Pfsense and PTR



  • I tried to search this forum and Google for information about how to set PTR records. Right now we actually own a few class C networks, but they are controlled by Mikrotik, which does not have the capability to add a PTR record for an IP address.
    Also, since we started hosting other people's web pages we got a few complaints that their mail is not delivered to its destination. Further investigation showed that it's because of a missing PTR. I've looked and googled and tried to set a PTR record on our server, but setting up a PTR record, it seems, is done on the router that controls the IP addresses (in our case the Mikrotik) and not on the server that hosts other people's websites. Am I getting this right? Also, will pfSense help us set this PTR record if all IP addresses are controlled by it?
    Thank you very much.



  • I really don't want to be annoying or anything like that, but PTR or reverse DNS is really new to us and we searched not only this site to find the answer we are looking for. It's like everyone managed to set it up but no one knows how. Wherever I asked about PTR I got the same answer: your datacenter that holds your IPs has to set the PTR for you. OK, so we asked the people responsible for delivering us those IPs and they said that we hold those IPs and that we have to set it up. This is like a magic circle, no beginning and no end. It's a little frustrating, but I'm sure someone has a simple answer. Plus, if someone here ever set up PTR and wrote a little how-to, I think it would be valuable info for everyone. :D


  • LAYER 8 Global Moderator

    You can set the PTR just fine on pfsense dns forwarder.  It will be there by default actually - see attached image

    But your problem sounds like it's a public IP. To set a PTR for your public IP you need to go to the people that control the netblock; in the US, say, this is controlled by ARIN, and you can look up who controls your IP range using a simple whois.

    so for example here is my public IP PTR - snipped the last couple of octets for privacy

    ;; QUESTION SECTION:
    ;xx.xx.13.24.in-addr.arpa.     IN      PTR

    ;; ANSWER SECTION:
    xx.xx.13.24.in-addr.arpa. 7200 IN      PTR     c-24-13-xx-xx.hsd1.il.comcast.net.

    This netblock is owned by comcast

    whois 24.13.0.0

    The following results may also be obtained via:

    http://whois.arin.net/rest/nets;q=24.13.0.0?showDetails=true&showARIN=false&ext=netref2

    Comcast Cable Communications ILLINOIS-14 (NET-24-12-0-0-1) 24.12.0.0 - 24.15.255.255
    Comcast Cable Communications, Inc. EASTERNSHORE-1 (NET-24-0-0-0-1) 24.0.0.0 - 24.15.255.255

    ARIN WHOIS data and services are subject to the Terms of Use

    available at: https://www.arin.net/whois_tou.html

    You can find the NS for your PTR zone via simple NS query

    ; <<>> DiG 9.9.0 <<>> 13.24.in-addr.arpa NS
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29240
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;13.24.in-addr.arpa.            IN      NS

    ;; ANSWER SECTION:
    13.24.in-addr.arpa.     7200    IN      NS      dns104.comcast.net.
    13.24.in-addr.arpa.     7200    IN      NS      dns105.comcast.net.
    13.24.in-addr.arpa.     7200    IN      NS      dns103.comcast.net.
    13.24.in-addr.arpa.     7200    IN      NS      dns102.comcast.net.
    13.24.in-addr.arpa.     7200    IN      NS      dns101.comcast.net.

    ;; ADDITIONAL SECTION:
    dns105.comcast.net.     6205    IN      A       68.87.72.244
    dns105.comcast.net.     1540    IN      AAAA    2001:558:100e:5:68:87:72:244
    dns103.comcast.net.     451     IN      A       68.87.76.228
    dns103.comcast.net.     1627    IN      AAAA    2001:558:1014:c:68:87:76:228
    dns102.comcast.net.     6194    IN      A       68.87.85.132
    dns102.comcast.net.     1530    IN      AAAA    2001:558:1004:7:68:87:85:132
    dns101.comcast.net.     6025    IN      A       68.87.29.164
    dns101.comcast.net.     740     IN      AAAA    2001:558:1002:a:68:87:29:164
    dns104.comcast.net.     6456    IN      A       68.87.68.244
    dns104.comcast.net.     1692    IN      AAAA    2001:558:100a:5:68:87:68:244

    ;; Query time: 16 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Sat Mar 17 13:34:49 2012
    ;; MSG SIZE  rcvd: 383

    So Comcast has to set this up. You can do a +trace to see how it all works.

    I snipped it up a bit, but you can do it with your own IPs, or post one and I can look it up for you.

    Example of mine, again with a couple of octets snipped out for privacy:

    ; <<>> DiG 9.9.0 <<>> -x 24.13.xx.xx +trace
    ;; global options: +cmd
    snipped
    .                       87626   IN      NS      m.root-servers.net.
    .                       87626   IN      NS      a.root-servers.net.
    .                       87626   IN      NS      b.root-servers.net.

    ;; Received 857 bytes from 192.168.1.253#53(192.168.1.253) in 239 ms

    snipped
    in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.
    ;; Received 642 bytes from 192.36.148.17#53(192.36.148.17) in 338 ms

    snipped
    24.in-addr.arpa.        86400   IN      NS      y.arin.net.
    24.in-addr.arpa.        86400   IN      NS      x.arin.net.
    24.in-addr.arpa.        86400   IN      NS      t.arin.net.
    24.in-addr.arpa.        86400   IN      NS      z.arin.net.
    ;; Received 398 bytes from 199.212.0.73#53(199.212.0.73) in 272 ms

    snipped
    13.24.in-addr.arpa.     86400   IN      NS      dns104.comcast.net.
    13.24.in-addr.arpa.     86400   IN      NS      dns102.comcast.net.
    13.24.in-addr.arpa.     86400   IN      NS      dns103.comcast.net.
    13.24.in-addr.arpa.     86400   IN      NS      dns101.comcast.net.
    13.24.in-addr.arpa.     86400   IN      NS      dns105.comcast.net.
    ;; Received 386 bytes from 199.253.249.63#53(199.253.249.63) in 261 ms

    20.176.xx.xx.in-addr.arpa. 7200 IN      PTR     c-24-13-xx-xx.hsd1.il.comcast.net.
    176.13.24.in-addr.arpa. 7200    IN      NS      dns104.comcast.net.
    176.13.24.in-addr.arpa. 7200    IN      NS      dns105.comcast.net.
    176.13.24.in-addr.arpa. 7200    IN      NS      dns101.comcast.net.
    176.13.24.in-addr.arpa. 7200    IN      NS      dns102.comcast.net.
    176.13.24.in-addr.arpa. 7200    IN      NS      dns103.comcast.net.
    ;; Received 207 bytes from 68.87.72.244#53(68.87.72.244) in 222 ms

    So a query for a PTR asks the root servers, then asks the roots for in-addr.arpa (reverse zones), which says hey, ARIN owns this space, go ask them who does DNS for those ranges. The ARIN NS say go ask Comcast's nameservers, which say hey, ask one of these specific name servers, dns105.comcast.net for example, which has the PTR record for your IP, which falls into this netblock.

    Hope that helps you understand how it works. If not I can try some more. If you want, just post your IP and I can tell you where to go to get the PTR set up, or if you don't want to post it publicly, PM it to me and I'll send back the info.



  • LAYER 8 Global Moderator

    Not sure if my PM went, so I will leave out the part about your network and who owns it. But what I can say publicly is that it is managed by RIPE, so you need to contact them. I see no delegation set up for the reverse of that network:

    91.in-addr.arpa.        3600    IN      SOA    pri.authdns.ripe.net. dns.ripe.net. 1332042675 3600 600 864000 7200
    ;; Received 103 bytes from 202.12.28.140#53(202.12.28.140) in 187 ms

    Get with RIPE, since it sure looks like the netblock is registered to you. But there is no delegation set up for your reverse:

    http://www.ripe.net/data-tools/dns/reverse-dns/how-to-set-up-reverse-delegation

    But I don't think it will be possible to get that running by Monday..
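The delegation walk described in the +trace post above, and the "no delegation set up" case from this post, as an added example that is not part of the thread. It simulates an iterative PTR lookup over a constructed delegation table (documentation ranges and example.net names only, none of the real Comcast or RIPE data) and then performs the forward-confirmed reverse DNS check that mail receivers apply when they reject mail from hosts without a matching PTR.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """Owner name a PTR lookup asks for (in-addr.arpa for v4, ip6.arpa for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

# Constructed delegation table shaped like the +trace output in the thread:
# root -> in-addr.arpa -> RIR (/8) -> ISP (/16) -> customer (/24).
# Every name and address here is made up (RFC 5737 / RFC 2606 ranges).
ZONES = {
    ".": "a.root-servers.net.",
    "in-addr.arpa.": "e.in-addr-servers.arpa.",
    "192.in-addr.arpa.": "rir-ns.example.",        # assumed RIR server
    "198.in-addr.arpa.": "rir-ns.example.",        # RIR holds the /8, nothing below
    "0.192.in-addr.arpa.": "isp-ns.example.net.",  # assumed ISP delegation
    "2.0.192.in-addr.arpa.": "ns1.example.net.",   # assumed customer /24 zone
}
# Constructed PTR and A records; 192.0.2.26 deliberately points at a name
# whose A record does not come back to it (the mismatch mail servers reject).
PTRS = {"25.2.0.192.in-addr.arpa.": "mail.example.net.",
        "26.2.0.192.in-addr.arpa.": "www.example.org."}
FORWARD = {"mail.example.net.": "192.0.2.25", "www.example.org.": "192.0.2.99"}

def trace(qname):
    """Walk the delegation chain from the root the way dig +trace does.
    Returns (referral path, PTR target or None, deepest zone that has a server).
    When the PTR is None, the deepest zone is who must set up the delegation."""
    labels = qname.rstrip(".").split(".")
    path = []
    for i in range(len(labels), -1, -1):          # ".", "arpa.", "in-addr.arpa.", ...
        zone = "." if i == len(labels) else ".".join(labels[i:]) + "."
        if zone in ZONES:
            path.append((zone, ZONES[zone]))
    return path, PTRS.get(qname), path[-1][0]

def fcrdns_ok(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    ptr = trace(reverse_name(ip))[1]
    return ptr is not None and FORWARD.get(ptr) == ip

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "198.51.100.7"):
        path, ptr, deepest = trace(reverse_name(ip))
        print(ip, "->", ptr, "| chain ends at", deepest, "| FCrDNS:", fcrdns_ok(ip))
```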



  • Thanks, I just PMed you regarding this issue. I will reply in this thread as soon as we get an official response from RIPE regarding reverse DNS.

