Fun with .arpa domains

As you may know, .arpa domains are used for reverse DNS. But did you know that they are usable for forward DNS too?

Let’s start with some preface. Domains with .arpa TLD are reserved for Internet infrastructure use. There are only several 2nd level domains in the .arpa TLD, a list of which can be found on the website of IANA, the organisation mainly responsible for managing IP space. Today I’ll talk about in-addr.arpa and ip6.arpa, but I’m sure the same can be followed for other .arpa domains.

Reverse DNS

in-addr.arpa domains are used for reverse IPv4 DNS. For example, let’s say we want to know the reverse DNS of 192.168.1.1. What we shall do is convert the IP to a “reverse decimal-dotted notation”, which basically means read the IP segments from the right to left and add .in-addr.arpa at the end. Like so: 1.1.168.192.in-addr.arpa
We can now send this as a PTR query to a recursive DNS resolver, and we will get the reverse DNS record for 192.168.1.1.

Okay, so far this is a pretty standard and boring stuff. Let the fun begin!

Putting forward records in the reverse DNS zone

The standard reverse DNS zone file contains something like this:

1.1.168.192.in-addr.arpa. 3600 PTR my.home.router.lan.

This tells the DNS server that for any reverse DNS queries for 192.168.1.1, it shall respond with my.home.router.lan.

But have you ever wondered what would happen if you put a forward record, like an A or AAAA record in the reverse zone?

1.1.168.192.in-addr.arpa. 3600 A     10.0.0.1
1.1.168.192.in-addr.arpa. 3600 AAAA  fd80:37ca:cafe::1

Yes, this is perfectly valid. In fact, opening http://1.1.168.192.in-addr.arpa in the browser would now result in a page being loaded from 10.0.0.1 (or the IPv6 counterpart)!

Does this work in the real world?

The answer is YES, it does. See for yourself: http://broken.f.e.f.f.5.0.9.a.7.0.a.2.ip6.arpa

The reverse DNS zone for my IPv6 prefix 2a07:a905:ffef::/48 is delegated in RIPE’s database to my name servers, which use the setup described above.

 

Some certificate authorities are even happy to issue TLS certificates for .arpa domains. For example, cPanel’s AutoSSL works wonders, while Let’s Encrypt doesn’t like them at all. I even tried to use this kind of domain for sending and receiving email. You can make SPF work as well, and to my surprise, deliverability is quite good.

Leave a Reply...