Reverse DNS lookups in an AWS VPC
How to configure reverse DNS lookups for internal IP addresses in an AWS VPC
The increasing adoption of cloud technology by companies reveals that many are not fully prepared for cloud migration. While this is not necessarily a negative thing, it does indicate the need for certain measures to ensure successful cloud implementation. One such measure is the utilization of reverse DNS lookups.
What is a reverse DNS lookup?
A reverse DNS lookup is the opposite of a normal DNS lookup. Instead of taking a domain name and returning an IP address, a reverse DNS lookup takes an IP address and returns a domain name. This process is valuable for various reasons, with the most common being IP address verification. It is commonly used to validate the authenticity of email sources by confirming they originate from the claimed domain. Additionally, reverse DNS lookups can be used internally to verify the legitimacy of a server.
An example of an application relying on reverse DNS lookups is the PostgreSQL database. PostgreSQL utilizes reverse DNS lookups to authenticate the client's IP address. If the IP address is found to be different than expected, PostgreSQL rejects the connection. This security feature prevents attackers from falsifying the IP address of a client.
How does a reverse DNS lookup work?
To understand reverse DNS lookups, let's perform one and observe the process. We can conduct a reverse DNS lookup on the IP address 188.8.131.52 using the dig command with its -x option:

$ dig -x 184.108.40.206
;; ANSWER SECTION:
0.81.110.193.in-addr.arpa. 119 IN PTR dns0.eu.
As evident from the output, the reverse DNS lookup returns the domain name dns0.eu. Notice how the provided IP address is reversed and appended to the in-addr.arpa domain. This is the standard approach for performing reverse DNS lookups. You can construct the name manually by reversing the octets of the IP address and prepending the result to the domain in-addr.arpa. For instance, the IP address 220.127.116.11 would become 18.104.22.168.in-addr.arpa. Conducting a DNS lookup on this name yields the reverse DNS lookup result. The record type used for reverse DNS lookups is PTR, which stands for pointer. The PTR record points to the domain name associated with the IP address.
You can perform a manual reverse DNS lookup using the dig command by querying the constructed name for a PTR record:

$ dig 22.214.171.124.in-addr.arpa PTR
;; ANSWER SECTION:
126.96.36.199.in-addr.arpa. 33 IN PTR smtp02.us-west-2.mail-perimeter.amazon.com.
How do I configure reverse DNS lookups in AWS?
AWS provides a service called Route 53 that lets you configure DNS records for your domain, including the PTR records used for reverse DNS lookups. Because the requests in this example are internal to the VPC, the records must live in an Internal Hosted Zone associated with that VPC. Follow these steps to create an Internal Hosted Zone:
- Go to the Route 53 console.
- Click on the "Create Hosted Zone" button.
- Enter the domain name and a comment when prompted. The domain name should consist of the first two or three octets of the CIDR block, reversed and followed by in-addr.arpa, depending on the size of the block you want to create reverse records for. For instance, if you aim to create reverse records for the 10.123.0.0/16 CIDR block, you would use 123.10.in-addr.arpa as the domain name. The comment is optional, but providing one is recommended so that the Hosted Zone is easy to identify later.
Once the Hosted Zone is created, you need to create a record set for each IP address in the CIDR block. Follow these steps:
- Click on the "Create Record Set" button.
- Fill in the name, type, and value fields. The name should be the remaining octets of the IP address in reverse order, relative to the zone. For example, to create a reverse record for the IP address 10.123.40.50 in the zone 123.10.in-addr.arpa, you would enter 50.40 as the name. The type should be PTR, and the value should be the domain name you want to associate with the IP address. For instance, to associate the IP address 10.123.40.50 with the domain name smtp.example.com, you would enter smtp.example.com as the value.
DNS records in Internal Zones are immediately available to your VPC DNS resolver. You can test this by performing a reverse DNS lookup on the IP address 10.123.40.50 from an instance inside the VPC:

$ dig -x 10.123.40.50
;; ANSWER SECTION:
188.8.131.52.in-addr.arpa. 300 IN PTR smtp.example.com.
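As an added example (not code from the original article), the following Python derives the zone and record names from the steps above for any octet-aligned block, builds the change batch that the Route 53 ChangeResourceRecordSets API accepts for the PTR record, and performs the forward-confirmation check that applications such as PostgreSQL apply to a reverse lookup. The 10.123.0.0/16 block, the host 10.123.40.50, the hostname smtp.example.com and the injected resolver are assumed sample values.

```python
import ipaddress
import json
from typing import Callable, Iterable, Tuple

# Added example, not the article's code. Assumed sample values: the 10.123.0.0/16 block,
# the host 10.123.40.50 and the hostname smtp.example.com from the article's steps.

def reverse_zone(cidr: str) -> str:
    """Hosted zone name for an octet-aligned IPv4 block (/8, /16 or /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        # in-addr.arpa zones cut on octet boundaries; a /20 needs the enclosing /16 zone.
        raise ValueError("block must be an octet-aligned IPv4 network (/8, /16 or /24)")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"

def ptr_name(ip: str, zone: str) -> Tuple[str, str]:
    """Return (record name relative to the zone, fully qualified PTR owner name)."""
    fqdn = ipaddress.ip_address(ip).reverse_pointer  # e.g. 50.40.123.10.in-addr.arpa
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{ip} is not covered by zone {zone}")
    return fqdn[: -len(suffix)], fqdn

def ptr_change_batch(ip: str, zone: str, hostname: str, ttl: int = 300) -> dict:
    """ChangeBatch accepted by Route 53 ChangeResourceRecordSets for one PTR record."""
    _, fqdn = ptr_name(ip, zone)
    record = {"Name": fqdn + ".", "Type": "PTR", "TTL": ttl,
              "ResourceRecords": [{"Value": hostname.rstrip(".") + "."}]}
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": record}]}

def forward_confirmed(ip: str, ptr_target: str,
                      resolve_a: Callable[[str], Iterable[str]]) -> bool:
    """Forward-confirmed reverse DNS: the PTR hostname must resolve back to the IP.
    resolve_a is injected (e.g. a wrapper around socket.gethostbyname_ex) so the
    check can be exercised offline with a constructed resolver."""
    return ip in {str(ipaddress.ip_address(a)) for a in resolve_a(ptr_target)}

if __name__ == "__main__":
    zone = reverse_zone("10.123.0.0/16")
    print(zone, ptr_name("10.123.40.50", zone))
    print(json.dumps(ptr_change_batch("10.123.40.50", zone, "smtp.example.com"), indent=2))
```

The printed batch can be saved to a file and applied with aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://batch.json; UPSERT makes the call idempotent.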
Reverse DNS lookups are a valuable tool for verifying the authenticity of an IP address. They are commonly employed to validate the source domain of an email, but they can also be used internally to authenticate servers. In this article, we explored the process of configuring reverse DNS lookups in an AWS VPC using Route 53. We also demonstrated how to perform a manual reverse DNS lookup using the dig command. I hope you found this article informative and useful. If you have any questions or comments, please feel free to reach out.