Forward-confirmed Reverse DNS

FCrDNS, or forward-confirmed reverse DNS, also known as full-circle reverse DNS, double-reverse DNS, or iprev, is a situation where a given IP address has forward (name-to-address) and reverse (address-to-name) DNS entries that match each other. The process of checking this is as follows (described as a Proposed Standard by RFC 5451, section 3; and previously outlined in RFC 1912, especially section 2.1):

  1. First a reverse DNS lookup (PTR query) is performed on the IP address, which returns a list of zero or more PTR records.
  2. For each domain name returned in the PTR query results, a regular 'forward' DNS lookup (type A or AAAA query) is then performed on that domain name.
  3. Any A or AAAA record returned by the second query is then compared against the original IP address, and if there is a match, then the FCrDNS check passes.

Example:

    DNS query type PTR on 192.0.2.4 --> returns PTR-record="hostname.example.com" (1 result)
    DNS query type A on "hostname.example.com" --> returns A-record=192.0.2.4 (1 result)
    Matches original IP address, therefore check passes

Some systems may need to do a reverse DNS lookup, for example to log or authenticate connecting clients. Iprev is a way to verify that the name returned by the reverse lookup is really the proper hostname. An attacker who controls only the reverse DNS cannot then fake the hostname of the connecting client, because the hostname would resolve back to a different IP address. When this test fails, it is usually a good indication that the reverse lookup should not be trusted for anything.
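The three-step check and the spoofed-reverse-zone case described above, as an added Python example (not part of the original page). The lookup functions are injectable so the check can run offline against constructed records; `fcrdns`, `system_ptr`, `system_forward`, `sample_check` and the `PTR`/`FWD` tables are names chosen for this illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Step 1 via the OS resolver. Note: it may expose only one PTR name."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:          # no PTR record, or resolver failure
        return []
    return [name, *aliases]

def system_forward(name):
    """Step 2 via the OS resolver: A and AAAA answers as address strings."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return the PTR names that resolve back to ip; an empty list means fail."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        for addr in forward_lookup(name):
            try:
                # Compare parsed addresses so equivalent IPv6 spellings match.
                if ipaddress.ip_address(addr) == target:
                    confirmed.append(name)
                    break
            except ValueError:   # malformed answer: ignore it
                continue
    return confirmed

# Constructed sample records (documentation ranges), not real DNS data.
PTR = {
    "192.0.2.4": ["hostname.example.com"],
    "192.0.2.66": ["mail.example.com"],   # reverse zone names a host it does not own
    "2001:db8::1": ["v6.example.com"],
}
FWD = {
    "hostname.example.com": ["192.0.2.4"],
    "mail.example.com": ["192.0.2.25"],   # forward zone points elsewhere
    "v6.example.com": ["2001:0db8:0000:0000:0000:0000:0000:0001"],
}

def sample_check(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda a: PTR.get(a, []), lambda n: FWD.get(n, []))
```

Calling `fcrdns(ip)` with no lookup arguments uses the system resolver; a logging or access-control path should record the PTR name only when the returned list is non-empty.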

It's not recommended to use this for authentication without authentication of the DNS itself with something like DNSSEC.

It's considered good practice that all reverse DNS is forward confirmed, following the instructions in RFC 1033 on "Adding a host".
