or just plain any) return the Fully Qualified Domain Name (that one might reasonably expect) when issuing
dig -x IPv6_address
where "IPv6_address" is the answer provided to a command line query like
dig AAAA Fully_Qualified_Domain_Name
?

I recently decided to get my IPv6 act together and asked my ISP to issue reverse DNS records for two of my machines.

For comparison, I decided to check how the professionals do it and so I issued
dig AAAA facebook.com
dig AAAA apple.com
dig AAAA amazon.com
dig AAAA netflix.com
dig AAAA google.com
and was quite surprised by most of the results.

Even more surprising to me were the results of doing reverse lookups on the IPv6 addresses that returned as answers to those queries. None of them appear to map back to the FQDN used in the original query!

For example, "dig AAAA google.com" yields "2607:f8b0:4005:808::200e" but "dig -x 2607:f8b0:4005:808::200e" yields "sfo03s07-in-x0e.1e100.net."

I'm not a networking expert but I thought I understood DNS and IPv6 well enough that… well, clearly I don't understand it well enough and, so, I'm asking this question.
posted by mistersquid to Computers & Internet (9 answers total) 1 user marked this as a favorite
 
Best answer: Using the Host HTTP header, any number of Web sites can be hosted on a server, each with their own domain name. Therefore, there is no way to map an IP address back to a single FQDN. The FQDN you're getting back from reverse queries is generally most useful to the owning organization who needs a huge number of unique names for its numerous servers. For example, 1e100.net is Google's (hence the 1e100, which is scientific notation for a googol) network. The hostname begins with sfo which is a hint it's probably physically located in San Francisco. The rest of it has meaning to Google's network engineers, no doubt, further nailing down what data center it's in, for example, and other characteristics such as what virtual machine in what blade in what server in what rack. The fact that you get this machine's IP address when doing a forward query for google.com means that it will serve up Google's search services, but it doesn't tell you what else is on that box.
posted by kindall at 1:24 PM on October 30, 2018


Best answer: Some info on 1e100.net.
posted by BungaDunga at 1:38 PM on October 30, 2018


Best answer: "google.com" is not a single server with a single IP address. It's a whole bunch of servers with a whole bunch of IP addresses, spread out all over the world.

When you do a lookup of "google.com", it tries to figure out where you are located, and returns the IP address of one of the servers that is closest to you, so that your interactions with google.com will go quicker.

In some instances, though, servers on the Internet do need to have a single, fixed IP address. DNS servers, for instance. If you do a lookup of one of Google's main DNS servers, you will find that the forward and reverse lookups refer to the same system:
$ host -t aaaa ns1.google.com
ns1.google.com has IPv6 address 2001:4860:4802:32::a
$ host 2001:4860:4802:32::a
a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.3.0.0.2.0.8.4.0.6.8.4.1.0.0.2.ip6.arpa domain name pointer ns1.google.com.
posted by 1970s Antihero at 1:38 PM on October 30, 2018


Best answer: This isn't even true for IPv4 A records, so I wouldn't expect IPv6 to be any different, really.
$ host -t a google.com
google.com has address 172.217.12.14
$ host 172.217.12.14
14.12.217.172.in-addr.arpa domain name pointer den02s02-in-f14.1e100.net.
There are only a few circumstances where you'd expect A/AAAA and PTR records to actually match, and that's for servers that send mail out with SMTP. For example, here's the last SMTP server that sent mail to my personal email address:
$ host -t a mail-qk1-f169.google.com
mail-qk1-f169.google.com has address 209.85.222.169
$ host 209.85.222.169
169.222.85.209.in-addr.arpa domain name pointer mail-qk1-f169.google.com.

posted by zsazsa at 1:52 PM on October 30, 2018


Best answer: The web is largely served by CDNs, and due to the way things have evolved, as noted by previous posters, it isn't really viable to have this sort of mapping for many web-serving hosts. A PTR should only be mapped to a single A/AAAA, so devices like shared webservers or load balancers are problematic.

There's also a whole generation or two of administrators who found dealing with IN-ADDR.ARPA to be frustrating, sometimes impossible, inscrutable, heard about "security issues," etc., or my longtime favorite, were just plain old lazy, and since very few things really require matching forward and reverse DNS, large swaths of the Internet do not carry meaningful matching mappings, or only carry machine-generated generic ones.

Any IP that has a specific purpose can and probably should have matching forward and reverse DNS. Some of us actually still make that effort.

If you return a PTR for a given IP address, when you perform a forward lookup on that response, it should list that IP address in the results. This is required where DNS validation is used, and is really something you should always do.
posted by jgreco at 3:15 PM on October 30, 2018


Response by poster: You all have provided so many amazing answers to my question. All of these answers are incredible. I want to mark them all as best because, in actuality, all of you ARE THE BEST (but I'm going to respect the spirit/letter of "the best" this time).

zsazsa hits squarely on the reason I'm setting up PTR records on IPv6 (i.e. SMTP server) which is forecast by 1970s Antihero's comment
"In some instances, though, servers on the Internet do need to have a single, fixed IP address. DNS servers, for instance"
and reflected by jgreco's comment that
"Any IP that has a specific purpose can and probably should have matching forward and reverse DNS."
I also am taking under advisement jgreco's suggestion that DNS validation "is really something you should always do".

Who knew 1e100.net had its own Google Help FAQ entry? BungaDunga, that's who.

I also really appreciate the detail kindall provided on my arbitrarily singling out Google's IPv6 reverse DNS details.
posted by mistersquid at 4:35 PM on October 30, 2018


Response by poster: I changed my mind. These are all the best.
posted by mistersquid at 4:41 PM on October 30, 2018 [1 favorite]


Most large websites don't have rDNS that resolves to the name you'd expect even when there isn't any sharing of resources between services. Google has been using 1e100 in IPv4 rDNS since very nearly the beginning.

Their mail servers, along with nearly everyone else's, on the other hand, reverse resolve "correctly" since so many anti spam tools care.
posted by wierdo at 7:29 PM on October 30, 2018


jgreco: A PTR should only be mapped to a single A/AAAA

[citation needed]

As far as I understand DNS, there's no limit on the number of PTR records a given IP address can have.

"Any IP that has a specific purpose can and probably should have matching forward and reverse DNS. Some of us actually still make that effort."

Google does make that effort:
[romer@toast ~]$ dig +short -x 216.58.195.78
sfo07s16-in-f78.1e100.net.
sfo07s16-in-f14.1e100.net.
[romer@toast ~]$ dig +short A sfo07s16-in-f78.1e100.net
216.58.195.78
[romer@toast ~]$ dig +short A sfo07s16-in-f14.1e100.net
216.58.195.78
posted by hanov3r at 2:01 PM on November 1, 2018
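
The forward-confirmed reverse DNS check that jgreco describes and hanov3r's output demonstrates, as an added Python example that is not part of any post in this thread. The lookup tables are constructed stand-ins for live DNS: the google.com and 1e100.net records repeat answers quoted above, the 2001:db8:: and example.net records are made up, and the function names are this example's own.

```python
import ipaddress

def reverse_name(ip):
    """Owner name of the PTR record for ip (in-addr.arpa or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed stand-in for live DNS so the check runs offline. Google and
# 1e100.net records repeat answers quoted in the thread; 2001:db8:: and
# example.net records are made up for this example.
FORWARD = {  # name -> A/AAAA answers
    "ns1.google.com.": ["2001:4860:4802:32::a"],
    "sfo07s16-in-f78.1e100.net.": ["216.58.195.78"],
    "sfo07s16-in-f14.1e100.net.": ["216.58.195.78"],
    "mail.example.net.": ["2001:db8:0:0::25"],   # same address, other spelling
    "host-53.example.net.": ["2001:db8::99"],    # forward points elsewhere
}
REVERSE = {  # PTR owner name -> PTR targets
    reverse_name("2001:4860:4802:32::a"): ["ns1.google.com."],
    reverse_name("216.58.195.78"): ["sfo07s16-in-f78.1e100.net.",
                                    "sfo07s16-in-f14.1e100.net."],
    reverse_name("2001:db8::25"): ["mail.example.net."],
    reverse_name("2001:db8::53"): ["host-53.example.net."],
}

def lookup_ptr(ip):
    return REVERSE.get(reverse_name(ip), [])

def lookup_addrs(name):
    return FORWARD.get(name, [])

def fcrdns(ip, ptr=lookup_ptr, addrs=lookup_addrs):
    """Return the PTR names for ip whose forward lookup lists ip again."""
    want = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        # Compare parsed addresses, not strings, so zero-compressed and
        # expanded spellings of one IPv6 address count as equal.
        if any(ipaddress.ip_address(a) == want for a in addrs(name)):
            confirmed.append(name)
    return confirmed

def matches_expected(ip, hostname):
    """Stricter check: one confirmed PTR must equal the expected name."""
    fq = hostname.rstrip(".").lower() + "."
    return fq in (n.lower() for n in fcrdns(ip))

if __name__ == "__main__":
    for ip in ("2001:4860:4802:32::a", "216.58.195.78", "2001:db8::53"):
        print(ip, reverse_name(ip), fcrdns(ip))
```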

