Forward vs Reverse DNS Lookup Zones: Do You Need Both?
An understanding of network services is required for CompTIA Network+ certification. Among the most important of these are DNS services, including Forward and Reverse DNS Lookup Zones. A Forward Lookup Zone maps a domain name to its IP address. A Reverse Lookup Zone, on the other hand, maps an IP address back to its domain records. These may seem simple, but they are powerful tools for securing your network and identifying where visitors are coming from.
Let's explore the differences between these DNS Lookup Zones and how and when they are used.
Understanding DNS Zones
If you can think of the Domain Name System (DNS) as a library — with indexes, bookshelves, and dictionaries — then DNS Zones are like separate, but connected, wings of a library.
What are DNS Records, and How are They Stored?
DNS Records are simply mappings from a name to either an IP address or a service. There are many types of records, but the most common ones are "A Records" and "CNAMEs." An A Record maps a name directly to an IP address. A CNAME record is an alias that maps one name to another.
Some common examples of DNS records are:
A Records are the most basic type of DNS record. A Records are used to point a domain or subdomain to an IP address.
CNAME records are used to point a domain or subdomain to another hostname.
Mail Exchanger (MX) records are used to help route email. MX records differ from A Records and CNAMEs in that they also require a "priority" value as a part of their entry.
A TXT record is used to store text-based information (e.g., to hold SPF data and verify domain ownership).
How records are stored depends entirely on the DNS software. Microsoft DNS Server is popular, particularly in topologies that already have Active Directory. It can store zones as plain text files, as can most other name servers, including BIND (the most popular name server software).
Alternatively, DNS servers that are part of an AD topology can store the records in AD itself. Other software, such as PowerDNS, can store these records in a SQL database. You'll need a sound understanding of DNS for the new CMMC certification.
DNS Zones and Subdomains
DNS Zones encompass all records for a domain. For example, a zone for xzy.com would contain records such as www.xzy.com, an MX record for xzy.com, and possibly other records such as mail.xzy.com.
Subdomains are usually used to break out autonomous child domains so that administrative control over the subdomain can be handed to another managing entity. For example, you may have hq.xzy.com, under which all the headquarters DNS records live, such as server01.hq.xzy.com or server02.hq.xzy.com. Subdomains allow segmentation of DNS zones, usually by administrative function.
DNS Zone Files
A DNS Zone File is a text file that maps domain names to IP addresses. One example of a Zone File is a DNS master file that accurately describes a zone. Text DNS Zone Files are defined by RFCs 1034 and 1035. They are human-readable and editable. They vary somewhat in style: some admins prefer to write out the full record on each line, while others prefer shorthand.
Similar differences exist between management tools such as the Microsoft DNS GUI and others like Webmin. As long as the zone file works and is easily readable, it is usually best to keep the formatting that already exists. This will become more apparent further down in the examples.
When are DNS Zones Used
A DNS zone is given administrative responsibility for the domain name space in the DNS. DNS Zones are used any time a domain name wishes to have DNS records. It is not uncommon for organizations to have internal zones that are not publicly accessible and only hosted on internal DNS servers. Active Directory is a prime example of an internal zone that isn't publicly accessible.
There are two types of DNS zones: a forward lookup zone and a reverse lookup zone.
What is a Forward DNS Lookup Zone?
A forward lookup zone converts a name to an IP address or, at some point along the way, to another name. The important part is that you start with a name. In most cases, that name is eventually resolved to an IP address. This zone contains all the records mapping domain names to their IP addresses.
When to Use Forward DNS Lookup Zones
You will use a forward lookup zone anytime you have a name that you want to use instead of an IP address. You can create a record for how the name maps to the IP address in a forward lookup zone.
$TTL 86400 ; 24 hours
In the above zone file, we have quite a few lines. The Start of Authority (SOA) defines a few things about the zone. This is metadata, such as who has authority (the primary name server and the admin's email). It also holds the zone's serial number and the timers that control how long records are cached.
Further down, we have NS records that define the name servers hosting this domain. At the very top, we defined an $ORIGIN, which means that any name not terminated with a trailing period gets the $ORIGIN appended to it, such as the "mail" A Record.
What is a Reverse DNS Lookup Zone?
A Reverse Lookup Zone contains all the records mapping IP addresses to their domain names. It may seem too easy to define a reverse lookup as simply the opposite of a forward lookup, but that is exactly what it is. A reverse lookup zone is used any time you want to convert an IP address to a name.
When to Use Reverse DNS Lookup Zones
Reverse lookup zones should be implemented whenever possible. Implementation may be difficult for public IP addresses, because you need the owner of the IP space either to provide reverse lookup services for you or, if your address space is large enough, to delegate the subnet to you.
Having reverse lookup zones is often helpful for troubleshooting or investigating issues. Spam filters, many of which are in the cloud, may use reverse lookups to help distinguish business IP addresses from home user connections. They do this in one of two ways. First, if there is no reverse lookup, they may block the sender. Second, if the reverse lookup result contains specific keywords, they may block it. Keywords that may trigger blocking include words in the name that do not look like a business address.
Reverse DNS Lookup Zone Example
The following reverse zone is for 192.168.0.0/24, or 192.168.0.X. It is important to note that the zone name is actually 0.168.192.in-addr.arpa. The octets are reversed in the zone name so that each host's record can be written using just the last octet of its IP address.
$TTL 86400 ; 24 hours
@ IN SOA ns1.xzy.local. hostmaster.xzy.local. (
        2020081001 ; serial number
        900        ; refresh
        600        ; retry
        86400      ; expire
        3600 )     ; default TTL
@ NS ns1.openhospitality.com.
@ NS ns2.openhospitality.com.
2 PTR ns1.xzy.local.
3 PTR ns2.xzy.local.
10 PTR mail.xzy.local.
126.96.36.199.in-addr.arpa. PTR www.xzy.local.
This reverse zone has the typical boilerplate records at the top. The meat of it is the PTR records at the end, which can be written in one of two ways: the owner name can be just the last octet as a numeric value, or the entire record name with a trailing period.
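To tie the forward-zone $ORIGIN rule and the two PTR owner-name forms together, here is an added example (not part of the original article) that applies the $ORIGIN rule to a constructed reverse zone modelled on the one above, turns each PTR owner back into an IP address, and flags owners that fall outside the zone. The 192.168.0.1 record and the out-of-zone line are constructed additions; it also shows the IPv6 ip6.arpa form, which the article does not cover.

```python
import ipaddress

# Zone name from the article: the reverse zone for 192.168.0.0/24.
ORIGIN = "0.168.192.in-addr.arpa."

# Constructed sample modelled on the reverse zone above (SOA omitted). The
# absolute owner for 192.168.0.1 and the out-of-zone line are my additions.
REVERSE_ZONE = """\
$TTL 86400 ; 24 hours
@ NS ns1.xzy.local.
2 PTR ns1.xzy.local.
3 PTR ns2.xzy.local.
10 PTR mail.xzy.local.
1.0.168.192.in-addr.arpa. PTR www.xzy.local.
5.0.0.10.in-addr.arpa. PTR stray.xzy.local. ; not under $ORIGIN
"""

def reverse_name(ip: str) -> str:
    """Owner name a PTR for this address lives under (IPv4 or IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def qualify(owner: str, origin: str) -> str:
    """The $ORIGIN rule: a name without a trailing period gets the origin
    appended; '@' stands for the origin itself."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def ip_from_reverse_name(name: str) -> str:
    """Invert an IPv4 in-addr.arpa owner name back to dotted-quad form."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    return ".".join(reversed(labels[:-2]))

def parse_ptr_records(zone_text: str, origin: str):
    """Return ({ip: target}, [out-of-zone owners]) for the PTR lines.
    A name server ignores owners outside the zone origin, so report them."""
    ptrs, out_of_zone = {}, []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # strip comments, tokenize
        if "PTR" not in fields:
            continue
        owner = qualify(fields[0], origin)
        if not owner.endswith("." + origin):
            out_of_zone.append(owner)
            continue
        ptrs[ip_from_reverse_name(owner)] = fields[-1]
    return ptrs, out_of_zone
```

Calling parse_ptr_records(REVERSE_ZONE, ORIGIN) yields the four in-zone mappings plus the one ignored owner; reverse_name("2001:db8::1") shows the nibble-reversed ip6.arpa name used for IPv6.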
Forward and Reverse Records: Related But Not Synchronized
One important fact to understand about forward and reverse lookup records is that they live in separate zone files. On top of that, the relationship from forward to reverse is many-to-one, while the relationship from reverse to forward is one-to-one.
Basically, you can map many different names to a single IP address, and they will all resolve correctly. On the other hand, you can only effectively map any given IP address to a single name. When a DNS name has multiple values, DNS uses a feature called round-robin to return one of them, effectively at random.
For example, if you have two reverse records that map 192.168.0.1 to test1.xzy.local and test2.xzy.local, half of the time you do a reverse lookup on 192.168.0.1, it will return test1, and the other half, it will return test2.
All this is to say that the reverse records sometimes do not match the forward records perfectly, and this is one scenario that explains why.
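The mismatch described in this section is exactly what a mail filter's reverse-lookup check is looking for. The following added example (my code, not from the article) models the 192.168.0.1 scenario with constructed A and PTR records, simulates the rotating answers a client would see, and audits the two zones for the cases a filter or an admin would flag: no PTR, several PTRs for one address, and a PTR whose target has no A record pointing back (forward-confirmed reverse DNS).

```python
import random

# Constructed records modelled on the article's scenario: 192.168.0.1 has
# two PTR targets, but only test1 has an A record pointing back at it.
FORWARD = {                       # name -> set of A-record addresses
    "test1.xzy.local.": {"192.168.0.1"},
    "test2.xzy.local.": {"192.168.0.77"},
    "www.xzy.local.": {"192.168.0.1"},
    "mail.xzy.local.": {"192.168.0.10"},
}
REVERSE = {                       # ip -> list of PTR targets
    "192.168.0.1": ["test1.xzy.local.", "test2.xzy.local."],
    "192.168.0.10": ["mail.xzy.local."],
    "192.168.0.20": [],           # address with no PTR at all
}

def ptr_answers(ip: str, reverse: dict, rng=None) -> list:
    """Mimic round-robin: several PTRs come back in a rotating order, so a
    client that only reads the first answer sees a different name each time."""
    names = list(reverse.get(ip, []))
    (rng or random.Random()).shuffle(names)
    return names

def forward_confirmed(ip: str, forward: dict, reverse: dict) -> dict:
    """Forward-confirmed reverse DNS: a PTR target is confirmed only if one
    of its A records points back at the address being checked."""
    return {name: ip in forward.get(name, set()) for name in reverse.get(ip, [])}

def audit(forward: dict, reverse: dict) -> list:
    """List the forward/reverse mismatches a mail filter or admin would flag."""
    findings = []
    for ip, names in reverse.items():
        if not names:
            findings.append((ip, "no PTR record"))
        if len(names) > 1:
            findings.append((ip, "multiple PTR records; answers will rotate"))
        for name in names:
            if ip not in forward.get(name, set()):
                findings.append((ip, f"PTR {name} has no matching A record"))
    for name, ips in forward.items():          # many names, one address
        for ip in ips:
            if name not in reverse.get(ip, []):
                findings.append((ip, f"A record {name} has no PTR back"))
    return findings

if __name__ == "__main__":
    for _ in range(3):
        print("PTR 192.168.0.1 ->", ptr_answers("192.168.0.1", REVERSE)[0])
    for ip, problem in audit(FORWARD, REVERSE):
        print(ip, problem)
```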
Forward vs. Reverse DNS Lookup Zones: Do You Need Both?
Typically, when you need DNS services, your first and only thought is converting names to IP addresses via a forward lookup. The reverse lookup is usually an afterthought or something that is not well maintained. It is not required for forward lookups to work, but as mentioned above, some services may rely on it, such as mail services that query reverse lookup records to determine whether the source is a spammer. In other cases, it is helpful for things like traceroutes, to see the name associated with each IP address.