Reverse DNS lookups in an AWS VPC

Published: 2023-07-12

As more companies move to the cloud, many discover that they are not fully prepared for the migration. That is not necessarily a bad thing, but it does mean certain measures are needed for the migration to succeed. One such measure is the use of reverse DNS lookups.

What is a reverse DNS lookup?

A reverse DNS lookup is the opposite of a normal DNS lookup. Instead of taking a domain name and returning an IP address, a reverse DNS lookup takes an IP address and returns a domain name. This process is valuable for various reasons, with the most common being IP address verification. It is commonly used to validate the authenticity of email sources by confirming they originate from the claimed domain. Additionally, reverse DNS lookups can be used internally to verify the legitimacy of a server.

One application that relies on reverse DNS lookups is the PostgreSQL database. PostgreSQL performs a reverse DNS lookup on the connecting client's IP address to authenticate it; if the result differs from what it expects, PostgreSQL rejects the connection. This security feature prevents an attacker from connecting with a falsified client IP address.

How does a reverse DNS lookup work?

To understand reverse DNS lookups, let's perform one to observe the process. We can conduct a reverse DNS lookup on the IP address 193.110.81.0 using the dig command:

$ dig -x 193.110.81.0

;; ANSWER SECTION:
0.81.110.193.in-addr.arpa. 119  IN      PTR     dns0.eu.

As the output shows, the reverse DNS lookup returns the domain name dns0.eu. Notice that the octets of the IP address are reversed and placed in front of the in-addr.arpa domain. This is the standard form of a reverse DNS query, and you can construct it by hand: reverse the octets and prepend them to in-addr.arpa. For instance, the IP address 44.238.46.144 becomes 144.46.238.44.in-addr.arpa, and a DNS lookup of that name yields the reverse DNS result. The record type used for reverse DNS lookups is PTR, which stands for pointer; the PTR record points to the domain name associated with the IP address.

You can perform a manual reverse DNS lookup using the dig command:

$ dig 144.46.238.44.in-addr.arpa PTR

;; ANSWER SECTION:
144.46.238.44.in-addr.arpa. 33	IN	PTR	smtp02.us-west-2.mail-perimeter.amazon.com.

How do I configure reverse DNS lookups in AWS?

AWS provides a service called Route 53 that lets you configure DNS records for your domain. You can use the same service to serve reverse DNS records for the IP addresses in your VPC. Because the lookups in this example are internal to the VPC, this requires an Internal Hosted Zone. Follow these steps to create one:

  1. Go to the Route 53 console.
  2. Click on the "Create Hosted Zone" button.
  3. Enter the domain name and, optionally, a comment. The domain name consists of the leading octets of the CIDR block in reverse order, followed by in-addr.arpa; use the first two or three octets depending on the size of the block you want to create reverse records for. For instance, to create reverse records for the CIDR block 10.123.0.0/16, enter 123.10.in-addr.arpa as the domain name. The comment is optional, but providing one makes the Hosted Zone easier to identify later.

Once the Hosted Zone is created, you need to create a record set for each IP address in the CIDR block that needs a reverse record. Follow these steps:

  1. Click on the "Create Record Set" button.
  2. Fill in the name, type, and value fields. The name is the remaining octets of the IP address in reverse order, relative to the zone. For example, to create a reverse record for the IP address 10.123.40.50 in the zone above, enter 50.40 as the name. The type is PTR, and the value is the domain name you want to associate with the IP address; to map 10.123.40.50 to smtp.example.com, enter smtp.example.com as the value.

DNS records for Internal Zones are immediately available to your VPC DNS resolver. You can test this by performing a reverse DNS lookup on the IP address 10.123.40.50:

$ dig -x 10.123.40.50

;; ANSWER SECTION:
50.40.123.10.in-addr.arpa. 300 IN	PTR	smtp.example.com.
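As an added example (not code from the original post), the following Python puts the two ideas above into code: it derives the Route 53 zone name and relative record name from a CIDR block and an address the way the steps above do by hand, and it applies the forward-confirmed variant of the PostgreSQL-style check, since a PTR record alone is only as trustworthy as whoever controls the reverse zone. The resolver is injected and backed by a constructed zone so the code runs offline; the function names, the Resolver interface and the sample records are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Optional

# Resolver interface: (owner name, record type) -> answer rdata. Injected so
# the example runs offline against the constructed zone below.
Resolver = Callable[[str, str], list[str]]

def reverse_name(ip: str) -> str:
    """PTR owner name, e.g. 44.238.46.144 -> 144.46.238.44.in-addr.arpa
    (an IPv6 address lands under ip6.arpa, one nibble per label)."""
    return ipaddress.ip_address(ip).reverse_pointer

def route53_ptr_record(cidr: str, ip: str) -> tuple[str, str]:
    """(hosted zone name, relative record name) for an octet-aligned IPv4
    reverse zone, as done by hand in the post:
    ('10.123.0.0/16', '10.123.40.50') -> ('123.10.in-addr.arpa', '50.40')."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("expected an IPv4 /8, /16 or /24 reverse zone")
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    labels = addr.reverse_pointer.split(".")  # 50,40,123,10,in-addr,arpa
    fixed = net.prefixlen // 8                # octets the zone name covers
    return ".".join(labels[4 - fixed:]), ".".join(labels[:4 - fixed])

def forward_confirmed(ip: str, resolve: Resolver) -> Optional[str]:
    """Forward-confirmed reverse DNS: trust a PTR target only if it resolves
    back to the address. Whoever runs the reverse zone picks the PTR value,
    so the forward check is what stops an arbitrary name vouching for it."""
    addr = ipaddress.ip_address(ip)
    rrtype = "A" if addr.version == 4 else "AAAA"
    for target in resolve(addr.reverse_pointer, "PTR"):
        host = target.rstrip(".")
        if any(ipaddress.ip_address(a) == addr for a in resolve(host, rrtype)):
            return host
    return None

# Constructed records standing in for the VPC resolver (not real DNS data).
FAKE_ZONE = {
    ("50.40.123.10.in-addr.arpa", "PTR"): ["smtp.example.com."],
    ("smtp.example.com", "A"): ["10.123.40.50"],
    ("51.40.123.10.in-addr.arpa", "PTR"): ["smtp.example.com."],  # no A back
}

def fake_resolve(name: str, rrtype: str) -> list[str]:
    return FAKE_ZONE.get((name, rrtype), [])
```

With the constructed zone, forward_confirmed("10.123.40.50", fake_resolve) returns "smtp.example.com", while 10.123.40.51, whose PTR names a host that does not resolve back to it, returns None.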

Conclusion

Reverse DNS lookups are a valuable tool for verifying the authenticity of an IP address. They are commonly employed to validate the source domain of an email, but they can also be used internally to authenticate servers. In this article, we explored the process of configuring reverse DNS lookups in an AWS VPC using Route 53. We also demonstrated how to perform a manual reverse DNS lookup using the dig command. I hope you found this article informative and useful. If you have any questions or comments, please feel free to reach out.