A PTR (Pointer) record is a DNS record type that maps an IP address to a hostname, functioning as the reverse of an A record. Where an A record answers the question "what IP address does this hostname resolve to?", a PTR record answers "what hostname is associated with this IP address?" PTR records are used in reverse DNS lookups, which take an IP address as input and return the associated hostname. This hostname-to-IP mapping is important in multiple operational and security contexts, from email server identity verification to network log readability and security incident investigation.
PTR records are not optional decorative entries — they are operationally required for running a legitimate mail server, and their presence (or absence) in logs significantly affects the usefulness of security data. Unlike A records, which are authoritative for the domain that owns the hostname, PTR records are authoritative for the organization that owns the IP address block. This means that PTR records are not managed through your domain registrar or DNS hosting provider but through your IP address provider — your internet service provider, hosting company, or cloud provider.
- PTR records answer "what hostname belongs to this IP address?" — the reverse of an A record lookup
- PTR records are stored in special reverse DNS zones maintained by IP address block owners
- PTR records are controlled by the IP address owner, not by the domain registrar
- Absence of a PTR record is a significant deliverability problem for mail server operators
- PTR records are also called reverse DNS records or rDNS records in common usage
IPv4 reverse DNS uses a special zone suffix called .in-addr.arpa. To look up the PTR record for the IPv4 address 192.0.2.10, the octets of the address are reversed and the .in-addr.arpa suffix is appended, producing the lookup name 10.2.0.192.in-addr.arpa. A DNS query for the PTR record at this name returns the associated hostname if a PTR record has been configured. The octet reversal ensures that DNS delegation follows the natural hierarchy of IP address blocks: the .in-addr.arpa zone is delegated to IANA, which sub-delegates to regional internet registries (ARIN, RIPE, APNIC, etc.), which in turn sub-delegate to ISPs, which may further sub-delegate to their customers.
IPv6 reverse DNS uses the same principle but operates at the nibble (4-bit) level, reversing all 32 hexadecimal digits of the full expanded IPv6 address and appending the .ip6.arpa suffix. For example, the reverse DNS lookup name for the IPv6 address 2001:db8::1 (fully expanded: 2001:0db8:0000:0000:0000:0000:0000:0001) would be 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IPv6 reverse DNS configuration follows the same delegation hierarchy but is significantly more complex due to the 128-bit address space.
- IPv4 reverse DNS: reverse octets, append
.in-addr.arpa— e.g., 192.0.2.10 becomes10.2.0.192.in-addr.arpa - IPv6 reverse DNS: reverse all nibbles, append
.ip6.arpa— requires the full 32-nibble expansion - Delegation hierarchy: IANA → Regional Internet Registries → ISPs → customers (for assigned blocks)
- ISPs maintain reverse DNS zones for IP ranges they own and delegate sub-zones to customers
- Query PTR records with:
dig -x 192.0.2.10(the-xflag performs automatic reverse DNS formatting)
Forward-Confirmed Reverse DNS (FCrDNS), also called Forward-Confirmed rDNS or double-reverse DNS lookup, is the practice of verifying that a PTR record's hostname itself resolves back to the original IP address via a forward A record lookup. The process is: look up the PTR record for the IP address to get a hostname, then look up the A record for that hostname to get an IP address, and verify that the resulting IP matches the original IP address. Only when both lookups agree is the rDNS considered forward-confirmed.
FCrDNS serves as a basic anti-spoofing mechanism because it requires control of both the IP address (to set the PTR record) and the domain name (to set the matching A record). A spammer who rents a cloud instance can set a PTR record to any hostname value that their hosting provider allows — including mail.legitimatebank.com — but they cannot set an A record for mail.legitimatebank.com without controlling that domain's DNS. FCrDNS validation catches this discrepancy. Most enterprise mail gateways perform FCrDNS checks on connecting mail servers, and a failure is a strong signal of a suspicious or misconfigured sender.
