Best Practices for Managing Reverse DNS (PTR) Records During Server Migration: Dual IPs to Single Domain Case


2 views

When migrating web servers while maintaining the same domain, reverse DNS (rDNS) configuration becomes a critical infrastructure consideration. The scenario involves:

Old server: 192.0.2.1 → mydomain.com (PTR)
New server: 203.0.113.45 → (pending PTR setup)
Current A record: mydomain.com → 192.0.2.1

Having multiple IPs resolve to the same domain via PTR records isn't inherently problematic from a DNS protocol perspective. However, certain systems may interpret this configuration in specific ways:

  • Email Servers: Many MTAs perform rDNS checks where multiple IPs resolving to the same domain might trigger spam filters
  • Security Scanners: Some vulnerability assessment tools flag this as a potential "DNS hijacking" indicator
  • Certificate Authorities: LetsEncrypt's HTTP-01 challenge may behave differently with duplicate PTRs

The optimal approach depends on your migration timeline:

# Recommended BIND zone file configuration
; Old server
1.2.0.192.in-addr.arpa. IN PTR old.mydomain.com.

; New server (pre-migration)
45.113.0.203.in-addr.arpa. IN PTR staging.mydomain.com.

; Post-migration (cutover)
45.113.0.203.in-addr.arpa. IN PTR mydomain.com.
1.2.0.192.in-addr.arpa. IN PTR legacy.mydomain.com.

For those using cloud providers, here are platform-specific examples:

AWS Route53 CLI Example

aws route53 change-resource-record-sets \
--hosted-zone-id Z1PA6795UKMFR9 \
--change-batch '{
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "45.113.0.203.in-addr.arpa.",
      "Type": "PTR",
      "TTL": 300,
      "ResourceRecords": [{ "Value": "staging.mydomain.com." }]
    }
  }]
}'

When testing your configuration, these commands are essential:

# Verify PTR records
dig +short -x 203.0.113.45
dig +short -x 192.0.2.1

# Check SMTP server reactions
telnet mail.example.com 25
EHLO mydomain.com

Always remember to monitor your mail server logs for any unexpected rejections during the transition period.

When migrating servers or setting up new infrastructure, a common DNS configuration question arises: Is it problematic to have multiple IP addresses resolve to the same domain name via reverse DNS (PTR records)? Let's examine this through both theoretical and operational lenses.

From a pure DNS protocol perspective, having multiple PTR records pointing to the same domain is technically valid. RFCs don't prohibit this configuration. However, operational considerations exist:


# Example BIND zone file snippet for multiple PTR records
$ORIGIN 1.168.192.in-addr.arpa.
1       IN PTR     mydomain.com.
2       IN PTR     mydomain.com.

The most critical impact appears in email systems. Many spam filters check:

  • Forward-confirmed reverse DNS (FCrDNS) consistency
  • SMTP HELO/EHLO matching

When both IPs resolve to the same domain but only one has matching A records, this breaks FCrDNS:


# Current mismatch example (problematic)
Old Server: 192.168.1.1 → PTR → mydomain.com → A → 192.168.1.1 (valid)
New Server: 192.168.1.2 → PTR → mydomain.com → A → 192.168.1.1 (invalid)

For server migrations, implement this phased approach:

  1. Create temporary PTR records during migration (e.g., newserver.mydomain.com)
  2. Update A records first during DNS cutover
  3. Synchronize PTR record updates immediately after

Consider using service-specific subdomains for clearer reverse DNS:


# Preferred configuration
web1.mydomain.com.    IN A     192.168.1.1
web2.mydomain.com.    IN A     192.168.1.2
1.1.168.192.in-addr.arpa. IN PTR web1.mydomain.com.
2.1.168.192.in-addr.arpa. IN PTR web2.mydomain.com.

Verify your configuration with these diagnostic commands:


# Linux/macOS verification
dig +short -x 192.168.1.1
dig +short mydomain.com
host 192.168.1.1