A reverse lookup zone is an authoritative Domain Name System (DNS) zone that maps an IP address to one or more domain names. Think of it as a shared home phone number: dialing that single number can reach anyone who lives in the same house.

While it is easier for people to remember site names (domain names like microsoft[.]com) than sets of numbers (IP addresses like 104[.]215[.]148[.]63), reverse lookup zones are still necessary for cybersecurity investigations. The reason is that most people, and even many companies (especially small and medium-sized businesses [SMBs]), use shared IP addresses. Most IP addresses have more than one user, which means several domains are connected to each one.


A reverse lookup zone is the opposite of a forward lookup zone. A reverse lookup zone translates an IP address into one or more domain names. A forward lookup zone, meanwhile, turns a domain name into an IP address.

Before moving onto the nitty-gritty of reverse lookup zones, let’s define some technical terms first.

What Terms Should You Know to Understand What a Reverse Lookup Zone Is?

Here are some basic tech terms related to a reverse lookup zone:

  • Authoritative: In the context of DNS, this term refers to the server that holds the official records for a zone, whether those records map a domain name to an IP address (forward lookup) or an IP address to a domain name (reverse lookup).
  • DNS: Dubbed the Internet’s phonebook, it translates domain names into IP addresses and vice versa.
  • IP address: A unique address that identifies a specific device on the Web or a local network. Internet Protocol (IP) refers to the rules that state how data must be formatted to be sent over the Internet or a local network.
  • Domain name: The human-readable name that stands in for an IP address. It typically contains the name of the company that owns it.
  • Fully qualified domain name (FQDN): The complete version of a domain name. An example would be www[.]microsoft[.]com, the FQDN version of microsoft[.]com.

How Does a Reverse Lookup Zone Work?

To perform a reverse lookup, users enter an IP address into a reverse IP lookup tool. Keying the IP address 104[.]215[.]148[.]63 into the search bar would tell you that its corresponding FQDN is www[.]microsoft[.]com.

In the background, the tool asks a DNS server which FQDN the IP address points to in its reverse lookup zone. If the server has that on record, it returns the corresponding FQDN.

What Is a PTR Record and Why Does a Reverse Lookup Zone Need It?

A pointer (PTR) record lets a receiving server check whether an email really comes from the IP address it claims to use, which makes it a useful cybersecurity tool. When a message arrives, your mail server looks up the PTR record for the IP address that delivered it. The PTR record names the sender’s mail server, and that server’s domain should match the FQDN the IP address resolves to. If they don’t match, the sender could be spoofing someone else’s domain, a common tactic in phishing and other malware-based attacks.

Reverse lookups use PTR records as sender IDs. Note that secure mail servers typically don’t accept messages from senders whose IP addresses don’t match those indicated in their PTR records.
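The two steps above (building the reverse-zone name for an IP and then checking the PTR result against the forward zone the way a receiving mail server does) as an added example, not code from the original article. It runs against constructed in-memory sample zones; the hostnames, the documentation-range IPs (192.0.2.x, 198.51.100.x, 203.0.113.x, 2001:db8::) and the lookup functions are all assumptions, and it also handles IPv6 names under ip6.arpa, which the article does not cover.

```python
import ipaddress
from typing import Callable, Dict, List
Lookup = Callable[[str], List[str]]

# Constructed sample zones (not real DNS data). The reverse zone holds PTR records
# keyed by their in-addr.arpa / ip6.arpa owner name; the forward zone holds A/AAAA
# records keyed by hostname. 192.0.2.10 is a shared IP with two hosted domains.
SAMPLE_PTR: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa": ["mail.example.org", "shop.example.org"],
    "7.100.51.198.in-addr.arpa": ["mx.example.com"],
    ipaddress.ip_address("2001:db8::1").reverse_pointer: ["v6.example.org"],
}
SAMPLE_FWD: Dict[str, List[str]] = {
    "mail.example.org": ["192.0.2.10"],
    "shop.example.org": ["192.0.2.10"],
    "mx.example.com": ["203.0.113.5"],   # forward record does not point back at the IP
    "v6.example.org": ["2001:db8::1"],
}

def sample_ptr_lookup(name: str) -> List[str]:
    return SAMPLE_PTR.get(name, [])
def sample_fwd_lookup(host: str) -> List[str]:
    return SAMPLE_FWD.get(host, [])

def reverse_name(ip: str) -> str:
    """Owner name queried for PTR records: octets reversed under in-addr.arpa (IPv4), nibbles reversed under ip6.arpa (IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer

def reverse_lookup(ip: str, ptr: Lookup = sample_ptr_lookup) -> List[str]:
    """Every hostname the reverse zone lists for the IP (several on shared hosting)."""
    return ptr(reverse_name(ip))

def forward_confirmed(ip: str, ptr: Lookup = sample_ptr_lookup,
                      fwd: Lookup = sample_fwd_lookup) -> List[str]:
    """Keep only PTR names whose forward records resolve back to the same IP. Whoever
    controls a reverse zone can publish any name, so the forward zone must agree."""
    target = ipaddress.ip_address(ip)
    return [h for h in reverse_lookup(ip, ptr)
            if any(ipaddress.ip_address(a) == target for a in fwd(h))]

def check_sender(ip: str, claimed_domain: str, ptr: Lookup = sample_ptr_lookup,
                 fwd: Lookup = sample_fwd_lookup) -> str:
    """Receiving-server policy: no PTR or an unconfirmed PTR is rejected; a confirmed PTR under another domain is flagged."""
    if not reverse_lookup(ip, ptr):
        return "reject: no PTR record"
    confirmed = forward_confirmed(ip, ptr, fwd)
    if not confirmed:
        return "reject: PTR not forward-confirmed"
    if any(h == claimed_domain or h.endswith("." + claimed_domain) for h in confirmed):
        return "accept"
    return "suspicious: PTR does not match claimed domain"
```

To run the same checks against live DNS, pass lookups built on the standard library's socket.gethostbyaddr and socket.gethostbyname_ex in place of the sample ones.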

A PTR record is created by filling in a form such as the one shown in the DNS console documentation referenced below:

Source: https://support.huaweicloud.com/intl/en-us/usermanual-dns/en-us_topic_0077500015.html

What Can You Use Reverse Lookup Zones For?

As mentioned earlier, reverse lookup zones have a lot to do with cybersecurity.

Email servers use them to keep spammers and other cybercriminals out. Reverse lookups check senders’ PTR records to see whether messages really originate from the mail servers they claim to come from.

Reverse lookups also let recipients log the data obtained from PTR records, which helps when determining likely threat sources. Users can pinpoint which IP addresses are at fault should a malware infection occur. They can also identify all the domains hosted on an IP address and block those individually if they don’t want to enable IP-level filtering.

For cybersecurity professionals, reverse lookups help identify other potential threat sources. All the domains that share an IP host can be run through malware checks, and those flagged as “malicious” can then be blocked individually.

Now you know what a reverse lookup zone is, how it works, and what it is for. You have also seen how it helps strengthen cybersecurity.