Overview of reverse DNS and support in Azure

This article gives an overview of how reverse DNS works and of the reverse DNS scenarios supported in Azure.

What is reverse DNS?

Conventional DNS records map a DNS name (such as 'www.contoso.com') to an IP address (such as 64.4.6.100). Reverse DNS translates an IP address (64.4.6.100) back to a name ('www.contoso.com').

Reverse DNS records are used in a variety of situations. For example, they are widely used in combating e-mail spam. The receiving mail server retrieves the reverse DNS (PTR) record of the sending server's IP address and checks that a record exists and that the name it returns resolves forward to the same IP address (forward-confirmed reverse DNS). A PTR record on its own proves nothing about who may send mail for a domain, since whoever controls the ARPA zone for the address chooses the name it returns; it is the forward confirmation that ties the sending host to a name the domain owner actually publishes. Mail from addresses with no PTR record, or with a PTR record that does not forward-confirm, is commonly rejected or scored as spam.

How reverse DNS works

Reverse DNS records are hosted in special DNS zones known as 'ARPA' zones. These zones form a separate DNS hierarchy, parallel to the normal hierarchy that hosts domains such as 'contoso.com'.

For example, the DNS record 'www.contoso.com' is implemented as a DNS 'A' record named 'www' in the zone 'contoso.com'. This A record points to the corresponding IP address, in this case 64.4.6.100. The reverse lookup is implemented separately, using a 'PTR' record named '100' in the zone '6.4.64.in-addr.arpa' (note that the octets of the IP address appear in reverse order in ARPA zones). If it has been configured correctly, this PTR record points to the name 'www.contoso.com'.

When an organization is assigned an IP address block, it also acquires the right to manage the corresponding ARPA zone. The ARPA zones corresponding to the IP address blocks used by Azure are hosted and managed by Azure. Your ISP may host the ARPA zone for your own IP addresses on your behalf, or may allow you to host it in a DNS service of your choice, such as Azure DNS.

Note

Forward DNS lookups and reverse DNS lookups are implemented in separate, parallel DNS hierarchies. The reverse lookup for 'www.contoso.com' is not hosted in the zone 'contoso.com'; it is hosted in the ARPA zone for the corresponding IP address block. Separate zones are used for IPv4 and IPv6 address blocks.

IPv4

The name of an IPv4 reverse lookup zone has the format <IPv4 network prefix in reverse order>.in-addr.arpa. Each label of the zone name holds one octet, so a prefix maps directly onto a zone only when its length is a multiple of 8 (/8, /16 or /24); allocations smaller than a /24 are handled by the classless delegation described below.

For example, to create a reverse zone that hosts records for hosts with IP addresses in the 192.0.2.0/24 prefix, the zone name is built by isolating the network prefix of the address (192.0.2), reversing its order (2.0.192) and appending the suffix .in-addr.arpa.

Subnet class   Network prefix   Reversed network prefix   Standard suffix   Reverse zone name
Class A        203.0.0.0/8      203                       .in-addr.arpa     203.in-addr.arpa
Class B        198.51.0.0/16    51.198                    .in-addr.arpa     51.198.in-addr.arpa
Class C        192.0.2.0/24     2.0.192                   .in-addr.arpa     2.0.192.in-addr.arpa

Classless IPv4 delegation

In some cases, the IP range allocated to an organization is smaller than a Class C (/24) range. Such a range does not fall on a zone boundary within the .in-addr.arpa zone hierarchy, because zone boundaries lie only on octet boundaries, and hence it cannot be delegated as a child zone.

Instead, a different mechanism, standardized in RFC 2317, is used to transfer control of individual reverse lookup (PTR) records to a dedicated DNS zone. This mechanism delegates a child zone for each IP range, then maps each IP address in the range individually to that child zone using CNAME records in the parent zone.

For example, suppose an organization is granted the IP range 192.0.2.128/26 by its ISP. This represents 64 IP addresses, from 192.0.2.128 to 192.0.2.191. Reverse DNS for this range is implemented as follows:

  • The organization creates a reverse lookup zone called 128-26.2.0.192.in-addr.arpa. The label '128-26' identifies the network segment assigned to the organization within the Class C (/24) range: the first host octet and the prefix length. The exact label is a convention that the ISP and the organization agree on, not something the DNS protocol requires.
  • The ISP creates NS records in the Class C parent zone to delegate the zone above to the organization's name servers. It also creates CNAME records in the parent (Class C) reverse lookup zone, mapping each IP address in the range to the corresponding name in the new zone created by the organization:
$ORIGIN 2.0.192.in-addr.arpa.
; Delegate the child zone to the organization's name servers
128-26    NS       <name server 1 for 128-26.2.0.192.in-addr.arpa>
128-26    NS       <name server 2 for 128-26.2.0.192.in-addr.arpa>
; CNAME records for each IP address in 192.0.2.128/26.
; Targets end in a dot so they are absolute names, not relative to $ORIGIN.
129       CNAME    129.128-26.2.0.192.in-addr.arpa.
130       CNAME    130.128-26.2.0.192.in-addr.arpa.
131       CNAME    131.128-26.2.0.192.in-addr.arpa.
; etc
  • The organization then manages the individual PTR records within its child zone.
$ORIGIN 128-26.2.0.192.in-addr.arpa.
; PTR records for each IP address. Names match the CNAME targets in the parent zone.
; Targets end in a dot so they are absolute names, not relative to $ORIGIN.
129      PTR    www.contoso.com.
130      PTR    mail.contoso.com.
131      PTR    partners.contoso.com.
; etc

A reverse lookup for the IP address '192.0.2.129' queries for a PTR record named '129.2.0.192.in-addr.arpa'. The parent zone answers with the CNAME, and the query is resolved via that CNAME to the PTR record in the child zone; the answer the client receives carries both the CNAME and the PTR record.
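The classless delegation above, and the sender verification described under 'What is reverse DNS?', can be worked through offline. The following Python is an added example and not code from the Azure documentation: it generates the parent-zone CNAME records an ISP would publish for 192.0.2.128/26, resolves a PTR query by following the CNAME into the child zone, and then performs the forward-confirmed reverse DNS check a mail receiver applies. The zone data is constructed from the page's example; the forward A records for contoso.com, the extra PTR for 192.0.2.132 pointing at mail.example.net, and the 203.0.113.7 address behind it are assumptions added to show a PTR that exists but does not forward-confirm. Delegation is modelled by merging the zones into one lookup table rather than following NS referrals; all function names are this example's own.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Record = Tuple[str, str]   # (rtype, rdata); one record per owner name keeps the model small
Zone = Dict[str, Record]   # owner name (fully qualified, with trailing dot) -> record


def rfc2317_parent_records(prefix: str) -> Zone:
    """CNAME records the ISP publishes in the /24 parent in-addr.arpa zone for a
    sub-/24 customer range, pointing each address's PTR name into the child zone
    named '<first host octet>-<prefix length>' (RFC 2317 convention)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation is for IPv4 ranges longer than /24")
    octets = str(net.network_address).split(".")
    parent = ".".join(reversed(octets[:3])) + ".in-addr.arpa."   # 2.0.192.in-addr.arpa.
    child = f"{octets[3]}-{net.prefixlen}.{parent}"               # 128-26.2.0.192.in-addr.arpa.
    records: Zone = {}
    for addr in net:                      # every address in the range, 64 for a /26
        host = str(addr).rsplit(".", 1)[1]
        records[f"{host}.{parent}"] = ("CNAME", f"{host}.{child}")
    return records


# Constructed child zone as the organization would publish it: the page's three
# hosts plus an assumed fourth PTR whose name does not forward-resolve here.
CHILD_ZONE: Zone = {
    "129.128-26.2.0.192.in-addr.arpa.": ("PTR", "www.contoso.com."),
    "130.128-26.2.0.192.in-addr.arpa.": ("PTR", "mail.contoso.com."),
    "131.128-26.2.0.192.in-addr.arpa.": ("PTR", "partners.contoso.com."),
    "132.128-26.2.0.192.in-addr.arpa.": ("PTR", "mail.example.net."),   # assumption
}

# Constructed forward zones used by the forward-confirmation step (assumptions).
FORWARD_ZONES: Zone = {
    "www.contoso.com.": ("A", "192.0.2.129"),
    "mail.contoso.com.": ("A", "192.0.2.130"),
    "partners.contoso.com.": ("A", "192.0.2.131"),
    "mail.example.net.": ("A", "203.0.113.7"),   # not 192.0.2.132: the PTR does not confirm
}

# Delegation is modelled by merging everything into one lookup table; a real
# resolver would follow the NS records in the parent zone to the child's servers.
ALL_ZONES: Zone = {**rfc2317_parent_records("192.0.2.128/26"), **CHILD_ZONE, **FORWARD_ZONES}


def resolve(name: str, rtype: str, zones: Zone, max_chain: int = 8) -> Optional[str]:
    """Look up (name, rtype), following CNAMEs the way a resolver does.
    Returns the final rdata, or None if the name or type does not exist."""
    for _ in range(max_chain):
        rec = zones.get(name)
        if rec is None:
            return None
        rt, rdata = rec
        if rt == rtype:
            return rdata
        if rt != "CNAME":
            return None
        name = rdata              # chase the alias and try again
    raise RuntimeError("CNAME chain too long; possible loop")


def reverse_lookup(ip: str, zones: Zone) -> Optional[str]:
    """PTR lookup for an address: query '<reversed ip>.in-addr.arpa.'."""
    return resolve(ipaddress.ip_address(ip).reverse_pointer + ".", "PTR", zones)


def forward_confirmed(ip: str, zones: Zone) -> Tuple[bool, Optional[str]]:
    """Forward-confirmed reverse DNS: the PTR name must itself resolve (A) back to ip.
    Returns (passed, ptr_name); a PTR that exists but points elsewhere fails."""
    name = reverse_lookup(ip, zones)
    if name is None:
        return False, None
    return resolve(name, "A", zones) == ip, name


if __name__ == "__main__":
    for ip in ("192.0.2.129", "192.0.2.132", "192.0.2.127"):
        print(ip, "->", reverse_lookup(ip, ALL_ZONES), "FCrDNS:", forward_confirmed(ip, ALL_ZONES)[0])
```

Running the module shows 192.0.2.129 resolving to www.contoso.com. and passing the forward check, 192.0.2.132 resolving to a name that points elsewhere and failing it, and 192.0.2.127, which lies outside the delegated range, having no PTR at all. The CNAME chase and the forward check are exactly what a mail receiver does; only the NS referral is elided.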

IPv6

The name of an IPv6 reverse lookup zone has the form <IPv6 network prefix in reverse order>.ip6.arpa. Each label holds a single hexadecimal digit (one nibble), so the prefix length must be a multiple of 4 for the prefix to correspond to a zone.

For example, to create a reverse zone that hosts records for hosts with IP addresses in the 2001:db8:abdc::/64 prefix, the zone name is built by isolating the network prefix of the address (2001:db8:abdc::). Next, expand the IPv6 network prefix to remove zero compression, if it was used to shorten the prefix (2001:0db8:abdc:0000::). Then reverse the order of the hexadecimal digits, using a period as the delimiter between each digit, to build the reversed network prefix (0.0.0.0.c.d.b.a.8.b.d.0.1.0.0.2), and append the suffix .ip6.arpa.

Network prefix             Expanded and reversed network prefix   Standard suffix   Reverse zone name
2001:db8:abdc::/64         0.0.0.0.c.d.b.a.8.b.d.0.1.0.0.2        .ip6.arpa         0.0.0.0.c.d.b.a.8.b.d.0.1.0.0.2.ip6.arpa
2001:db8:1000:9102::/64    2.0.1.9.0.0.0.1.8.b.d.0.1.0.0.2        .ip6.arpa         2.0.1.9.0.0.0.1.8.b.d.0.1.0.0.2.ip6.arpa
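As an added example (not code from the Azure documentation), the following Python applies the naming rules given above for IPv4 and IPv6 to compute the ARPA zone name for a prefix, including expansion of zero-compressed IPv6 prefixes and the '<first host octet>-<prefix length>' label for IPv4 ranges longer than /24. It also computes the owner name a resolver queries for a single address and picks which of several hosted reverse zones holds a given address's PTR record. It depends only on the standard library's ipaddress module; the prefixes from the two tables are its inputs, and all function names are this example's own.

```python
import ipaddress


def reverse_zone_name(prefix: str) -> str:
    """Name of the ARPA zone holding the PTR records for `prefix`.

    IPv4 zones use one label per octet, so a delegable prefix length is a
    multiple of 8; ranges longer than /24 get the classless '<host>-<len>'
    label. IPv6 zones use one label per hex nibble, so the prefix length must
    be a multiple of 4. strict=True rejects a prefix with host bits set.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        if net.prefixlen % 8 == 0:
            return ".".join(reversed(octets[: net.prefixlen // 8])) + ".in-addr.arpa"
        if net.prefixlen > 24:
            return f"{octets[3]}-{net.prefixlen}." + ".".join(reversed(octets[:3])) + ".in-addr.arpa"
        raise ValueError(f"{prefix}: IPv4 prefix length must be a multiple of 8 (or longer than /24)")
    if net.prefixlen % 4 != 0:
        raise ValueError(f"{prefix}: IPv6 prefix length must be a multiple of 4")
    # .exploded undoes zero compression: 2001:db8:abdc:: -> 2001:0db8:abdc:0000:0000:...
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner_name(ip: str) -> str:
    """Owner name of the PTR record for one address, i.e. what a resolver queries.
    The standard library applies the same octet/nibble reversal rules."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_zone_for(ip: str, hosted_prefixes) -> str:
    """Which of several hosted reverse zones holds the PTR for `ip`: the longest
    matching prefix wins, so a classless /26 zone beats its /24 parent."""
    addr = ipaddress.ip_address(ip)
    covering = [ipaddress.ip_network(p, strict=True) for p in hosted_prefixes
                if addr in ipaddress.ip_network(p, strict=True)]   # False across IP versions
    if not covering:
        raise LookupError(f"no hosted reverse zone covers {ip}")
    best = max(covering, key=lambda n: n.prefixlen)
    return reverse_zone_name(str(best))


if __name__ == "__main__":
    for p in ("203.0.0.0/8", "198.51.0.0/16", "192.0.2.0/24", "192.0.2.128/26",
              "2001:db8:abdc::/64", "2001:db8:1000:9102::/64"):
        print(f"{p:26} -> {reverse_zone_name(p)}")
    print(ptr_owner_name("2001:db8:abdc::1"))
```

The IPv6 owner name for a single address is 32 labels long, which is why the zone name for a /64 stops after 16 of them and the remaining 16 are the record name inside that zone.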

Azure support for reverse DNS

Azure supports two separate scenarios relating to reverse DNS:

Hosting the reverse lookup zone corresponding to your IP address block. Azure DNS can be used to host your reverse lookup zones and manage the PTR records for each reverse DNS lookup, for both IPv4 and IPv6. The process of creating the reverse lookup (ARPA) zone, setting up the delegation, and configuring PTR records is the same as for regular DNS zones. The only differences are that the delegation must be configured via your ISP rather than your DNS registrar, and that only the PTR record type should be used in the zone.

Configuring the reverse DNS record for the IP address assigned to your Azure service. Azure lets you configure the reverse lookup for the IP addresses allocated to your Azure service. Azure publishes this reverse lookup as a PTR record in the corresponding ARPA zone. These ARPA zones, corresponding to all the IP ranges used by Azure, are hosted by Microsoft.

Next steps

For more information on reverse DNS, see reverse DNS lookup on Wikipedia.
Learn how to host the reverse lookup zone for your ISP-assigned IP range in Azure DNS.
Learn how to manage reverse DNS records for your Azure services.