How to Configure Reverse DNS for IPv6

Overview

Reverse DNS (rDNS) is the process of resolving an IP address back to a hostname using DNS PTR (pointer) records. While conceptually similar to IPv4 reverse DNS, IPv6 reverse DNS has unique characteristics due to the vastly larger address space and different notation requirements. This guide covers configuring IPv6 reverse DNS, from the structure of the ip6.arpa domain to practical implementation in various environments.

Before configuring reverse DNS, you should verify your IPv6 connectivity is working properly. Tools like test-ipv6.run can help you confirm your IPv6 setup is functional before adding reverse DNS records.

Understanding IPv6 Reverse DNS Basics

The ip6.arpa Domain

IPv6 reverse DNS uses the special domain ip6.arpa (analogous to in-addr.arpa for IPv4). When performing a reverse lookup, an IPv6 address is converted into a special format and queried under this domain to retrieve the corresponding PTR record.

Nibble Format Explained

The key difference between IPv4 and IPv6 reverse DNS is the "nibble format" used for IPv6. A nibble represents 4 bits (one hexadecimal digit) of the address. IPv6 reverse DNS zones must be created on nibble boundaries, meaning zone delegations occur at prefix lengths divisible by 4 (e.g., /124, /120, /116, /112, /64, /48, /32).

Converting IPv6 Addresses to Reverse Format

The conversion process involves several steps:

  1. Expand the IPv6 address - Remove all abbreviations and represent every hexadecimal digit
  2. Remove colons - Create a continuous 32-character hex string
  3. Reverse the string - Reverse the entire sequence character by character
  4. Insert dots - Place a dot between each character
  5. Append .ip6.arpa - Add the reverse DNS domain suffix

Example:

IPv6 Address:    2001:db8::567:89ab
Expanded:        2001:0db8:0000:0000:0000:0000:0567:89ab
Remove colons:   20010db80000000000000000056789ab
Reverse:         ba98765000000000000000008bd01002
Add dots:        b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2
Final format:    b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

This unwieldy 72-character domain name is what DNS servers query to retrieve the PTR record for the IPv6 address.

Configuring IPv6 Reverse DNS in BIND

BIND (Berkeley Internet Name Domain) is the most widely used DNS server software. Here's how to configure IPv6 reverse DNS in BIND 9.

Zone Configuration in named.conf

For a /48 IPv6 allocation (e.g., 2001:db8::/48), add the following to your named.conf:

// A /48 covers 12 nibbles (2001 0db8 0000), so the zone name has 12 labels
zone "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.2001:db8";
    allow-update { none; };
};

For a /64 prefix (2001:db8:1234:5678::/64):

zone "8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.2001:db8:1234:5678";
    allow-update { none; };
};

Zone File Format

Create the zone file (/etc/bind/db.2001:db8:1234:5678) with the following format:

$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2025102001  ; Serial (YYYYMMDDNN)
            3600        ; Refresh
            1800        ; Retry
            604800      ; Expire
            86400 )     ; Minimum TTL

; Name servers
    IN  NS  ns1.example.com.
    IN  NS  ns2.example.com.

; PTR records for specific hosts
; 2001:db8:1234:5678::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN  PTR  server1.example.com.

; 2001:db8:1234:5678::10
0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN  PTR  server2.example.com.

; 2001:db8:1234:5678::100
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0    IN  PTR  server3.example.com.

; 2001:db8:1234:5678::abcd:ef01
1.0.f.e.d.c.b.a.0.0.0.0.0.0.0.0    IN  PTR  webserver.example.com.

Using $ORIGIN for Convenience

To reduce repetition, use the $ORIGIN directive:

$ORIGIN 8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa.
$TTL 86400

@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2025102001 3600 1800 604800 86400 )
    IN  NS  ns1.example.com.
    IN  NS  ns2.example.com.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  server1.example.com.
0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  server2.example.com.
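
The conversion steps and the relative owner names used in the zone files above can be generated rather than typed by hand. The following Python script is an added example, not part of the original guide or of BIND; the function names and the sample host map are assumptions made for illustration, and it uses only the standard-library ipaddress module.

```python
import ipaddress

def reverse_zone(prefix: str) -> str:
    """Return the ip6.arpa zone name for a nibble-aligned IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)  # strict mode: raises if host bits are set
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    # Expand, drop colons, keep only the nibbles covered by the prefix, reverse.
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_owner(addr: str, prefix: str) -> str:
    """Return the owner name of addr relative to the reverse zone for prefix."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network(prefix):
        raise ValueError(f"{ip} is outside {prefix}")
    full = ip.reverse_pointer + "."  # all 32 nibbles followed by ip6.arpa.
    zone = reverse_zone(prefix)
    return full[: -len(zone) - 1] or "@"  # strip ".<zone>"; "@" for a /128 zone

def zone_records(prefix: str, hosts: dict) -> list:
    """Build $ORIGIN plus PTR lines; hosts maps IPv6 address -> hostname."""
    lines = [f"$ORIGIN {reverse_zone(prefix)}"]
    seen = set()
    for addr in sorted(hosts, key=ipaddress.IPv6Address):
        owner = ptr_owner(addr, prefix)
        if owner in seen:  # same address written two ways, e.g. ::1 and ::0001
            raise ValueError(f"duplicate PTR owner for {addr}")
        seen.add(owner)
        name = hosts[addr]
        target = name if name.endswith(".") else name + "."  # keep target absolute
        lines.append(f"{owner}  IN  PTR  {target}")
    return lines

# Constructed sample data using the documentation prefix from this guide.
SAMPLE_HOSTS = {
    "2001:db8:1234:5678::abcd:ef01": "webserver.example.com",
    "2001:db8:1234:5678::1": "server1.example.com.",
    "2001:db8:1234:5678::10": "server2.example.com",
}

if __name__ == "__main__":
    print("\n".join(zone_records("2001:db8:1234:5678::/64", SAMPLE_HOSTS)))
```

An address outside the prefix, a prefix with host bits set, or a prefix length that is not a multiple of 4 raises ValueError instead of producing a record in the wrong zone.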

Configuration in Other DNS Servers

PowerDNS

PowerDNS can manage IPv6 PTR records through its backend database or zone files. For zone files:

$ORIGIN 8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa.
@       IN  SOA  ns1.example.com. admin.example.com. (
                 2025102001 10800 3600 604800 3600 )
        IN  NS   ns1.example.com.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  host.example.com.

NSD (Name Server Daemon)

In nsd.conf:

zone:
    name: "8.b.d.0.1.0.0.2.ip6.arpa"
    zonefile: "/etc/nsd/zones/2001-db8-reverse.zone"

The zone file format is similar to BIND.

dnsmasq

For smaller deployments, dnsmasq can handle reverse DNS with simple configuration:

host-record=server1.example.com,2001:db8:1234:5678::1
ptr-record=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa,server1.example.com

Or use the automatic reverse DNS feature:

# Forward and reverse will be automatically created
host-record=server1.example.com,2001:db8:1234:5678::1

Delegation Considerations

Understanding Delegation Authority

Most organizations do not directly control their IPv6 reverse DNS zones. The Regional Internet Registry (RIR) or Internet Service Provider (ISP) that allocated your IPv6 address space maintains authority over the reverse DNS delegation.

Delegation Boundaries

IPv6 reverse DNS can be delegated at any nibble boundary:

If your prefix length is not on a nibble boundary (e.g., /52 or /60), you must use the next larger nibble boundary (/48 or /56 respectively) for delegation.

Requesting Delegation from Your ISP

To get reverse DNS delegated to your own nameservers:

  1. Identify your allocation - Determine your IPv6 prefix and prefix length
  2. Set up authoritative nameservers - Configure at least two nameservers to host your reverse zone
  3. Contact your ISP or RIR - Request delegation by providing:
    • Your IPv6 prefix
    • Fully qualified domain names of your nameservers
    • IPv4 and IPv6 addresses of your nameservers (glue records)
  4. Test the delegation - Verify NS records are in place before finalizing

Example Delegation Request

IPv6 Prefix: 2001:db8:1234::/48
Nameservers:
  - ns1.example.com (192.0.2.10, 2001:db8:1234::10)
  - ns2.example.com (192.0.2.11, 2001:db8:1234::11)

Requested zone: 4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa

ISP and Hosting Provider Setup

Using ISP-Managed Reverse DNS

Many ISPs provide web interfaces or APIs to configure reverse DNS without requiring full zone delegation:

Web Control Panel Method:

  1. Log into your ISP's control panel
  2. Navigate to IPv6 or DNS management section
  3. Enter the IPv6 address and desired hostname
  4. Save and wait for propagation (usually minutes to hours)

API Method (varies by provider):

# Example using a hypothetical API
curl -X POST https://api.isp.example/v1/rdns \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "ipv6": "2001:db8:1234:5678::1",
    "hostname": "server1.example.com"
  }'

Cloud Provider Examples

AWS (Amazon Web Services):

Google Cloud Platform:

DigitalOcean:

Linode:

Dedicated Server and Colocation

For dedicated servers or colocation:

  1. Request LOA (Letter of Authorization) - Document proving you have rights to use the IP space
  2. Set up authoritative nameservers - Must be reachable and properly configured
  3. Submit delegation request - Provide nameserver details to datacenter or ISP
  4. Verify glue records - Ensure parent zone has NS and AAAA records for your nameservers

Email Server Configuration

Proper reverse DNS is critical for email server deliverability, especially as mail providers increasingly support IPv6:

Requirements for Email Servers

  1. Forward-Confirmed Reverse DNS (FCrDNS) - PTR record must match forward lookup
  2. SPF records - Include IPv6 addresses in your SPF policy
  3. Consistent records - EHLO hostname should match PTR record

Example Email Server Configuration

PTR Record:

; 2001:db8:1234::25
5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa.  IN  PTR  mail.example.com.

Forward Record (AAAA):

mail.example.com.    IN  AAAA  2001:db8:1234::25

SPF Record:

example.com.  IN  TXT  "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1234::/48 -all"

Verification for Mail Servers

Major email providers check reverse DNS:

Verification Methods

Using dig Command

The most reliable verification method uses the dig command with the -x flag:

# Basic reverse lookup
dig -x 2001:db8:1234:5678::1

# Query specific nameserver
dig -x 2001:db8:1234:5678::1 @8.8.8.8

# Short output
dig -x 2001:db8:1234:5678::1 +short

Expected output:

server1.example.com.

Using nslookup Command

nslookup 2001:db8:1234:5678::1

Expected output:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa
    name = server1.example.com.

Using host Command

host 2001:db8:1234:5678::1

Expected output:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa domain name pointer server1.example.com.

Verifying Forward-Confirmed Reverse DNS

To ensure FCrDNS is properly configured:

# Step 1: Get the hostname from the reverse lookup
# (lowercase name avoids overwriting the shell's own HOSTNAME variable)
ptr_name=$(dig -x 2001:db8:1234:5678::1 +short)

# Step 2: Look up the IPv6 address for that hostname
dig "$ptr_name" AAAA +short

# Should return: 2001:db8:1234:5678::1
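
The forward-confirmed check above can also be run offline against exported record data, which is useful for auditing a whole zone before deployment. This Python example is added here and is not from the original guide; the function names and the record dictionaries are constructed for illustration.

```python
import ipaddress

HEX = set("0123456789abcdef")

def arpa_to_address(name: str) -> ipaddress.IPv6Address:
    """Convert a full 32-nibble ip6.arpa name back to the IPv6 address."""
    labels = name.lower().rstrip(".").split(".")
    nibbles, suffix = labels[:-2], labels[-2:]
    if suffix != ["ip6", "arpa"] or len(nibbles) != 32:
        raise ValueError(f"not a host-level ip6.arpa name: {name}")
    if any(n not in HEX for n in nibbles):  # each label must be one hex digit
        raise ValueError(f"invalid nibble label in {name}")
    # The name is least-significant nibble first, so reverse before parsing.
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def fcrdns_report(ptr: dict, aaaa: dict) -> dict:
    """Classify each PTR as 'ok', 'mismatch' or 'no-forward'."""
    # ptr: ip6.arpa owner -> PTR target; aaaa: hostname -> list of addresses.
    # Hostnames compare case-insensitively, ignoring the trailing dot.
    forward = {h.lower().rstrip("."): {ipaddress.IPv6Address(a) for a in addrs}
               for h, addrs in aaaa.items()}
    report = {}
    for owner, target in ptr.items():
        addr = arpa_to_address(owner)
        found = forward.get(target.lower().rstrip("."), set())
        if not found:
            report[str(addr)] = "no-forward"   # PTR target has no AAAA at all
        elif addr in found:
            report[str(addr)] = "ok"           # forward lookup confirms the PTR
        else:
            report[str(addr)] = "mismatch"     # AAAA exists but points elsewhere
    return report

def arpa_name(addr: str) -> str:
    """Helper for building the constructed sample below."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

# Constructed sample records (documentation prefix, not real data).
SAMPLE_PTR = {
    arpa_name("2001:db8:1234::25"): "mail.example.com.",
    arpa_name("2001:db8:1234:5678::1"): "server1.example.com.",
    arpa_name("2001:db8:1234:5678::10"): "server2.example.com.",
}
SAMPLE_AAAA = {
    "mail.example.com.": ["2001:db8:1234::25"],
    "server1.example.com.": ["2001:db8:1234:5678::2"],  # stale forward record
}
```

Calling `fcrdns_report(SAMPLE_PTR, SAMPLE_AAAA)` flags the stale AAAA for server1 as a mismatch and the missing AAAA for server2 as no-forward, the two cases the two-step dig check would otherwise have to catch one address at a time.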

Online Verification Tools

Several online tools can verify your IPv6 reverse DNS configuration:

Debugging Failed Lookups

If reverse DNS is not working:

  1. Check zone delegation:

    dig NS 8.b.d.0.1.0.0.2.ip6.arpa
    
  2. Query authoritative nameserver directly:

    dig -x 2001:db8:1234:5678::1 @ns1.example.com
    
  3. Verify zone serial number updated:

    dig SOA 8.b.d.0.1.0.0.2.ip6.arpa
    
  4. Check for DNSSEC issues:

    dig -x 2001:db8:1234:5678::1 +dnssec
    
  5. Test from multiple resolvers:

    dig -x 2001:db8:1234:5678::1 @8.8.8.8        # Google
    dig -x 2001:db8:1234:5678::1 @1.1.1.1        # Cloudflare
    dig -x 2001:db8:1234:5678::1 @208.67.222.222 # OpenDNS
    

Best Practices and Common Pitfalls

Best Practices

  1. Use automation - The vast IPv6 space makes manual configuration impractical at scale
  2. Implement FCrDNS - Ensure forward and reverse records match
  3. Document your zones - Keep clear records of your reverse DNS configuration
  4. Monitor expiration - Set up alerts for zone serial number updates
  5. Test before deployment - Verify records work before putting services into production
  6. Use dynamic DNS - For frequently changing environments, consider dynamic DNS solutions
  7. Delegate to customers - ISPs should delegate reverse DNS to enterprise customers when possible

Common Pitfalls

  1. Non-nibble boundaries - Attempting delegation at /52 or /60 instead of /48 or /64
  2. Typos in nibble format - Easy to make mistakes with 32-character reversed names
  3. Forgetting the trailing dot - Hostnames in PTR records should end with a dot (e.g., example.com.); without it, the zone origin is appended to the name
  4. Inconsistent records - Forward and reverse DNS not matching
  5. Missing NS records - Delegation not properly configured at parent zone
  6. Firewall blocking UDP/53 - DNS queries unable to reach nameservers
  7. Neglecting IPv6 - Configuring IPv4 reverse DNS but ignoring IPv6

Scaling Considerations

The enormous size of IPv6 address space creates unique challenges:

Conclusion

Configuring IPv6 reverse DNS requires understanding the nibble format, proper zone delegation, and coordination with your ISP or hosting provider. While the concepts are similar to IPv4, the scale and complexity of IPv6 addressing demand more careful planning and often automation.

For most users, the simplest path is using ISP-provided reverse DNS management tools or requesting delegation to your own nameservers for larger deployments. Email server operators should prioritize forward-confirmed reverse DNS to ensure deliverability.

Before configuring reverse DNS, always verify your IPv6 connectivity is working correctly using tools like test-ipv6.run. Proper reverse DNS configuration, combined with good IPv6 connectivity, ensures your services are accessible and trusted across the modern internet.
