Reverse zone
The Reverse zone checker inspects the PTR records of a reverse DNS zone (in-addr.arpa or ip6.arpa) and validates that they are well formed and consistent with forward DNS. It verifies Forward-Confirmed Reverse DNS (FCrDNS), that targets resolve and are syntactically valid host names, flags generic or auto-generated names and short TTLs, and catches multiple-PTR-per-IP violations (RFC 1912 §2.1). Correct reverse DNS matters in practice: mail servers and SSH endpoints routinely reject or downgrade connections from IPs without proper FCrDNS.
This checker is zone-level: it operates on the full content of a reverse zone (it applies to the domain and reads the whole zone).
What it checks
| Finding code | What it verifies | Severity |
|---|---|---|
reverse_zone.is_reverse_arpa |
The zone is under in-addr.arpa or ip6.arpa. |
Critical |
reverse_zone.has_ptrs |
The reverse zone declares at least one PTR record. |
Warning |
reverse_zone.fcrdns |
Every PTR target’s A/AAAA round-trips back to the original IP (Forward-Confirmed Reverse DNS). |
Critical |
reverse_zone.target_resolves |
Every PTR target resolves to at least one A or AAAA record. |
Critical |
reverse_zone.single_ptr_per_ip |
Flags IPs with multiple PTR records (RFC 1912 §2.1 recommends exactly one). |
Warning |
reverse_zone.target_syntax |
Every PTR target is a syntactically valid host name. |
Critical |
reverse_zone.generic_hostname |
Flags PTR targets that embed the IP or match common ISP auto-generated patterns. |
Warning |
reverse_zone.ttl_hygiene |
Flags PTR records whose TTL is below the configured minimum. |
Warning |
reverse_zone.truncated |
Reports when the zone has more PTRs than the configured cap allows to inspect. |
Info |
Options
| Option | Meaning | Default |
|---|---|---|
requireForwardMatch |
When enabled, a PTR whose target does not resolve back to the original IP is critical (otherwise warning). Mail and SSH servers require FCrDNS. |
true |
allowMultiplePTR |
When disabled, more than one PTR at the same owner is reported as warning (RFC 1912 §2.1 recommends a single PTR per IP). |
false |
minTTL |
PTR records with a TTL below this threshold (in seconds) are flagged as warning. |
300 |
flagGenericPTR |
When enabled, PTR targets that embed the dotted IP or match common ISP auto-generated patterns are flagged as warning. |
true |
maxPTRsToCheck |
Caps the number of PTR records inspected per run, protecting the checker against very large reverse zones. |
1024 |
Forward-Confirmed Reverse DNS
FCrDNS means the PTR target, looked up forward, resolves back to the original IP address. A PTR that points to a host whose A/AAAA does not include that IP fails the round-trip and is treated as a misconfiguration by many mail and SSH servers.
In happyDomain
Enable the Reverse zone checker on a reverse (in-addr.arpa / ip6.arpa) domain from its Checks view. See /en/pages/checks/ for the full workflow.