CIDR-Based Reverse DNS Delegation: Best Practices for /22 and /25 Subnets in Modern Networks

Traditional reverse DNS delegation was designed around classful networks (Class A, B, C). With CIDR becoming the standard, we need new approaches to properly delegate authority for arbitrary subnet sizes. The key challenge lies in the hierarchical nature of the in-addr.arpa zone structure.

Reverse DNS delegation requires creating NS records in the parent zone that point to authoritative servers for the subnet. The exact method varies slightly between DNS implementations:

; BIND-style example for /22 delegation: in the parent /16 zone, each /24 inside
; the block gets its own NS set. A range label such as "21-24" is not a delegation
; point, because no PTR query name (e.g. 5.21.168.192.in-addr.arpa) ever contains it.
$ORIGIN 168.192.in-addr.arpa.
20      IN NS ns1.subdomain.example.com.
        IN NS ns2.subdomain.example.com.
; ... and the same two NS records for 21, 22 and 23

For a /22 (1024 addresses), you'll need four NS delegations in the parent zone, one for each of the four /24 subzones it contains (192.168.20.0/22 covers third octets 20 through 23):

; Delegation for 192.168.20.0/22
$ORIGIN 168.192.in-addr.arpa.
20      IN NS ns1.yourdomain.com.
21      IN NS ns1.yourdomain.com.
22      IN NS ns1.yourdomain.com.
23      IN NS ns1.yourdomain.com.

Smaller subnets like /25 (128 addresses) require more creative solutions since they don't align with octet boundaries:

; Solution 1 (RFC 2317 style): delegate the enclosing /24 as usual, then split
; the /25 off inside that /24 zone with $GENERATE in BIND
$ORIGIN 168.192.in-addr.arpa.
25      IN NS ns1.yourdomain.com.

; Then in the 25.168.192.in-addr.arpa zone file: delegate a "128-255" subzone
; for 192.168.25.128/25 and alias every PTR name in that range into it
$ORIGIN 25.168.192.in-addr.arpa.
128-255 IN NS ns1.subnet.example.com.
$GENERATE 128-255 $ CNAME $.128-255

Alternatively, for Windows DNS:

; Create a 25.168.192.in-addr.arpa zone
; Then add PTR records for 128-255 only

BIND: Supports $GENERATE for easier management of non-octet boundaries
Windows DNS: Requires creating separate zones for each subnet
djbdns: Needs manual CNAME creation due to simpler architecture

Here's a complete BIND configuration for a /22 delegation:

// named.conf fragment (named.conf comments use //, # or /* */; ";" ends a statement)
zone "20.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.20";
    allow-update { none; };
};

zone "21.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.21";
    allow-update { none; };
};

// Repeat for .22 and .23

And the corresponding zone file:

; db.192.168.20
$TTL 86400
@ IN SOA ns1.example.com. hostmaster.example.com. (
    2023081501 ; serial
    3600       ; refresh
    900        ; retry
    604800     ; expire
    3600       ; minimum
)

; owner must be given (or the line indented); an unindented "IN" is parsed as an owner name
@       IN NS ns1.example.com.
@       IN NS ns2.example.com.

$GENERATE 1-254 $ IN PTR host-$.example.com.

The in-addr.arpa hierarchy follows octet boundaries. For a /16 (Class B-sized) network such as 192.168.0.0/16, the zone is 168.192.in-addr.arpa. CIDR blocks that do not end on an octet boundary therefore need creative solutions.

There are two primary approaches for CIDR delegation:

Method 1: Subzone Delegation

This creates a new zone for each /24 inside the subnet and delegates it with NS records in the parent. For BIND 9, the parent-zone records look like:

$ORIGIN 168.192.in-addr.arpa.
; Delegation for /22 (192.168.0.0/22): one NS set per /24 (a "0-3" label would never be queried)
0       IN NS  ns1.subnet.example.com.
        IN NS  ns2.subnet.example.com.
1       IN NS  ns1.subnet.example.com.
        IN NS  ns2.subnet.example.com.
; likewise for 2 and 3

Method 2: CNAME Chains

This keeps the PTR owner names in the parent zone but turns each one into a CNAME pointing into a delegated subzone that holds the real PTR records. Example for a /25:

$ORIGIN 168.192.in-addr.arpa.
; Delegation for /25 (192.168.0.0/25), RFC 2317 style: the PTR names for
; 192.168.0.0-127 live in this zone, so alias each one into a delegated "0-127.0" subzone
0-127.0 IN NS    ns1.subnet.example.com.
$GENERATE 0-127 $.0 CNAME $.0-127.0.168.192.in-addr.arpa.

Different DNS servers handle CIDR delegation differently:

BIND Configuration

// on the delegated server: one zone statement per /24 in the /22
zone "0.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.0";
};
// and the same for 1, 2 and 3

Microsoft DNS Approach

Use the DNS Manager GUI to create reverse lookup zones for each subnet, or PowerShell:

Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/22" -ZoneFile "0-3.168.192.in-addr.arpa.dns"

For our Class B network (168.192.in-addr.arpa), here are complete examples:

Delegating a /22 Subnet

; Main zone file (168.192.in-addr.arpa)
$ORIGIN 168.192.in-addr.arpa.
@       IN SOA  ns1.example.com. admin.example.com. (
                2023081501 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400      ; minimum
                )

; Name servers
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.

; /22 delegation (192.168.0.0/22): one NS set per /24 (labels 0, 1, 2 and 3)
0       IN NS   ns1.subnet.example.com.
0       IN NS   ns2.subnet.example.com.
1       IN NS   ns1.subnet.example.com.
1       IN NS   ns2.subnet.example.com.
; ... and the same pair for 2 and 3

Delegating a /25 Subnet

; Main zone file (168.192.in-addr.arpa)
$ORIGIN 168.192.in-addr.arpa.
@       IN SOA  ns1.example.com. admin.example.com. (
                2023081501 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400      ; minimum
                )

; Name servers
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.

; /25 delegation (192.168.0.0/25): NS-delegate a "0-127.0" subzone, then alias every PTR name in the range into it
0-127.0 IN NS    ns1.subnet.example.com.
0-127.0 IN NS    ns2.subnet.example.com.
$GENERATE 0-127 $.0 CNAME $.0-127.0.168.192.in-addr.arpa.
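Both delegation shapes above (one NS set per /24 for a /22, and the NS-plus-CNAME pattern for a /25) follow a single rule, generalised here in an added Python example that is not part of the article: find the enclosing octet-aligned parent zone, then emit either one NS set per child block or, for prefixes longer than /24, an RFC 2317 "first-last" subzone with $GENERATE'd CNAMEs. It assumes the enclosing /24 zone exists for the RFC 2317 case (the main-zone example above writes the same labels one level up because its /24 is not split out), and the name servers are placeholders.

```python
import ipaddress


def ptr_owner_name(addr: str) -> str:
    """in-addr.arpa name a resolver queries for the PTR record of addr."""
    return ".".join(reversed(addr.split("."))) + ".in-addr.arpa."


def delegation_records(cidr: str, nameservers: list[str]) -> tuple[str, list[str]]:
    """Return (parent zone, zone-file lines to add to it) that delegate cidr.

    /24 or shorter: parent is the enclosing octet-aligned zone and each child
    block at the next octet boundary gets its own NS set.
    Longer than /24: RFC 2317 style inside the enclosing /24 zone, an NS-delegated
    "first-last" subzone plus one CNAME per address produced by $GENERATE.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects unaligned prefixes
    if net.prefixlen == 0:
        raise ValueError("cannot delegate the whole address space")
    octets = str(net.network_address).split(".")
    if net.prefixlen <= 24:
        parent_len = ((net.prefixlen - 1) // 8) * 8  # /22 -> 16, /24 -> 16, /16 -> 8
        depth = parent_len // 8                      # labels already in the parent
        parent = ".".join(list(reversed(octets[:depth])) + ["in-addr.arpa."])
        lines = []
        for child in net.subnets(new_prefix=parent_len + 8):
            label = str(child.network_address).split(".")[depth]
            lines += [f"{label:<8}IN NS {ns}" for ns in nameservers]
        return parent, lines
    parent = ".".join(reversed(octets[:3])) + ".in-addr.arpa."
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    label = f"{first}-{last}"
    lines = [f"{label:<8}IN NS {ns}" for ns in nameservers]
    # every PTR name in the range becomes an alias into the delegated subzone
    lines.append(f"$GENERATE {first}-{last} $ CNAME $.{label}.{parent}")
    return parent, lines


if __name__ == "__main__":
    # the two cases from the article, with placeholder name servers
    for cidr in ("192.168.20.0/22", "192.168.0.128/25"):
        parent, lines = delegation_records(cidr, ["ns1.example.com.", "ns2.example.com."])
        print(f"; add to zone {parent}")
        print("\n".join(lines), end="\n\n")
```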

1. Prefer subzone delegation for larger subnets (/24 and larger)
2. Use CNAME chains for smaller subnets (/25 and smaller)
3. Maintain consistent serial numbers across related zones
4. Document all delegations thoroughly

When delegation fails, check:
- NS records exist in both parent and child zones
- Zone files are properly formatted
- Serial numbers increment after changes
- All name servers are reachable and authoritative