- FCrDNS process: PTR lookup yields hostname → A lookup on hostname → verify IP matches original
- FCrDNS requires control of both the IP block (for PTR) and the domain name (for the A record)
- Failed FCrDNS is a major spam signal for enterprise and ISP mail gateways
- Verify FCrDNS with:
dig -x [IP]thendig A [returned hostname]and compare results - All production mail servers must have FCrDNS configured — it is a fundamental deliverability requirement
Every major email provider — Gmail, Outlook/Hotmail, Yahoo Mail, Apple iCloud Mail — checks the PTR record of the connecting mail server's IP address as a fundamental authentication step during SMTP connection. If the connecting IP address has no PTR record at all, most major providers will refuse the connection with a 550 error or silently discard the message. A PTR record that exists but does not forward-confirm — meaning the hostname in the PTR record does not resolve back to the sending IP — is treated equivalently to no PTR record by strict mail gateways.
The content of the PTR record also matters beyond mere existence. Generic PTR records like static.203.0.113.25.isp.net that follow patterns typical of dynamically assigned residential or shared hosting IP addresses are recognized as suspicious by spam filtering systems, which associate such patterns with botnet-infected consumer devices sending spam. Your mail server's PTR record should contain a meaningful, fully qualified domain name — ideally the same hostname used in the SMTP HELO or EHLO greeting — that clearly identifies it as a legitimate mail server. The HELO hostname, PTR hostname, and forward A record should all be consistent and mutually resolving.
- Gmail, Outlook, Yahoo, and Apple all check PTR records on every connecting mail server
- Missing PTR record: typically results in 550 rejection or silent discard at major providers
- Generic PTR patterns (ISP auto-assigned): often treated as suspicious by spam filters
- HELO/EHLO hostname should match the PTR hostname for consistency and deliverability
- Test your PTR and HELO consistency with MXToolbox Email Health Check tool
PTR records are controlled by the owner of the IP address block, not by the holder of the domain name that the PTR record points to. For most organizations using cloud providers or hosting companies, the hosting provider owns the IP addresses and therefore controls the reverse DNS zone. Configuring a PTR record requires requesting the change from your hosting provider or cloud platform through their management console or support process. AWS Route 53 allows PTR record configuration for Elastic IP addresses directly through the EC2 console. Google Cloud Platform, Azure, and most major hosting providers provide either a UI setting or a support request process for setting custom PTR records.
The correct procedure for configuring a PTR record is to first set up the forward A record for your mail server's hostname to point to the server's IP address, and verify it resolves correctly. Only after the A record is in place and propagated should you request the PTR record update from your hosting provider, specifying both the IP address and the desired hostname. The hosting provider will create the PTR record pointing to that hostname. After the PTR record propagates, verify FCrDNS using dig -x [IP] followed by a forward lookup of the returned hostname, confirming that the round-trip confirms the original IP address.
- PTR records are controlled by the IP address owner — your hosting provider, not your DNS registrar
- AWS: configure PTR for Elastic IPs in the EC2 console under Elastic IP Address settings
- Most cloud and hosting providers: submit a support request specifying the IP and desired PTR hostname
- Always configure the forward A record first and verify it resolves before requesting the PTR update
- Verify FCrDNS after configuration:
dig -x [IP]then confirm the hostname resolves back to the IP
In security operations, PTR record resolution transforms raw IP addresses in logs and alerts into human-readable hostnames, dramatically improving the speed and accuracy of incident investigation. Firewall logs, intrusion detection system alerts, web server access logs, and authentication logs all record IP addresses. Performing reverse DNS resolution on logged IP addresses while analyzing an incident reveals patterns — repeated connections from cloud provider IP ranges, connections from known hosting infrastructure, or connections from IP ranges associated with specific geographic regions — that would not be apparent from raw IP addresses alone.
Reverse DNS enumeration is also a standard technique in penetration testing and network reconnaissance. By iterating through an IP address range and performing PTR lookups on each address, an attacker or authorized penetration tester can quickly discover all hostnames associated with an organization's IP space, revealing the naming conventions used for infrastructure, identifying services, and finding assets that are not publicly advertised through forward DNS records. This is why internal infrastructure should use non-descriptive hostnames even for internal servers — hostnames like prod-db-01.internal.company.com revealed through rDNS enumeration expose your internal architecture.
- PTR resolution in logs: convert IP addresses to hostnames for faster incident investigation
- SIEM integration: configure log ingestion to automatically enrich IP addresses with rDNS data
- Reverse DNS enumeration: iterate an IP range performing PTR lookups to map an organization's infrastructure
- Penetration testing:
for i in $(seq 1 254); do dig -x 192.0.2.$i +short; done - Security design: use non-descriptive internal hostnames to reduce information exposure via rDNS