Reverse Zones for CIDR Delegation

Minimal reverse DNS zones needed to properly delegate IPv4 and IPv6 CIDR blocks with practical examples.

What are Reverse Zones?

Reverse DNS zones map IP addresses back to domain names using special domains (.in-addr.arpa for IPv4, .ip6.arpa for IPv6). When you're delegated a CIDR block, you need to create the corresponding reverse zones for proper DNS operation. Reverse zones are essential for mail servers, logging, security tools, and network troubleshooting.

How Reverse Delegation Works

Your ISP or RIR delegates reverse DNS authority for your IP blocks to your DNS servers. You then create the reverse zones and populate them with PTR records that map IP addresses to hostnames. The delegation happens at specific boundaries that align with IP addressing hierarchy.

IPv4 Reverse Zones (in-addr.arpa)

Classful Boundaries (Octet-Aligned)

CIDR | Example | Reverse Zone | Description | Delegation
/8 | 10.0.0.0/8 | 10.in-addr.arpa | Entire Class A network | Usually handled by RIRs, not end users
/16 | 172.16.0.0/16 | 16.172.in-addr.arpa | Class B network | Large organizations or ISPs
/24 | 192.168.1.0/24 | 1.168.192.in-addr.arpa | Class C network - most common delegation | Standard small business / organization

Classless Delegation (CNAME Method)

/25 - 203.0.113.0/25
Addresses: 128 addresses
Problem: Doesn't align with octet boundaries
Solution: Use CNAME delegation with bit notation
Zone Names:
0-25.113.0.203.in-addr.arpa
1-25.113.0.203.in-addr.arpa
/26 - 203.0.113.64/26
Addresses: 64 addresses
Problem: Quarter of /24, doesn't align with octets
Solution: CNAME delegation for 64-127 range
Zone Names:
64-26.113.0.203.in-addr.arpa
/27 - 203.0.113.128/27
Addresses: 32 addresses
Problem: Eighth of /24, complex delegation
Solution: CNAME delegation with range notation
Zone Names:
128-27.113.0.203.in-addr.arpa
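
The records behind the CNAME method, as an added example (not from the original page): this generates what the ISP places in the parent /24 zone for a classless block, using the first-address-dash-prefix naming shown above. The name servers ns1/ns2.example.com stand in for the customer's servers and are assumptions.

```python
import ipaddress

def classless_delegation(cidr, nameservers):
    """Build the records an ISP adds to the parent /24 reverse zone.

    Returns (child_zone, parent_records). The child zone label follows the
    naming used above: first address of the block, a dash, the prefix length.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("expects an IPv4 block from /25 to /31")
    a, b, c, d = str(net.network_address).split(".")
    parent = f"{c}.{b}.{a}.in-addr.arpa."
    label = f"{d}-{net.prefixlen}"
    child = f"{label}.{parent}"

    records = [f"$ORIGIN {parent}"]
    # Delegate the child zone to the customer's name servers (assumed names).
    records += [f"{label} IN NS {ns}" for ns in nameservers]
    # Alias every address of the block into the child zone, so a lookup of
    # 65.113.0.203.in-addr.arpa is answered from 65.64-26.113.0.203.in-addr.arpa.
    for addr in net:
        last = str(addr).rsplit(".", 1)[1]
        records.append(f"{last} IN CNAME {last}.{child}")
    return child, records

if __name__ == "__main__":
    child, records = classless_delegation(
        "203.0.113.64/26", ["ns1.example.com.", "ns2.example.com."])
    print("; customer serves PTR records from", child)
    print("\n".join(records[:5]))
    print("; ...", len(records) - 5, "more CNAME records")
```

The customer then serves the child zone and places ordinary PTR records in it (for example, owner 65 under 64-26.113.0.203.in-addr.arpa).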

Practical IPv4 Examples

Small Business with /24
Network: 192.0.2.0/24
Reverse Zone: 2.0.192.in-addr.arpa
PTR Records:
1.2.0.192.in-addr.arpa. IN PTR mail.example.com.
10.2.0.192.in-addr.arpa. IN PTR web.example.com.
50.2.0.192.in-addr.arpa. IN PTR server1.example.com.
Delegation: ISP delegates entire /24 reverse zone to customer DNS
Medium Business with /23
Network: 198.51.100.0/23
Reverse Zones:
100.51.198.in-addr.arpa
101.51.198.in-addr.arpa
Description: Two /24 reverse zones needed
Delegation: ISP delegates both zones or uses automation

IPv6 Reverse Zones (ip6.arpa)

Nibble Boundaries (4-bit Aligned)

CIDR | Example | Reverse Zone | Description | Delegation
/32 | 2001:db8::/32 | 8.b.d.0.1.0.0.2.ip6.arpa | Typical RIR allocation to ISP | RIR delegates to ISP
/48 | 2001:db8:1234::/48 | 4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa | Typical site allocation | ISP delegates to organization
/56 | 2001:db8:1234:ab00::/56 | 0.0.b.a.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa | Large home or small business | Common residential allocation
/64 | 2001:db8:1234:5678::/64 | 8.7.6.5.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa | Single subnet | Individual subnet reverse zone

Practical IPv6 Examples

Enterprise with /48
Network: 2001:db8:1234::/48
Master Zone: 4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa
Sub-zones:
0.0.0.0.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa (/64)
1.0.0.0.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa (/64)
a.b.c.d.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa (/64)
Management: Create master zone, delegate individual /64s as needed

Creating Reverse Zones

IPv4 Example (192.0.2.0/24)
Zone Name: 2.0.192.in-addr.arpa

Zone File:

$TTL 86400
2.0.192.in-addr.arpa.    IN    SOA    ns1.example.com. hostmaster.example.com. (
                                2024010101  ; serial
                                3600        ; refresh
                                1800        ; retry
                                1209600     ; expire
                                86400 )     ; minimum

                         IN    NS     ns1.example.com.
                         IN    NS     ns2.example.com.

1                        IN    PTR    mail.example.com.
10                       IN    PTR    web.example.com.
50                       IN    PTR    server1.example.com.
100                      IN    PTR    workstation.example.com.

Explanation:

  • Zone name is network reversed + in-addr.arpa
  • SOA record defines zone authority and parameters
  • NS records point to authoritative name servers
  • PTR records map IP to hostname (just last octet for /24)
IPv6 Example (2001:db8:1234::/48)
Zone Name: 4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa

Zone File:

$TTL 86400
4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa. IN SOA ns1.example.com. hostmaster.example.com. (
                                2024010101  ; serial
                                3600        ; refresh
                                1800        ; retry
                                1209600     ; expire
                                86400 )     ; minimum

                         IN    NS     ns1.example.com.
                         IN    NS     ns2.example.com.

; Delegate /64 subnets
0.0.0.0                  IN    NS     ns1.example.com.
0.0.0.0                  IN    NS     ns2.example.com.

1.0.0.0                  IN    NS     ns1.example.com.
1.0.0.0                  IN    NS     ns2.example.com.

Explanation:

  • Zone name is full prefix in nibble format + ip6.arpa
  • Each hex digit becomes separate label in reverse
  • Can delegate individual /64 subnets within /48
  • Much longer zone names than IPv4

Delegation Scenarios

ISP to Customer (/24)
Delegation: ISP adds NS records for customer's DNS servers in their reverse zone
Customer Actions:
  • Set up DNS servers with reverse zone
  • Create PTR records for important hosts
  • Test reverse lookups work correctly
ISP Actions:
  • Add NS delegation in parent zone
  • Update WHOIS records if required
  • Verify customer DNS servers are working
Organization Internal (/16 split)
Delegation: Large organization splits /16 into /24s for different departments
Process:
  1. Create master zone for entire /16
  2. Delegate individual /24s to department DNS servers
  3. Each department manages their own PTR records

Troubleshooting

Reverse lookups not working

Possible Causes: Zone not delegated, DNS server not responding, PTR records missing

Diagnosis: Use dig -x [ip] to test reverse resolution

Solution: Check delegation, verify DNS server config, add PTR records

Mail servers rejecting email

Possible Causes: Missing PTR record for mail server IP, PTR doesn't match HELO name

Diagnosis: Check mail server logs, test PTR record

Solution: Create PTR record that matches mail server hostname

IPv6 reverse lookups failing

Possible Causes: Complex nibble format errors, zone delegation issues

Diagnosis: Verify zone name format, test with dig -x

Solution: Double-check nibble format, verify IPv6 DNS configuration

Best Practices

  • Always create reverse zones for your allocated IP blocks
  • Ensure PTR records match forward DNS (A/AAAA records)
  • Use consistent naming conventions for reverse records
  • Monitor reverse DNS resolution for important services
  • Automate PTR record creation/updates where possible
  • Test reverse lookups from multiple external locations
  • Keep reverse zone serial numbers updated when making changes
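
One way to check that PTR records match forward DNS, as an added example (not from the original page): it reads the PTR lines of the 2.0.192.in-addr.arpa zone file shown earlier and compares each against forward data. The forward map is constructed sample data standing in for live A-record lookups.

```python
import ipaddress

ZONE = "2.0.192.in-addr.arpa"
# PTR lines as they appear in the zone file earlier on this page.
PTR_LINES = """\
1     IN PTR mail.example.com.
10    IN PTR web.example.com.
50    IN PTR server1.example.com.
100   IN PTR workstation.example.com.
"""
# Constructed forward data (hypothetical): one drifted A record, one missing.
FORWARD = {
    "mail.example.com.": {"192.0.2.1"},
    "web.example.com.": {"192.0.2.10"},
    "server1.example.com.": {"192.0.2.51"},
}

def ptr_owner_to_ip(owner, zone):
    """Turn a PTR owner name (relative or absolute) back into an IPv4 address."""
    fqdn = owner if owner.endswith(".") else f"{owner}.{zone}."
    labels = fqdn.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {fqdn}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))

def audit_ptrs(ptr_text, zone, forward):
    """Return (ip, hostname, problem) for every PTR the forward data does not confirm.

    Handles the simple 'owner IN PTR target' lines used on this page; lines
    that inherit their owner from the previous record are not supported.
    """
    findings = []
    for line in ptr_text.splitlines():
        fields = line.split(";")[0].split()      # drop comments
        if len(fields) < 4 or fields[-2].upper() != "PTR":
            continue
        ip, name = ptr_owner_to_ip(fields[0], zone), fields[-1].lower()
        addrs = forward.get(name)
        if addrs is None:
            findings.append((ip, name, "no forward record"))
        elif ip not in addrs:
            findings.append((ip, name, "forward record points elsewhere"))
    return findings

if __name__ == "__main__":
    for finding in audit_ptrs(PTR_LINES, ZONE, FORWARD):
        print(*finding, sep="  ")
```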

Quick Reference

Zone Name Formulas
IPv4 /24: [third].[second].[first].in-addr.arpa
IPv4 /16: [second].[first].in-addr.arpa
IPv6 /48: [nibbles-reversed].ip6.arpa
IPv6 /64: [more-nibbles-reversed].ip6.arpa
Essential Records
SOA record (required for all zones)
NS records (delegation to authoritative servers)
PTR records (actual IP to name mappings)
Match PTR with forward A/AAAA records
Key Rule
IPv4 reverse zones reverse the octets (192.0.2.0/24 → 2.0.192.in-addr.arpa). IPv6 reverse zones reverse the nibbles (2001:db8::/32 → 8.b.d.0.1.0.0.2.ip6.arpa).
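
The key rule as code, in an added example (not from the original page) that generalizes it: given any CIDR block, it returns the minimal set of reverse zones, expanding a prefix that falls between octet or nibble boundaries into several zones, as in the /23 case above. The function name is hypothetical.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the minimal list of reverse zone names covering `cidr`.

    IPv4 zones are cut on octet boundaries and IPv6 zones on nibble
    boundaries. A prefix between two boundaries is expanded to the next
    longer boundary, which yields several zones. IPv4 blocks longer than
    /24 cannot be expressed this way and need the classless CNAME method.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version == 4:
        step, suffix = 8, "in-addr.arpa"
        if net.prefixlen > 24:
            raise ValueError("longer than /24: use classless CNAME delegation")
    else:
        step, suffix = 4, "ip6.arpa"
    # Round the prefix length up to the next label boundary.
    aligned = -(-net.prefixlen // step) * step
    n_labels = aligned // step
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        if net.version == 4:
            labels = str(sub.network_address).split(".")
        else:
            # exploded form keeps every leading zero, one character per nibble
            labels = list(sub.network_address.exploded.replace(":", ""))
        zones.append(".".join(list(reversed(labels[:n_labels])) + [suffix]))
    return zones

if __name__ == "__main__":
    for block in ("192.0.2.0/24", "198.51.100.0/23",
                  "2001:db8::/32", "2001:db8:1234::/46"):
        print(block, "->", ", ".join(reverse_zones(block)))
```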

Testing Tools

dig -x [ip]
Test reverse DNS lookup
nslookup [ip]
Basic reverse lookup test
host [ip]
Simple reverse resolution check
online reverse DNS tools
Test from external perspective