I have a lot of *.in-addr.arpa domain requests in my OpenDNS account. I know this should be normal and it's about reverse DNS.
I've been reading here and there but still I can't really get how it works and why I get so many requests (a higher number than www.google.com). I'd just need someone that, like Einstein suggested, could explain to me what this reverse DNS is used for like he would explain it to his grandmother.
Reverse DNS is a mapping from an IP address to a DNS name. So it's like DNS, but backwards. If you are assigned IP addresses you have to set up reverse DNS to tell the world what the addresses are used for.
In practice, if you want to know what system is at 216.239.32.10, you do what is called a reverse lookup by reversing the IP address and adding in-addr.arpa to it. So it looks like this: 10.32.239.216.in-addr.arpa. A PTR record should then tell you what system it is. The dig tool automates this with the -x switch. Notice the PTR record. It tells us that 216.239.32.10 is in fact ns1.google.com.
The short version is that reverse DNS is used to get a domain name from an IP address, while normal DNS is used to get an IP address from a domain name.
The way it actually works is that there's a dummy top-level domain called in-addr.arpa, and to find the domain name for IP address A.B.C.D, the DNS client does a lookup on D.C.B.A.in-addr.arpa. There are various complicated rules for delegation of sub-domains of in-addr.arpa to ensure that those requests go to the correct place. The Wikipedia article is OK, although perhaps a little terse: http://en.wikipedia.org/wiki/Reverse_DNS_lookup.
What it means to you is that if you own a block of IP addresses, and you want to be able to create reverse DNS records for those addresses so that their domain names can be looked up, you need to make sure that whoever you got the block from has set up an appropriate delegation so that you manage a sub-domain of in-addr.arpa and can thus create the appropriate DNS PTR records.
Since you asked for use of reverse DNS, consider the following.
Someone wants to deliver an email to your mail server. It claims to be the server mail.example.com. You can then use a reverse lookup to check whether its IP actually belongs to the address mail.example.com. If not, you know that there is probably something wrong. If you cannot even find a reverse entry, it is even more suspicious. (At least in the last situation the mail will probably be spam and be treated as such by many providers.)
The same holds for other connections as well. In fact, sshd will mark a connection attempt as POSSIBLE BREAK-IN ATTEMPT! if the reverse and forward entry do not match. The default behavior is to ignore it though.
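As an added example (not code from any answer on this page), the following Python builds the reverse-lookup name the first answer describes and runs the forward-confirmed reverse DNS check the last answer describes against a constructed lookup table; it also generalises to IPv6 under ip6.arpa, which the answers do not cover. The resolver callable and every table entry are assumptions for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed lookup table standing in for the DNS; the names and
# addresses below are sample data, not live records.
FAKE_DNS: Dict[str, List[str]] = {
    "10.32.239.216.in-addr.arpa": ["ns1.google.com"],
    "ns1.google.com": ["216.239.32.10"],
    "5.100.51.198.in-addr.arpa": ["mail.example.com"],
    "mail.example.com": ["192.0.2.7"],   # forward record does not point back
}


def reverse_name(ip: str) -> str:
    """Build the reverse-lookup name for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa
    (216.239.32.10 -> 10.32.239.216.in-addr.arpa).
    IPv6 (generalisation of the answer's IPv4 case): every hex nibble
    of the fully expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def fcrdns(ip: str,
           lookup: Callable[[str], Optional[List[str]]] = FAKE_DNS.get) -> str:
    """Forward-confirmed reverse DNS, the check the last answer describes.

    Returns "match", "mismatch" or "no-ptr".  `lookup` is a hypothetical
    resolver callable (name -> list of record values); it defaults to the
    constructed table so the example runs offline.
    """
    ptr_names = lookup(reverse_name(ip)) or []
    if not ptr_names:
        return "no-ptr"        # no reverse entry: the "even more suspicious" case
    for name in ptr_names:
        if ip in (lookup(name) or []):
            return "match"     # the PTR name resolves back to the same IP
    return "mismatch"          # the case sshd logs as POSSIBLE BREAK-IN ATTEMPT
```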