Pfsense and PTR

  • I tried to search this forum and Google for information about how to set PTR records. Right now we actually own a few class Cs, but they are controlled by a Mikrotik, which does not have the capability to add a PTR record for an IP address.
    Also, since we started hosting other people's webpages we got a few complaints that their mail is not delivered to its destination. Further investigation showed that it's because of a missing PTR. I've looked and googled and tried to set a PTR record on our server, but setting up a PTR record, it seems, is done on the router that controls the IP addresses (in our case it's the Mikrotik) and not on the server that hosts other people's websites. Am I getting this right? Also, will pfsense help us set this PTR record if all IP addresses are controlled by it?
    Thank you very much.

  • I really don't want to be annoying or anything like that, but PTR or the reverse DNS thing is really new to us, and we searched not only this site to find the answer we are looking for. It's like everyone managed to set it up but no one knows how. Wherever I asked about the PTR I got the same answer: your datacenter that holds your IPs has to set the PTR for you. OK, so we asked the people responsible for delivering us those IPs and they said that we hold those IPs and that we have to set it up. This is like a magic circle, no beginning and no end. It's a little bit frustrating, but I'm sure someone has a simple answer. Plus, if someone here has ever set up a PTR and could write a little how-to, I think it would be valuable info for everyone. :D

  • LAYER 8 Global Moderator

    You can set the PTR just fine on pfsense dns forwarder.  It will be there by default actually - see attached image

    But your problem sounds like it's a public IP. To set a PTR for your public IP you need to have the people that control the netblock with, say in the US this is controlled by ARIN, and you can look up who controls your IP range using a simple whois.

    so for example here is my public IP PTR - snipped the last couple of octets for privacy

    ;     IN      PTR

    ;; ANSWER SECTION:
     7200 IN      PTR

    This netblock is owned by comcast


    The following results may also be obtained via:;q=

    Comcast Cable Communications ILLINOIS-14 (NET-24-12-0-0-1) -
    Comcast Cable Communications, Inc. EASTERNSHORE-1 (NET-24-0-0-0-1) -

    ARIN WHOIS data and services are subject to the Terms of Use

    available at:

    You can find the NS for your PTR zone via simple NS query

    ; <<>> DiG 9.9.0 <<>> NS
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29240
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

    ; EDNS: version: 0, flags:; udp: 4000
    ;            IN      NS

    ;; ANSWER SECTION:
         7200    IN      NS
         7200    IN      NS
         7200    IN      NS
         7200    IN      NS
         7200    IN      NS

    ;; ADDITIONAL SECTION:
         6205    IN      A
         1540    IN      AAAA    2001:558:100e:5:68:87:72:244
         451     IN      A
         1627    IN      AAAA    2001:558:1014:c:68:87:76:228
         6194    IN      A
         1530    IN      AAAA    2001:558:1004:7:68:87:85:132
         6025    IN      A
         740     IN      AAAA    2001:558:1002:a:68:87:29:164
         6456    IN      A
         1692    IN      AAAA    2001:558:100a:5:68:87:68:244

    ;; Query time: 16 msec
    ;; SERVER:
    ;; WHEN: Sat Mar 17 13:34:49 2012
    ;; MSG SIZE  rcvd: 383

    So Comcast has to set this up. You can do a +trace to see how it all works.

    I snipped it up a bit – but you can do it with your own IPs -- or post one and I can look it up for you.

    example of mine, again snipped out couple octets for privacy (

    ; <<>> DiG 9.9.0 <<>> -x 24.13.xx.xx +trace
    ;; global options: +cmd
    .                       87626   IN      NS
    .                       87626   IN      NS
    .                       87626   IN      NS

    ;; Received 857 bytes from in 239 ms

    snipped           172800  IN      NS
                      172800  IN      NS
                      172800  IN      NS
    ;; Received 642 bytes from in 338 ms

    snipped        86400   IN      NS
                   86400   IN      NS
                   86400   IN      NS
                   86400   IN      NS
    ;; Received 398 bytes from in 272 ms

    snipped     86400   IN      NS
                86400   IN      NS
                86400   IN      NS
                86400   IN      NS
                86400   IN      NS
    ;; Received 386 bytes from in 261 ms

     7200 IN      PTR
     7200    IN      NS
     7200    IN      NS
     7200    IN      NS
     7200    IN      NS
     7200    IN      NS
    ;; Received 207 bytes from in 222 ms

    So a query for a PTR asks the root servers, then asks the roots for (reverse zones), which says hey, ARIN owns this space, go ask them who does DNS for those ranges.  The ARIN NS say go ask the Comcast nameservers, which say hey, ask one of these specific name servers for example -- which has the PTR record for your IP which falls into this netblock.

    Hope that helps you understand how it works. If not I can try some more. If you want, just post your IP and I can tell you where to go get the PTR set up, or if you don't want to post it publicly, PM it to me and I'll send back the info.

  • LAYER 8 Global Moderator

    Not sure if my PM went, so I will leave out the part about your network and who owns it.  But what I can say publicly is it is managed by RIPE, so you need to contact them. I see no delegation set up for the reverse of that network

            3600    IN      SOA 1332042675 3600 600 864000 7200
    ;; Received 103 bytes from in 187 ms

    Get with RIPE, since it sure looks like the netblock is registered to you.  But no delegation setup for your reverse

    But I don't think it will be possible to get that running by Monday..
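
The delegation walk from the two moderator posts above, as an added example that is not part of the original thread: it derives the PTR name and the reverse zones to run an NS query against, then reads `dig -x <ip> +trace` style records to report whether the walk ended in a PTR or in an SOA from a parent zone (no delegation). The sample records are constructed, the address is from the 192.0.2.0/24 documentation range, and all `.example` host names are hypothetical.

```python
import ipaddress

def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address, fully qualified."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."

def candidate_zones(ip):
    """Octet-boundary reverse zones (/8, /16, /24) to try `dig NS` against."""
    labels = reverse_name(ip).split(".")[:4]        # e.g. ['25', '2', '0', '192']
    return [".".join(labels[i:]) + ".in-addr.arpa." for i in (3, 2, 1)]

def diagnose(ip, dig_text):
    """Read `dig -x IP +trace`-style records and report where the walk ended."""
    target = reverse_name(ip)
    deepest, ptr, soa_zone = None, None, None
    for line in dig_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        name, rtype, rdata = fields[0].lower(), fields[3], fields[4]
        if name != target and not target.endswith("." + name):
            continue                                 # not on the path to our PTR
        if rtype == "NS" and (deepest is None or len(name) > len(deepest)):
            deepest = name                           # deepest delegated zone so far
        elif rtype == "PTR" and name == target:
            ptr = rdata
        elif rtype == "SOA":
            soa_zone = name                          # negative answer from this zone
    return {"ptr_name": target, "ptr": ptr, "deepest_zone": deepest,
            "negative_from": soa_zone,
            "own_zone_delegated": deepest == candidate_zones(ip)[-1]}

# Constructed sample: the walk stops at the registry's zone with an SOA,
# i.e. no delegation exists for the /24 (the case in the second post).
NO_DELEGATION = """\
in-addr.arpa.       172800 IN NS  ns.parent.example.
192.in-addr.arpa.   86400  IN NS  ns1.registry.example.
192.in-addr.arpa.   3600   IN SOA ns1.registry.example. hostmaster.registry.example. 1 3600 600 864000 7200
"""
# Constructed sample: the /24 is delegated and the PTR record exists.
DELEGATED = """\
192.in-addr.arpa.         86400 IN NS  ns1.registry.example.
2.0.192.in-addr.arpa.     86400 IN NS  ns1.hoster.example.
25.2.0.192.in-addr.arpa.  7200  IN PTR mail.hoster.example.
"""

if __name__ == "__main__":
    print(diagnose("192.0.2.25", NO_DELEGATION))
    print(diagnose("192.0.2.25", DELEGATED))
```

When `own_zone_delegated` is false and `negative_from` names a parent zone, the operator of that zone is the party to ask for the delegation or the record.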

  • Thanks, I just PMed you regarding this issue. I will reply on this thread as soon as we get an official response from RIPE regarding reverse DNS.
