Overview of reverse DNS and support in Azure

This article provides an overview of how reverse DNS works, and the scenarios in which reverse DNS is supported in Azure.

What is reverse DNS?

Conventional DNS records map a DNS name to an IP address; for example, www.contoso.com resolves to 64.4.6.100. Reverse DNS does the opposite, translating an IP address back to a name. For example, a lookup of 64.4.6.100 resolves to www.contoso.com.

Reverse DNS records are used in various situations. For example, they are widely used in combating e-mail spam by verifying the sender of an e-mail message: the receiving mail server retrieves the reverse DNS record of the sending server's IP address, then verifies whether that host is authorized to send e-mail from the originating domain.
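The sender check described above, worked through as an added example that is not part of the original article. It models what a receiving mail server does: look up the PTR record for the connecting address, then confirm that the name the PTR returns has an A record pointing back to the same address (forward-confirmed reverse DNS) and that the name belongs to the sender's domain. The PTR_RECORDS and A_RECORDS dictionaries are constructed sample data standing in for live DNS answers; the hostnames and addresses are the article's example values plus one deliberately mismatched PTR.

```python
import ipaddress

# Constructed sample records standing in for live DNS answers (example data, not real records).
# PTR side: in-addr.arpa name -> hostname claimed for that address.
PTR_RECORDS = {
    "100.6.4.64.in-addr.arpa": "www.contoso.com",
    "101.6.4.64.in-addr.arpa": "mail.contoso.com",
    # A PTR whose name does not resolve back to this address: fails forward confirmation.
    "102.6.4.64.in-addr.arpa": "mail.contoso.com",
}
# Forward side: hostname -> addresses published in its A records.
A_RECORDS = {
    "www.contoso.com": ["64.4.6.100"],
    "mail.contoso.com": ["64.4.6.101"],
}


def reverse_name(ip: str) -> str:
    """Return the PTR query name for an IPv4 or IPv6 address (octets/nibbles reversed, ARPA suffix)."""
    return ipaddress.ip_address(ip).reverse_pointer


def forward_confirmed(ip: str, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: the name in the PTR must have an A record pointing back to ip.

    Returns (verdict, hostname) with verdict in {"confirmed", "mismatch", "no-ptr"}.
    """
    host = ptr.get(reverse_name(ip))
    if host is None:
        return "no-ptr", None
    if ip in a.get(host, []):
        return "confirmed", host
    return "mismatch", host


def check_sender(ip: str, mail_from_domain: str, ptr=PTR_RECORDS, a=A_RECORDS) -> str:
    """Receiving-server policy: accept only a confirmed PTR whose name lies in the sender's domain."""
    verdict, host = forward_confirmed(ip, ptr, a)
    if verdict != "confirmed":
        return f"reject ({verdict})"
    domain = mail_from_domain.lower().rstrip(".")
    if host.lower() == domain or host.lower().endswith("." + domain):
        return "accept"
    return "reject (domain mismatch)"


if __name__ == "__main__":
    # Constructed connection attempts: (connecting IP, domain in MAIL FROM).
    for ip, sender in [("64.4.6.101", "contoso.com"), ("64.4.6.102", "contoso.com"),
                       ("64.4.6.103", "contoso.com"), ("64.4.6.100", "example.org")]:
        print(f"{ip} claiming {sender}: {check_sender(ip, sender)}")
```

The "mismatch" case is the one that matters for spam defence: anyone who controls a block's ARPA zone can publish a PTR naming any domain, so the PTR alone proves nothing; only the forward confirmation ties the name to an address its owner actually published.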

How reverse DNS works

Reverse DNS records are hosted in special DNS zones, known as 'ARPA' zones. These zones form a separate DNS hierarchy, parallel to the normal hierarchy that hosts domains such as contoso.com.

For example, the DNS record www.contoso.com is implemented as a DNS 'A' record named 'www' in the zone contoso.com. This A record points to the corresponding IP address, in this case 64.4.6.100. The reverse lookup is implemented separately, as a 'PTR' record named '100' in the zone '6.4.64.in-addr.arpa'. Notice that the octets of the IP address appear in reverse order in the ARPA zone name. When configured correctly, this PTR record points to the name www.contoso.com.

When an organization is assigned an IP address block, it also acquires the right to manage the corresponding ARPA zone. The ARPA zones corresponding to the IP address blocks used by Azure are hosted and managed by Azure. Your ISP may host the ARPA zone for the IP addresses you own, or may allow you to host it in a DNS service of your choice, such as Azure DNS.

Note

Forward DNS lookups and reverse DNS lookups are implemented in separate, parallel DNS hierarchies. The reverse lookup for 'www.contoso.com' is not hosted in the zone 'contoso.com'; it is hosted in the ARPA zone for the corresponding IP address block. Separate zones are used for IPv4 and IPv6 address blocks.

IPv4

The name of an IPv4 reverse lookup zone should be in the following format: <IPv4 network prefix in reverse order>.in-addr.arpa.

For example, when creating a reverse zone to host records for hosts whose IPs are in the 192.0.2.0/24 prefix, the zone name is built by isolating the network prefix of the address (192.0.2), reversing the order of its octets (2.0.192), and adding the suffix .in-addr.arpa.

Subnet class   Network prefix   Reversed network prefix   Standard suffix   Reverse zone name
Class A        203.0.0.0/8      203                       .in-addr.arpa     203.in-addr.arpa
Class B        198.51.0.0/16    51.198                    .in-addr.arpa     51.198.in-addr.arpa
Class C        192.0.2.0/24     2.0.192                   .in-addr.arpa     2.0.192.in-addr.arpa

Classless IPv4 delegation

In some cases, the IP range given to an organization is smaller than a Class C (/24) range. In that case, the IP range doesn't fall on a zone boundary within the .in-addr.arpa zone hierarchy, so it can't be delegated as a child zone.

A different method is used to transfer each reverse lookup record to a dedicated DNS zone. This method delegates a child zone for each IP range, then maps each IP address in the range individually to that child zone using CNAME records.

For example, suppose your organization is granted the IP range 192.0.2.128/26 by your ISP. This address block represents 64 IP addresses, from 192.0.2.128 to 192.0.2.191. Reverse DNS for this range is implemented as follows:

  • Your organization creates a reverse lookup zone called 128-26.2.0.192.in-addr.arpa. The prefix '128-26' represents the network segment assigned to your organization within the Class C (/24) range.

  • Your ISP creates NS records to set up the DNS delegation for that zone from the Class C parent zone. The ISP also creates CNAME records in the parent (Class C) reverse lookup zone, mapping each IP address in the IP range to the new zone created by your organization:

    $ORIGIN 2.0.192.in-addr.arpa
    ; Delegate child zone
    128-26    NS       <name server 1 for 128-26.2.0.192.in-addr.arpa>
    128-26    NS       <name server 2 for 128-26.2.0.192.in-addr.arpa>
    ; CNAME records for each IP address
    129       CNAME    129.128-26.2.0.192.in-addr.arpa
    130       CNAME    130.128-26.2.0.192.in-addr.arpa
    131       CNAME    131.128-26.2.0.192.in-addr.arpa
    ; etc
    
  • Your organization then manages the individual PTR records within its child zone.

    $ORIGIN 128-26.2.0.192.in-addr.arpa
    ; PTR records for each IP address. Names match CNAME targets in parent zone
    129      PTR    www.contoso.com
    130      PTR    mail.contoso.com
    131      PTR    partners.contoso.com
    ; etc
    

A reverse lookup for the IP address '192.0.2.129' queries for a PTR record named '129.2.0.192.in-addr.arpa'. This query resolves through the CNAME in the parent zone to the PTR record in the child zone.
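The classless delegation above, generated and resolved end to end as an added example (not code from the original article). It builds the parent-zone NS and CNAME records for any IPv4 range between /25 and /31, the child-zone PTR records for the hosts the organization names, and then walks a reverse query through the CNAME to the PTR the way a resolver would. The 192.0.2.128/26 range and the contoso.com hostnames are the article's; the name server names ns1.example.net and ns2.example.net are constructed placeholders.

```python
import ipaddress


def parent_zone_name(cidr: str) -> str:
    """Class C (/24) reverse zone containing the classless range, e.g. 2.0.192.in-addr.arpa."""
    net = ipaddress.IPv4Network(cidr)
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def classless_zone_name(cidr: str) -> str:
    """Child zone name for a range smaller than /24, e.g. 128-26.2.0.192.in-addr.arpa."""
    net = ipaddress.IPv4Network(cidr)
    if not 24 < net.prefixlen < 32:
        raise ValueError("classless delegation applies to ranges between /25 and /31")
    first = str(net.network_address).split(".")[3]
    return f"{first}-{net.prefixlen}.{parent_zone_name(cidr)}"


def parent_records(cidr: str, nameservers) -> dict:
    """Records the ISP adds to the parent /24 zone: NS delegation plus one CNAME per address.

    Owner names are fully qualified; values are lists of (rtype, rdata) tuples.
    """
    net = ipaddress.IPv4Network(cidr)
    child = classless_zone_name(cidr)
    records = {child: [("NS", ns) for ns in nameservers]}
    for addr in net:  # every address in the range, network and broadcast included
        last = str(addr).split(".")[3]
        records[addr.reverse_pointer] = [("CNAME", f"{last}.{child}")]
    return records


def child_records(cidr: str, hostnames: dict) -> dict:
    """PTR records the organization publishes in its child zone, keyed by the CNAME target names."""
    net = ipaddress.IPv4Network(cidr)
    child = classless_zone_name(cidr)
    records = {}
    for ip, host in hostnames.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        records[f"{str(addr).split('.')[3]}.{child}"] = [("PTR", host)]
    return records


def resolve_ptr(ip: str, records: dict, max_hops: int = 8):
    """Resolve a reverse lookup over the merged parent+child data, following CNAMEs."""
    name = ipaddress.IPv4Address(ip).reverse_pointer
    for _ in range(max_hops):
        rrset = records.get(name)
        if not rrset:
            return None
        rtype, rdata = rrset[0]
        if rtype == "PTR":
            return rdata
        if rtype == "CNAME":
            name = rdata
            continue
        return None
    return None  # CNAME loop or chain too long


def build_example() -> dict:
    """Merged view of both zones for the article's 192.0.2.128/26 example (constructed data)."""
    cidr = "192.0.2.128/26"
    records = parent_records(cidr, ["ns1.example.net", "ns2.example.net"])
    records.update(child_records(cidr, {
        "192.0.2.129": "www.contoso.com",
        "192.0.2.130": "mail.contoso.com",
        "192.0.2.131": "partners.contoso.com",
    }))
    return records


if __name__ == "__main__":
    data = build_example()
    for ip in ("192.0.2.129", "192.0.2.131", "192.0.2.140", "192.0.2.200"):
        print(ip, "->", resolve_ptr(ip, data))
```

Two things worth noticing when running it: an address inside the range with no PTR yet (192.0.2.140) still has a parent CNAME but resolves to nothing, and an address outside the delegated range (192.0.2.200) has no CNAME at all, so the parent zone, not the child, decides which addresses the organization can name.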

IPv6

The name of an IPv6 reverse lookup zone should be in the following format: <IPv6 network prefix in reverse order>.ip6.arpa.

For example, when you create a reverse zone to host records for hosts whose IPs are in the 2001:db8:abdc::/64 prefix, the zone name is built by isolating the network prefix of the address (2001:db8:abdc::). Next, expand the IPv6 network prefix to remove zero compression, if it was used to shorten the prefix (2001:0db8:abdc:0000::). Then reverse the order of the hexadecimal digits, using a period as the delimiter between each digit, to build the reversed network prefix (0.0.0.0.c.d.b.a.8.b.d.0.1.0.0.2), and add the suffix .ip6.arpa.

Network prefix            Expanded and reversed network prefix   Standard suffix   Reverse zone name
2001:db8:abdc::/64        0.0.0.0.c.d.b.a.8.b.d.0.1.0.0.2        .ip6.arpa         0.0.0.0.c.d.b.a.8.b.d.0.1.0.0.2.ip6.arpa
2001:db8:1000:9102::/64   2.0.1.9.0.0.0.1.8.b.d.0.1.0.0.2        .ip6.arpa         2.0.1.9.0.0.0.1.8.b.d.0.1.0.0.2.ip6.arpa
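The zone-naming rules from the IPv4 and IPv6 sections, implemented in one place as an added example (not code from the original article). reverse_zone_name() reproduces both tables above from the CIDR prefix: it cuts IPv4 prefixes on octet boundaries and IPv6 prefixes on nibble boundaries, expands any zero compression first, and refuses an IPv4 prefix that is not a multiple of 8 bits, which is exactly the case the classless delegation section exists for. ptr_location() then shows where the PTR for a given address lives, as a zone plus a record name relative to that zone, matching the '100' in '6.4.64.in-addr.arpa' example earlier in the article. The 64.4.6.0/24 zone used below is derived from the article's sample address; the ::1 host address is constructed.

```python
import ipaddress


def reverse_zone_name(cidr: str) -> str:
    """Reverse lookup zone name for a prefix that sits on a zone boundary.

    IPv4 zones are cut on octet boundaries (/8, /16, /24); IPv6 zones on nibble
    boundaries (any prefix length that is a multiple of 4). Other IPv4 sizes
    cannot be delegated as a zone and need classless delegation instead.
    """
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        raise ValueError("a reverse zone needs a non-empty network prefix")
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{cidr}: IPv4 reverse zones need a /8, /16 or /24 prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError(f"{cidr}: IPv6 reverse zones need a prefix length that is a multiple of 4")
    # .exploded undoes zero compression: 2001:db8:abdc:: -> 2001:0db8:abdc:0000:0000:...
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_location(ip: str, cidr: str):
    """Where the PTR for ip lives: (zone name, record name relative to that zone)."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(cidr)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    zone = reverse_zone_name(cidr)
    full = addr.reverse_pointer             # e.g. 100.6.4.64.in-addr.arpa
    return zone, full[: -(len(zone) + 1)]   # strip ".<zone>" to leave the relative name


if __name__ == "__main__":
    # Rows of the two tables in the article, regenerated from the prefix alone.
    for cidr in ("203.0.0.0/8", "198.51.0.0/16", "192.0.2.0/24",
                 "2001:db8:abdc::/64", "2001:db8:1000:9102::/64"):
        print(f"{cidr:26} {reverse_zone_name(cidr)}")
    print(ptr_location("64.4.6.100", "64.4.6.0/24"))
    print(ptr_location("2001:db8:abdc::1", "2001:db8:abdc::/64"))
```

The IPv6 relative name is 16 nibbles long for a /64, which is why PTR data for IPv6 is almost always generated rather than hand-written; the split returned by ptr_location() is the same one a zone file's $ORIGIN line implies.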

Azure support for reverse DNS

Azure supports two separate scenarios relating to reverse DNS:

Hosting the reverse lookup zone corresponding to your IP address block - Azure DNS can be used to host your reverse lookup zones and manage the PTR records for both IPv4 and IPv6. The process of creating the reverse lookup (ARPA) zone, setting up the delegation, and configuring PTR records is the same as for regular DNS zones. The differences are that the delegation must be configured with your ISP rather than your DNS registrar, and that only the PTR record type should be used.

Configuring the reverse DNS record for the IP address assigned to your Azure service - Azure enables you to configure the reverse lookup for the IP addresses given to your Azure service. Azure configures this reverse lookup as a PTR record in the corresponding ARPA zone. These ARPA zones, corresponding to all the IP ranges used by Azure, are hosted by Microsoft.

Next steps