
I was looking at the reverse DNS queries in .pcap files and figured out that their PTR record format might vary. Namely, these are the last element from each line.

I can easily identify IPv4 addresses and reverse them. For example: 46.32.251.142.in-addr.arpa. becomes 142.251.32.46.

However, I see a lot of entries with more dots, such as: 80.64.132.178.203.in-addr.arpa. --> Question 1: is it possible to extract an IPv4 address from it?

In addition, I encountered (incomplete?) IPv6 addresses such as 9.4.3.a.0.0.2.0.1.0.0.2.ip6.arpa. --> Question 2: is this somehow related to a prefixed address such as: 2001:0200:a349::/48?

Note: I have seen the related question "Convert IPV6 to nibble format for PTR records", but it rather argues about the mechanisms of how to treat a special case, which I do not encounter.

NiRvanA

1 Answer


However, I see a lot of entries with more dots, such as: 80.64.132.178.203.in-addr.arpa. --> Question 1: is it possible to extract an IPv4 address from it?

Those are not valid IPv4 rDNS entries. While legal in DNS, they do not have a standard meaning – could be a mistake in someone's rDNS zone generation, etc. – so there is no standard way to extract a standard address from them either.

In addition, I encountered (incomplete?) IPv6 addresses such as 9.4.3.a.0.0.2.0.1.0.0.2.ip6.arpa. --> Question 2: is this somehow related to a prefixed address such as: 2001:0200:a349::/48?

Yes, it could simply be the zone root for a /48. Zone delegation in rDNS works the same way as in regular DNS; if you have a /48, you would set up 9.4.3.a.0.0.2.0.1.0.0.2.ip6.arpa as a zone in your server.

(The same goes for in-addr.arpa; a short domain such as 30.20.10.in-addr.arpa could be the root of an ordinary rDNS zone for a /24. It's only the overly long domains as in your 1st example that are meaningless.)

user1686
  • Well, I am not sure if Question 1 is a mistake. More than half of my PTR records are in this exact format. I observed that the first subcomponent is always bigger than the second - here 80 > 64. I found this https://flylib.com/books/en/2.684.1/delegating_reverse_mapping_for_networks_smaller_than_a_24.html, but cannot find an explicit example either in this blog or in the RFC. I am starting to speculate it is some zone like 203.178.132.64-80 ... – NiRvanA Aug 09 '23 at 08:45
  • Those examples have a dash, not a dot. That's a bit different. (I'll update the answer regarding those later, but in short it's an internal thing used for CIDR delegation – it is usually not visible to end users, so the format is not set in stone.) – user1686 Aug 09 '23 at 09:03
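The distinction drawn in the answer above (full address, shorter zone root, overly long name with no standard meaning) can be applied mechanically when triaging PTR query names pulled from a capture. This is an added example, not part of the original question or answer; the function name `classify_ptr_name` and the result labels are hypothetical, and the sample names are the ones quoted on this page.

```python
import ipaddress

HEX = "0123456789abcdef"

def classify_ptr_name(qname):
    """Return (kind, value): 'host' = full address, 'zone' = shorter name read
    as a prefix, 'nonstandard' = no standard address meaning, 'other'."""
    labels = qname.rstrip(".").lower().split(".")
    suffix, rev = labels[-2:], labels[:-2][::-1]  # rev: most significant first
    if suffix == ["in-addr", "arpa"]:
        # Standard names carry 1 to 4 labels, each a plain decimal octet.
        octets_ok = all(l.isascii() and l.isdigit() and len(l) <= 3
                        and int(l) <= 255 for l in rev)
        if not (1 <= len(rev) <= 4 and octets_ok):
            return ("nonstandard", None)
        octets = [str(int(l)) for l in rev] + ["0"] * (4 - len(rev))
        if len(rev) == 4:
            return ("host", ipaddress.IPv4Address(".".join(octets)))
        return ("zone", ipaddress.IPv4Network((".".join(octets), 8 * len(rev))))
    if suffix == ["ip6", "arpa"]:
        # Standard names carry 1 to 32 labels, each a single hex nibble.
        nibbles_ok = all(len(l) == 1 and l in HEX for l in rev)
        if not (1 <= len(rev) <= 32 and nibbles_ok):
            return ("nonstandard", None)
        value = int("".join(rev).ljust(32, "0"), 16)  # zero-fill the host part
        if len(rev) == 32:
            return ("host", ipaddress.IPv6Address(value))
        return ("zone", ipaddress.IPv6Network((value, 4 * len(rev))))
    return ("other", None)

if __name__ == "__main__":
    # Query names quoted in the question and answer on this page.
    samples = [
        "46.32.251.142.in-addr.arpa.",
        "80.64.132.178.203.in-addr.arpa.",
        "9.4.3.a.0.0.2.0.1.0.0.2.ip6.arpa.",
        "30.20.10.in-addr.arpa",
    ]
    for name in samples:
        kind, value = classify_ptr_name(name)
        print(f"{name:40} {kind:12} {value}")
```

Names reported as `nonstandard` are kept as raw strings rather than forced into an address, which matches the answer's point that there is no standard way to decode them.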