Glossary
What Is Reverse DNS / PTR?
Reverse DNS (rDNS) is the lookup that goes the other way: given an IP address, return the hostname assigned to it. The mapping is published as PTR records under the special .in-addr.arpa (IPv4) and .ip6.arpa (IPv6) zones, and is controlled by whoever owns the IP block — the network operator, not the domain owner.
How rDNS Differs from Forward DNS
Forward DNS lets the domain owner say what their hostname resolves to. Reverse DNS lets the IP-block owner say what their IPs are called. The two are independent — there is no requirement that they agree. A domain owner cannot create a PTR record for an IP they don't operate, and that's by design.
Why rDNS Patterns Matter
Operators name their IPs systematically. Cloud providers use generated patterns (ec2-1-2-3-4.compute-1.amazonaws.com); ISPs name residential IPs after the geographic POP; servers often have descriptive hostnames (mail-out-1.example.com). The patterns reveal:
- Provider type — cloud, ISP, residential, datacenter — at a glance.
- Geography — many residential rDNS strings encode city or POP.
- Function — mail relays, NAT gateways, customer routers often self-identify.
- Legitimacy of mail senders — most reputable mail systems have aligned forward and reverse DNS.
- Botnet IPs — residential rDNS strings on machines sending spam are a classic signal.
Common rDNS Pitfalls
- Many IPs have no PTR at all — the absence is itself a signal in some contexts.
- PTR records can lag actual IP reassignments by days or weeks.
- Spoofed-looking PTR strings are not authoritative — rDNS is a hint, not proof.
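An added worked example (not part of the glossary or of Whisper) that ties together the PTR naming scheme, the "aligned forward and reverse DNS" check from the mail-sender point above, and the "no PTR at all" pitfall; the zone tables and the residential keyword list are constructed stand-ins so it runs offline.

```python
import ipaddress
import re

# Constructed sample data standing in for live PTR and A lookups so the
# example runs offline. Hostname shapes follow the ones the glossary cites.
PTR_ZONE = {
    "4.3.2.1.in-addr.arpa": "ec2-1-2-3-4.compute-1.amazonaws.com",
    "10.113.0.203.in-addr.arpa": "mail-out-1.example.com",
    "11.113.0.203.in-addr.arpa": "mail-out-1.example.com",  # PTR claims a name...
    # 203.0.113.12 deliberately has no PTR at all
}
FORWARD_ZONE = {
    "ec2-1-2-3-4.compute-1.amazonaws.com": {"1.2.3.4"},
    "mail-out-1.example.com": {"203.0.113.10"},  # ...that only resolves to .10
}

# Heuristic classifier for PTR strings. The cloud and mail patterns come from
# the glossary's examples; the residential keywords are a constructed assumption.
PTR_CLASSES = [
    ("cloud", re.compile(r"^ec2-\d+-\d+-\d+-\d+\..*\.amazonaws\.com$")),
    ("mail", re.compile(r"^(mail|smtp|mx)[\w-]*\.")),
    ("residential", re.compile(r"(dsl|cable|dyn|pool|cpe)", re.I)),
]


def ptr_name(ip: str) -> str:
    """Reverse the address into its PTR query name (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def classify_ptr(hostname: str) -> str:
    for label, pattern in PTR_CLASSES:
        if pattern.search(hostname):
            return label
    return "unknown"


def check_rdns(ip: str, ptr_zone=PTR_ZONE, forward_zone=FORWARD_ZONE) -> dict:
    """Resolve the PTR, then forward-confirm it: the hostname the PTR names must
    itself resolve back to the queried IP. A PTR that does not round-trip is
    only a hint about the operator, not proof of who the host is."""
    host = ptr_zone.get(ptr_name(ip))
    if host is None:
        return {"ip": ip, "ptr": None, "status": "no-ptr", "class": "unknown"}
    status = "aligned" if ip in forward_zone.get(host, set()) else "mismatch"
    return {"ip": ip, "ptr": host, "status": status, "class": classify_ptr(host)}


if __name__ == "__main__":
    for addr in ("1.2.3.4", "203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(check_rdns(addr))
```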
rDNS in Whisper
Whisper stores rDNS as part of the IP node and indexes it for substring search. Analysts can ask "show me IPs in this prefix whose PTR matches *mail*" or "find IPs in this ASN with no PTR record at all" — useful for rapid hosting-provider profiling and mail infrastructure auditing.