D. J. Bernstein
Internet publication
DNScache
Frequently asked questions

Reverse DNS wall


What is a reverse DNS wall?

Answer: Some silly FTP servers drop connections from IP addresses that don't have host names. They look up the PTR record for each incoming IP address. A few servers go further and also look up the A records for the name in the PTR record, and check those records against the original address (so-called forward-confirmed reverse DNS).

Many sites, on the other hand, do not want to reveal their host names, or even how many hosts they have. They keep their hosts behind a firewall that prevents incoming connections. They still make outgoing connections, including connections to the silly servers mentioned above.

These sites provide fake host names through a reverse DNS wall, such as walldns. What walldns does is provide a PTR record for every IP address (within the zones delegated to it) and a matching A record for the PTR record: the PTR record for d.c.b.a.in-addr.arpa points to that same name, and walldns answers an A query for that name with a.b.c.d, so even the forward-confirmation check passes without revealing anything about the host.
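The behaviour described above, simulated as an added example (this is not code from djbdns or from this page, and the real walldns reply details such as SOA and NS records are left out): a small in-memory reverse DNS wall that synthesizes the PTR and A records for one delegated zone, and the forward-confirmed reverse DNS check that the strict FTP servers perform, run against both the wall and a constructed "ordinary" zone whose PTR target does not resolve back.

```python
"""Simulated reverse DNS wall plus the forward-confirmed reverse DNS check.

Example code, not part of djbdns.  The zone name and addresses come from the
FAQ text (1.2.4.* delegated as 4.2.1.in-addr.arpa); everything else here is
a constructed illustration of the PTR/A synthesis that a wall performs.
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name(ip):
    """'1.2.4.5' -> '5.4.2.1.in-addr.arpa' (the name a PTR lookup asks for)."""
    return ".".join(reversed(ip.split("."))) + PTR_SUFFIX


def ip_from_ptr_name(name):
    """Inverse of ptr_name; None unless the name has exactly four valid octets."""
    name = name.lower().rstrip(".")
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    for label in labels:
        # reject empty labels, leading zeros and values above 255
        if not label.isdigit() or str(int(label)) != label or int(label) > 255:
            return None
    return ".".join(reversed(labels))


class WallDNS:
    """Answers like a reverse DNS wall for the in-addr.arpa zones given to it."""

    def __init__(self, zones):
        self.zones = [z.lower().rstrip(".") for z in zones]

    def _authoritative(self, name):
        return any(name == z or name.endswith("." + z) for z in self.zones)

    def query(self, name, qtype):
        """Return a list of rdata strings, [] for no data, None if not our zone."""
        name = name.lower().rstrip(".")
        if not self._authoritative(name):
            return None  # a real server would refuse; the client asks elsewhere
        ip = ip_from_ptr_name(name)
        if ip is None:
            return []  # zone apex or malformed name: nothing synthesized
        if qtype == "PTR":
            return [name]  # the fake host name is the reverse name itself
        if qtype == "A":
            return [ip]  # ...and it resolves straight back to the address
        return []


def fcrdns_check(ip, resolve):
    """Forward-confirmed reverse DNS as a strict FTP server would do it.

    resolve(name, qtype) -> list of rdata (None/[] when nothing is found).
    Returns (accepted, reason_or_name).
    """
    names = resolve(ptr_name(ip), "PTR") or []
    if not names:
        return (False, "no PTR record")
    for name in names:
        if ip in (resolve(name, "A") or []):
            return (True, name)
    return (False, "PTR target does not resolve back to " + ip)


# Constructed contrast: an ordinary zone whose PTR points at a name that
# resolves elsewhere, which forward confirmation correctly rejects.
STRAY_RECORDS = {
    ("7.4.2.1.in-addr.arpa", "PTR"): ["host.example"],
    ("host.example", "A"): ["192.0.2.1"],
}


def stray_resolve(name, qtype):
    return STRAY_RECORDS.get((name.lower().rstrip("."), qtype), [])


if __name__ == "__main__":
    wall = WallDNS(["4.2.1.in-addr.arpa"])
    print(wall.query("5.4.2.1.in-addr.arpa", "PTR"))
    print(wall.query("5.4.2.1.in-addr.arpa", "A"))
    print(fcrdns_check("1.2.4.5", wall.query))
    print(fcrdns_check("1.2.4.7", stray_resolve))
```

Every address in the delegated block passes the check with a name that carries no information beyond the address itself, which is exactly the point of the wall; the constructed stray zone shows the same check rejecting a PTR whose target does not resolve back.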


How do I configure a reverse DNS wall? I'm in charge of the 1.2.4 network. I'd like to run walldns on IP address 1.2.4.5 to handle all 1.2.4.* IP addresses.

Answer: This answer assumes that your boot scripts are already running svscan in a /service directory. walldns relies on svscan to start it and to restart it at boot time.

You will have to take three steps:

1. Create the service directory by running the walldns-conf program. The arguments are the account that will run walldns, the account that will run the log (both accounts must already exist), the service directory, and, at the end of the line, the IP address walldns should listen on:
     walldns-conf walldns dnslog /etc/walldns 1.2.4.5

2. Tell svscan about the new service:
     ln -s /etc/walldns /service
   svscan will start the service within five seconds.

3. Tell the administrator of 2.1.in-addr.arpa to delegate 4.2.1.in-addr.arpa to the server 5.4.2.1.in-addr.arpa running on IP address 1.2.4.5. walldns itself answers the A query for 5.4.2.1.in-addr.arpa with 1.2.4.5, so no other server needs a record for that name. Until the delegation is in place, outside resolvers will not reach walldns; you can check the server locally first by asking 1.2.4.5 directly for the PTR record of 5.4.2.1.in-addr.arpa with dnsq.