As you may know, .arpa domains are used for reverse DNS. But did you know that they are usable for forward DNS too?
Let’s start with some preface. Domains with .arpa TLD are reserved for Internet infrastructure use. There are only several 2nd level domains in the .arpa TLD, a list of which can be found on the website of IANA, the organisation mainly responsible for managing IP space. Today I’ll talk about
ip6.arpa, but I’m sure the same can be followed for other
in-addr.arpa domains are used for reverse IPv4 DNS. For example, let’s say we want to know the reverse DNS of
192.168.1.1. What we shall do is convert the IP to a “reverse decimal-dotted notation”, which basically means read the IP segments from the right to left and add
.in-addr.arpa at the end. Like so:
We can now send this as a PTR query to a recursive DNS resolver, and we will get the reverse DNS record for
Okay, so far this is a pretty standard and boring stuff. Let the fun begin!
Putting forward records in the reverse DNS zone
The standard reverse DNS zone file contains something like this:
220.127.116.11.in-addr.arpa. 3600 PTR my.home.router.lan.
This tells the DNS server that for any reverse DNS queries for
192.168.1.1, it shall respond with
But have you ever wondered what would happen if you put a forward record, like an A or AAAA record in the reverse zone?
18.104.22.168.in-addr.arpa. 3600 A 10.0.0.1 22.214.171.124.in-addr.arpa. 3600 AAAA fd80:37ca:cafe::1
Yes, this is perfectly valid. In fact, opening
http://126.96.36.199.in-addr.arpa in the browser would now result in a page being loaded from
10.0.0.1 (or the IPv6 counterpart)!
Does this work in the real world?
The answer is YES, it does. See for yourself: http://broken.f.e.f.f.5.0.9.a.7.0.a.2.ip6.arpa
The reverse DNS zone for my IPv6 prefix
2a07:a905:ffef::/48 is delegated in RIPE’s database to my name servers, which use the setup described above.
Some certificate authorities are even happy to issue TLS certificates for
.arpa domains. For example, cPanel’s AutoSSL works wonders, while Let’s Encrypt doesn’t like them at all. I even tried to use this kind of domain for sending and receiving email. You can make SPF work as well, and to my surprise, deliverability is quite good.