Pfsense and PTR
I tried to search this forum and Google for information about how to set PTR records. Right now we actually own a few class Cs, but they are controlled by a Mikrotik, which does not have the capability to add PTR records for IP addresses.
Also, since we started hosting other people's webpages we got a few complaints that their mail is not delivered to its destination. Further investigation showed that it's because of a missing PTR. I've looked and googled and tried to set a PTR record on our server, but setting up a PTR record, it seems, is done on the router that controls the IP addresses (in our case it's a Mikrotik) and not on the server that hosts other people's websites. Am I getting this right? Also, will pfSense help us set this PTR record if all IP addresses are controlled by it?
Thank you very much.
I really don't want to be annoying or anything like that, but the PTR or reverse DNS thing is really new to us and we searched not only this site to find the answer we are looking for. It's like everyone managed to set it up but no one knows how. Wherever I asked about the PTR I got the same answer: your datacenter that holds your IPs has to set the PTR for you. OK, so we asked the people responsible for delivering us those IPs and they said that we hold those IPs and that we have to set it up. This is like a magic circle, no beginning and no end. It's a little frustrating, but I'm sure someone has a simple answer. Plus, if someone here ever set up PTR and wrote a little how-to, I think it would be valuable info for everyone. :D
You can set the PTR just fine in the pfSense DNS forwarder. It will be there by default, actually; see the attached image.
But your problem sounds like it's a public IP. To set a PTR for your public IP you need to go through the people that control the netblock; in the US, say, this is controlled by ARIN, and you can look up who controls your IP range using a simple whois.
So for example, here is my public IP PTR (snipped the last couple of octets for privacy):
;; QUESTION SECTION:
;xx.xx.13.24.in-addr.arpa. IN PTR
;; ANSWER SECTION:
xx.xx.13.24.in-addr.arpa. 7200 IN PTR c-24-13-xx-xx.hsd1.il.comcast.net.
This netblock is owned by Comcast:
Comcast Cable Communications ILLINOIS-14 (NET-24-12-0-0-1) 220.127.116.11 - 18.104.22.168
Comcast Cable Communications, Inc. EASTERNSHORE-1 (NET-24-0-0-0-1) 22.214.171.124 - 126.96.36.199
available at: https://www.arin.net/whois_tou.html
You can find the NS for your PTR zone via a simple NS query:
; <<>> DiG 9.9.0 <<>> 13.24.in-addr.arpa NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29240
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;13.24.in-addr.arpa. IN NS
;; ANSWER SECTION:
13.24.in-addr.arpa. 7200 IN NS dns104.comcast.net.
13.24.in-addr.arpa. 7200 IN NS dns105.comcast.net.
13.24.in-addr.arpa. 7200 IN NS dns103.comcast.net.
13.24.in-addr.arpa. 7200 IN NS dns102.comcast.net.
13.24.in-addr.arpa. 7200 IN NS dns101.comcast.net.
;; ADDITIONAL SECTION:
dns105.comcast.net. 6205 IN A 188.8.131.52
dns105.comcast.net. 1540 IN AAAA 2001:558:100e:5:68:87:72:244
dns103.comcast.net. 451 IN A 184.108.40.206
dns103.comcast.net. 1627 IN AAAA 2001:558:1014:c:68:87:76:228
dns102.comcast.net. 6194 IN A 220.127.116.11
dns102.comcast.net. 1530 IN AAAA 2001:558:1004:7:68:87:85:132
dns101.comcast.net. 6025 IN A 18.104.22.168
dns101.comcast.net. 740 IN AAAA 2001:558:100268:87:29:164
dns104.comcast.net. 6456 IN A 22.214.171.124
dns104.comcast.net. 1692 IN AAAA 2001:558:100a:5:68:87:68:244
;; Query time: 16 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sat Mar 17 13:34:49 2012
;; MSG SIZE rcvd: 383
So Comcast has to set this up. You can do a +trace to see how it all works.
I snipped it up a bit, but you can do it with your own IPs, or post one and I can look it up for you.
Example of mine, again snipped out a couple of octets for privacy:
;; Received 857 bytes from 192.168.1.253#53(192.168.1.253) in 239 ms
in-addr.arpa. 172800 IN NS e.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS f.in-addr-servers.arpa.
in-addr.arpa. 172800 IN NS c.in-addr-servers.arpa.
;; Received 642 bytes from 126.96.36.199#53(188.8.131.52) in 338 ms
24.in-addr.arpa. 86400 IN NS y.arin.net.
24.in-addr.arpa. 86400 IN NS x.arin.net.
24.in-addr.arpa. 86400 IN NS t.arin.net.
24.in-addr.arpa. 86400 IN NS z.arin.net.
;; Received 398 bytes from 184.108.40.206#53(220.127.116.11) in 272 ms
13.24.in-addr.arpa. 86400 IN NS dns104.comcast.net.
13.24.in-addr.arpa. 86400 IN NS dns102.comcast.net.
13.24.in-addr.arpa. 86400 IN NS dns103.comcast.net.
13.24.in-addr.arpa. 86400 IN NS dns101.comcast.net.
13.24.in-addr.arpa. 86400 IN NS dns105.comcast.net.
;; Received 386 bytes from 18.104.22.168#53(22.214.171.124) in 261 ms
20.176.xx.xx.in-addr.arpa. 7200 IN PTR c-24-13-xx-xx.hsd1.il.comcast.net.
176.13.24.in-addr.arpa. 7200 IN NS dns104.comcast.net.
176.13.24.in-addr.arpa. 7200 IN NS dns105.comcast.net.
176.13.24.in-addr.arpa. 7200 IN NS dns101.comcast.net.
176.13.24.in-addr.arpa. 7200 IN NS dns102.comcast.net.
176.13.24.in-addr.arpa. 7200 IN NS dns103.comcast.net.
;; Received 207 bytes from 126.96.36.199#53(188.8.131.52) in 222 ms
So a query for a PTR asks the root servers, then asks the roots for in-addr.arpa (reverse zones), which say hey, ARIN owns this space, go ask them who does DNS for those ranges. ARIN's NS say go ask Comcast's nameservers, which say hey, ask one of these specific name servers, dns105.comcast.net for example, which has the PTR record for your IP, which falls into this netblock.
Hope that helps you understand how it works. If not I can try some more. If you want, just post your IP and I can tell you where to go to get the PTR set up, or if you don't want to post it publicly, PM it to me and I'll send back the info.
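As an added example (not code from this thread or from pfSense), the Python below walks the same reverse-DNS delegation chain offline to find which zone, and which nameservers, must hold the PTR for an address, and checks forward-confirmed rDNS (the PTR target resolving back to the IP), which is what mail receivers look for. The lookup tables and the host 24.13.176.20 are constructed; the server names are taken from the +trace above.

```python
import ipaddress
from typing import Callable, Iterable, Optional

NsLookup = Callable[[str], Optional[Iterable[str]]]  # zone -> NS names, or None

def reverse_name(ip: str) -> str:
    """'24.13.176.20' -> '20.176.13.24.in-addr.arpa' (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer

def delegation_candidates(ip: str) -> list[str]:
    """Zones from the top of the reverse tree down to the address itself:
    in-addr.arpa, 24.in-addr.arpa, 13.24.in-addr.arpa, 176.13.24.in-addr.arpa, ..."""
    labels = reverse_name(ip).split(".")  # last two labels: in-addr/ip6 + arpa
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]

def find_delegation(ip: str, ns_lookup: NsLookup) -> tuple[str, list[str]]:
    """Walk the chain like dig +trace and return the most specific zone that has
    its own NS set. Whoever runs those servers has to add the PTR; if the best
    match is only the RIR's /8 zone, no reverse delegation exists yet."""
    best: tuple[str, list[str]] = ("", [])
    for zone in delegation_candidates(ip):
        ns = ns_lookup(zone)
        if ns:
            best = (zone, sorted(ns))
    return best

def fcrdns_ok(ip: str, ptr_lookup, addr_lookup) -> bool:
    """Forward-confirmed rDNS: the PTR target must resolve back to the same IP,
    which is what mail receivers check before trusting a sending host."""
    name = ptr_lookup(reverse_name(ip))
    return bool(name) and ip in (addr_lookup(name) or [])

# Constructed lookup tables modelled on the thread's +trace (server names from
# the thread; the host 24.13.176.20 and its PTR target are made up).
CONSTRUCTED_NS = {
    "in-addr.arpa": ["e.in-addr-servers.arpa", "f.in-addr-servers.arpa"],
    "24.in-addr.arpa": ["x.arin.net", "y.arin.net"],
    "13.24.in-addr.arpa": ["dns101.comcast.net", "dns105.comcast.net"],
    "176.13.24.in-addr.arpa": ["dns104.comcast.net", "dns105.comcast.net"],
}
CONSTRUCTED_PTR = {"20.176.13.24.in-addr.arpa": "c-24-13-176-20.hsd1.il.comcast.net"}
CONSTRUCTED_A = {"c-24-13-176-20.hsd1.il.comcast.net": ["24.13.176.20"]}

if __name__ == "__main__":
    zone, servers = find_delegation("24.13.176.20", CONSTRUCTED_NS.get)
    print(f"PTR lives in {zone}, served by {', '.join(servers)}")
    print("FCrDNS ok:", fcrdns_ok("24.13.176.20", CONSTRUCTED_PTR.get, CONSTRUCTED_A.get))
```

For live use, replace the dict `.get` callbacks with a resolver's NS, PTR and A lookups; an address whose best match is only the RIR's zone is the undelegated case described in the thread.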
Not sure if my PM went, so I will leave out the part about your network and who owns it. But what I can say publicly is that it's managed by RIPE, so you need to contact them. I see no delegation set up for the reverse of that network.
Get with RIPE, since it sure looks like the netblock is registered to you. But no delegation is set up for your reverse.
But I don't think it will be possible to get that running by Monday.
Thanks, I just PMed you regarding this issue. I will reply on this thread as soon as we get an official response from RIPE regarding reverse DNS.