How to really set up reverse DNS for a droplet.

July 1, 2015
DNS Email FreeBSD

In order to have one's emails processed correctly, a valid reverse DNS entry is needed. Supposedly, a reverse DNS entry is automatically created using the name that is given to a droplet, and when you change it, the new name is associated with the IP address. In doing an "nslookup" on the IP address for my droplet, the following message is displayed:

** server can't find 000.000.000.000.in-addr.arpa.: NXDOMAIN

I do have my own DNS servers where forward DNS for the droplet resides. What is the correct way to have a valid reverse DNS entry created?

1 Answer

Are you sure you're doing the NS Lookup correctly?

Here's an example:

nslookup
Default Server:  8.8.8.8
Address:  8.8.8.8

> set type=PTR
> 1.2.3.4
Non-authoritative answer:
Server:  8.8.8.8
Address:  8.8.8.8

4.3.2.1.in-addr.arpa     name = example.com

As you can see, I do this:

set type=PTR

EDIT I didn't really answer your question, did I?

If you did the lookup correctly, and the PTR isn't reflecting for that IP address, it will either be due to your DNS caching server, or an issue at DO. If you're sure it's not working (check here), open a ticket with DO support.
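The answer above shows how to ask for the PTR record by hand. The check a receiving mail server actually applies goes one step further: it resolves the PTR name forward again and requires the original IP to come back (forward-confirmed reverse DNS). The script below, an added example rather than code from the original post or from DigitalOcean, builds the `in-addr.arpa` / `ip6.arpa` owner name the way `nslookup` and `host` do, follows the CNAME that an RFC 2317 classless reverse delegation returns (the `122.64/26.45.150.12.in-addr.arpa` shape seen later in this thread), and separates a missing record (NXDOMAIN) from a resolver that will not answer (REFUSED, which is what `host` printed from inside the droplet). The resolver it queries is a hand-built table of constructed answers on RFC 5737/3849 documentation addresses, so it runs offline; `fake_lookup`, `FAKE_ZONE` and the example host names are assumptions for illustration only.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check a receiving mail
server applies to a sending IP.  Added example, not from the original
post or from DigitalOcean.  The resolver is a hand-built stand-in on
constructed data (RFC 5737/3849 documentation addresses) so it runs
offline; swap `fake_lookup` for a real resolver to test a live IP."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# DNS rcodes as `host` prints them: "3(NXDOMAIN)", "5(REFUSED)"
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5

Answer = Tuple[int, List[str]]            # (rcode, rdata list)
Lookup = Callable[[str, str], Answer]     # (owner name, rrtype) -> Answer


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record: 1.2.3.4 -> 4.3.2.1.in-addr.arpa;
    IPv6 -> nibble-reversed name under ip6.arpa (stdlib does the work)."""
    return ipaddress.ip_address(ip).reverse_pointer


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


# Constructed zone data (assumption: illustrative only).
# Keys are (owner, rrtype); values are (rcode, rdata).
FAKE_ZONE: Dict[Tuple[str, str], Answer] = {
    # healthy mail host: PTR and A agree
    (reverse_name("192.0.2.10"), "PTR"): (NOERROR, ["mail.example.com"]),
    ("mail.example.com", "A"): (NOERROR, ["192.0.2.10"]),
    # PTR exists but the name points somewhere else: forward mismatch
    (reverse_name("192.0.2.30"), "PTR"): (NOERROR, ["other.example.net"]),
    ("other.example.net", "A"): (NOERROR, ["192.0.2.99"]),
    # resolver refuses recursion (what `host` showed inside the droplet)
    (reverse_name("192.0.2.40"), "PTR"): (REFUSED, []),
    # RFC 2317 classless delegation: the PTR query hits a CNAME first
    (reverse_name("192.0.2.70"), "CNAME"): (NOERROR, ["70.64/26.2.0.192.in-addr.arpa"]),
    ("70.64/26.2.0.192.in-addr.arpa", "PTR"): (NOERROR, ["www1.example.com"]),
    ("www1.example.com", "A"): (NOERROR, ["192.0.2.70"]),
    # IPv6 mail host
    (reverse_name("2001:db8::25"), "PTR"): (NOERROR, ["mail6.example.com"]),
    ("mail6.example.com", "AAAA"): (NOERROR, ["2001:db8::25"]),
}
# 192.0.2.20 deliberately has no entry at all -> NXDOMAIN


def fake_lookup(owner: str, rrtype: str) -> Answer:
    """Stand-in resolver: NXDOMAIN if the name is unknown, NODATA
    (NOERROR with no rdata) if it exists but lacks the requested type."""
    key = (_norm(owner), rrtype)
    if key in FAKE_ZONE:
        return FAKE_ZONE[key]
    if any(n == key[0] for n, _ in FAKE_ZONE):
        return NOERROR, []
    return NXDOMAIN, []


def resolve(owner: str, rrtype: str, lookup: Lookup, max_cname: int = 8) -> Answer:
    """Query and follow CNAME chains, as a real resolver does when a
    reverse zone is delegated with RFC 2317 CNAMEs."""
    name = _norm(owner)
    for _ in range(max_cname):
        rcode, rdata = lookup(name, rrtype)
        if rcode != NOERROR or rdata:
            return rcode, rdata
        rcode, cname = lookup(name, "CNAME")      # NODATA: maybe an alias
        if rcode != NOERROR or not cname:
            return NOERROR, []
        name = _norm(cname[0])
    raise RuntimeError("CNAME chain longer than %d" % max_cname)


def fcrdns(ip: str, lookup: Lookup) -> Tuple[str, List[str]]:
    """Return (status, names).  'ok' means at least one PTR name resolves
    back to the IP; 'refused' is a resolver problem, not a zone problem."""
    addr = ipaddress.ip_address(ip)
    rcode, names = resolve(reverse_name(ip), "PTR", lookup)
    if rcode == REFUSED:
        return "refused", []
    if rcode != NOERROR or not names:
        return "no-ptr", []
    fwd_type = "AAAA" if addr.version == 6 else "A"
    confirmed = []
    for n in names:
        _, addrs = resolve(n, fwd_type, lookup)
        if any(ipaddress.ip_address(a) == addr for a in addrs):
            confirmed.append(_norm(n))
    if confirmed:
        return "ok", confirmed
    return "forward-mismatch", [_norm(n) for n in names]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30",
               "192.0.2.40", "192.0.2.70", "2001:db8::25"):
        print(ip, reverse_name(ip), *fcrdns(ip, fake_lookup))
```

A `refused` result from inside the droplet means the resolver in `/etc/resolv.conf` will not recurse for you and says nothing about whether the PTR exists; repeat the query against a public recursive resolver before opening a ticket. A `no-ptr` from a public resolver that persists past the zone's negative-cache TTL is the case that belongs with the provider that owns the address block.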

  • Setting type=PTR gets the same result! This is the lookup using "host:"

    host 12.34.56.78
    Host 87.65.43.21.in-addr.arpa not found: 3(NXDOMAIN)

    And here it is when executed in the droplet:

    host 12.34.56.78
    Host 87.65.43.21.in-addr.arpa not found: 5(REFUSED)

    NSLOOKUP is not available with FreeBSD 10.1.

    One of my domains is: elib.com ... the droplet name is db.elib.com.

    Using the tool you suggest, it responds:

    No PTR record found
    Reported by ns2.digitalocean.com on 7/1/2015 at 9:21:46 AM (UTC -5),

  • elib.com points to 216.150.225.22, and:

    ~ ➤ host 216.150.225.22
    22.225.150.216.in-addr.arpa domain name pointer www.elib.com.
    

    It looks like it's working properly? Or are you talking about a different droplet? db.elib.com does not resolve to anything.

  • Unfortunately, it sounds like you'll need to get in touch with DO support.

  • Well, this just got interesting.

    ping db.elib.com
    PING db.elib.com.com (54.201.82.69) 56(84) bytes of data.
    ^C
    --- db.elib.com.com ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 97ms
    
    user@host:~# nslookup
    > set type=PTR
    > 54.201.82.69
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    Non-authoritative answer:
    69.82.201.54.in-addr.arpa       name = ec2-54-201-82-69.us-west-2.compute.amazonaws.com.
    
    Authoritative answers can be found from:
    >
    

    That was for db.elib.com. It shows that db.elib.com goes back to amazon, not DO.

    Now, on to your TLD:

    > elib.com
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    Non-authoritative answer:
    *** Can't find elib.com: No answer
    
    Authoritative answers can be found from:
    elib.com
            origin = dns.elib.com
            mail addr = elibrarian.elib.com
            serial = 2015062901
            refresh = 3600
            retry = 900
            expire = 1209600
            minimum = 3600
    > 
    
    user@host:~# ping elib.com
    PING elib.com (12.150.45.122) 56(84) bytes of data.
    64 bytes from www1.elib.com (12.150.45.122): icmp_seq=1 ttl=52 time=66.3 ms
    ^C
    --- elib.com ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 340ms
    rtt min/avg/max/mdev = 66.300/66.300/66.300/0.000 ms
    user@host:~# nslookup
    > set type=PTR
    > 12.150.45.122
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    Non-authoritative answer:
    122.45.150.12.in-addr.arpa      canonical name = 122.64/26.45.150.12.in-addr.arpa.
    122.64/26.45.150.12.in-addr.arpa        name = www1.elib.com.
    
    Authoritative answers can be found from:
    >
    

    OK, so your DNS for elib.com is handled by dns.elib.com. Let's check that sub-domain:

    user@host:~# ping dns.elib.com
    PING dns.elib.com (216.150.225.16) 56(84) bytes of data.
    64 bytes from dns.elib.com (216.150.225.16): icmp_seq=1 ttl=53 time=83.5 ms
    ^C
    --- dns.elib.com ping statistics ---
    2 packets transmitted, 1 received, 50% packet loss, time 1049ms
    rtt min/avg/max/mdev = 83.529/83.529/83.529/0.000 ms
    user@host:~# nslookup
    > set type=PTR
    > 216.150.225.16
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    Non-authoritative answer:
    16.225.150.216.in-addr.arpa     name = dns.elib.com.
    
    Authoritative answers can be found from:
    >
    

    Well, that one looks fine. So, the sub-domain that you're having an issue with isn't handled by DO, but by AWS, so you'll need to ask them for help with this one.

    Oh, and @kamaln7, thanks. I missed that they had provided their domain in the last message.

    EDIT: doh! My ping went to db.elib.com.com.

    @kamaln7 is correct. db.elib.com doesn't exist:

    > set type=A
    > db.elib.com
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    ** server can't find db.elib.com: NXDOMAIN
    >
    

    Now, when I do a lookup against your DNS server:

     nslookup db.elib.com dns.elib.com
    Server:         dns.elib.com
    Address:        12.150.45.116#53
    
    Name:   db.elib.com
    Address: 45.55.232.68
    

    OK, so your DNS server sees it. This makes me wonder....

    whois elib.com
    
    .................
    Name Server: EGMONT.ELIB.COM
    Name Server: DNS.ELIB.COM
    

    OK, so what does EGMONT.ELIB.COM say when queried?

    nslookup db.elib.com egmont.elib.com
    Server:         egmont.elib.com
    Address:        12.150.45.118#53
    
    Name:   db.elib.com
    Address: 45.55.232.68
    

    OK, so that works.

    Hm...

    nslookup db.elib.com
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    Non-authoritative answer:
    Name:   db.elib.com
    Address: 45.55.232.68
    

    Ahh. There we go. So, now it's down to PTR records:

    user@host:~# nslookup
    > set type=PTR
    > 45.55.232.68
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    ** server can't find 68.232.55.45.in-addr.arpa.: NXDOMAIN
    

    OK, so we're now back to DO support with this one.

    The reason for the NXDOMAIN on the A record, if I had to guess, would be that the change hadn't propagated.

  • The address for elib.com you report is about a year old! It was discontinued as we do not have that set of IP addresses, now. It appears the Domain Name Servers you use are woefully out of date. Try this:

    nslookup elib.com dns.elib.com
    or
    host elib.com dns.elib.com
    Using domain server:
    Name: dns.elib.com
    Address: 12.150.45.116#53
    Aliases:

    elib.com has address 12.150.45.122

    And:

    host db.elib.com dns.elib.com
    Using domain server:
    Name: dns.elib.com
    Address: 12.150.45.116#53
    Aliases:

    db.elib.com has address 45.55.232.68

    Please check the names you are looking up: dns.elib.com.com is not valid.

  • I edited my last comment with more info.

    Also, I use Google DNS to test against because it's one of the largest ones out there. If I have an issue with it, that's a big problem for you. As of 3 years ago, Google public DNS served 70 billion requests per day. This means if Google has your DNS wrong, there's going to be issues for your customers/viewers to reach you. Period.

    Now, your TTL for your site is set to ~ 6 hours (21599 seconds, where 6 hours is 21600), so any changes will take up to 6 hours to propagate.

    How it retrieved an IP a year old is beyond me.
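The back-and-forth above is really one procedure: read the NS set of record, ask each authoritative server directly, ask a public recursive resolver, and compare, so that a zone problem (the authoritative servers disagree) is kept apart from a cache problem (the authoritative servers agree and only the recursive resolver is behind, which clears itself once the cached TTL runs out). The script below is an added example, not code from the original post or from DigitalOcean; `FAKE_ANSWERS`, `fake_query`, the `ns1`/`ns2.example.com` servers and the documentation addresses are constructed data standing in for real `nslookup <name> <server>` runs.

```python
"""Cache problem or zone problem?  Compare the answer from each name
server of record with a public recursive resolver, the walk the thread
did by hand with whois and nslookup.  Added example, not from the
original post or from DigitalOcean; FAKE_ANSWERS is constructed data
(RFC 5737 documentation addresses, example.com), not live DNS."""
from typing import Callable, Dict, FrozenSet, List, Tuple

NOERROR, NXDOMAIN = 0, 3
Answer = Tuple[int, List[str], int]              # (rcode, rdata, remaining TTL)
Query = Callable[[str, str, str], Answer]        # (server, qname, qtype) -> Answer

AUTH = ["ns1.example.com", "ns2.example.com"]    # NS set from whois / NS RRset
RECURSIVE = "recursive"                          # stands in for 8.8.8.8

FAKE_ANSWERS: Dict[Tuple[str, str, str], Answer] = {
    # zone is right, recursive still holds a cached negative answer
    (AUTH[0], "db.example.com", "A"): (NOERROR, ["192.0.2.68"], 21600),
    (AUTH[1], "db.example.com", "A"): (NOERROR, ["192.0.2.68"], 21600),
    (RECURSIVE, "db.example.com", "A"): (NXDOMAIN, [], 1800),
    # zone is right, recursive still serves an old address
    (AUTH[0], "example.com", "A"): (NOERROR, ["192.0.2.122"], 21600),
    (AUTH[1], "example.com", "A"): (NOERROR, ["192.0.2.122"], 21600),
    (RECURSIVE, "example.com", "A"): (NOERROR, ["198.51.100.22"], 21599),
    # the two authoritative servers disagree: zone transfer / serial problem
    (AUTH[0], "www.example.com", "A"): (NOERROR, ["192.0.2.5"], 300),
    (AUTH[1], "www.example.com", "A"): (NOERROR, ["192.0.2.6"], 300),
    (RECURSIVE, "www.example.com", "A"): (NOERROR, ["192.0.2.5"], 120),
}


def fake_query(server: str, qname: str, qtype: str) -> Answer:
    """Anything not in the table does not exist on any server."""
    return FAKE_ANSWERS.get((server, qname.lower().rstrip("."), qtype), (NXDOMAIN, [], 0))


def diagnose(qname: str, auth_servers: List[str], recursive: str,
             query: Query, qtype: str = "A") -> Dict[str, object]:
    """Classify a discrepancy.  'max_wait_seconds' is the recursive
    resolver's remaining TTL on the answer it is still serving; after
    that it has to go back to the authoritative servers."""
    auth: Dict[str, Tuple[int, FrozenSet[str]]] = {}
    for ns in auth_servers:
        rc, rd, _ = query(ns, qname, qtype)
        auth[ns] = (rc, frozenset(rd))
    if len(set(auth.values())) > 1:
        return {"verdict": "authoritative-mismatch",
                "authoritative": {ns: sorted(rd) for ns, (_, rd) in auth.items()},
                "max_wait_seconds": None}
    rc_auth, rd_auth = next(iter(auth.values()))
    rc_rec, rd_rec, ttl = query(recursive, qname, qtype)
    if rc_rec == NXDOMAIN and rc_auth == NOERROR:
        verdict = "negative-cached"      # resolver cached the old NXDOMAIN
    elif frozenset(rd_rec) != rd_auth:
        verdict = "stale-cache"          # resolver still serves the old RRset
    else:
        verdict = "consistent"           # includes "NXDOMAIN everywhere"
    return {"verdict": verdict,
            "authoritative": sorted(rd_auth),
            "recursive": sorted(rd_rec),
            "max_wait_seconds": 0 if verdict == "consistent" else ttl}


if __name__ == "__main__":
    for name in ("db.example.com", "example.com", "www.example.com", "gone.example.com"):
        print(name, diagnose(name, AUTH, RECURSIVE, fake_query))
```

Only the `authoritative-mismatch` verdict points at the zone itself (compare the SOA serials the two servers return); the other two resolve on their own within the remaining TTL, which is why a freshly changed record with a 21599-second TTL can look wrong from a public resolver for up to six hours.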
