Reverse DNS Zone Generator

IPv4 subnet:

Enter the delegated IPv4 range, for example 192.0.2.128/28 or 10.20.30.0/24.

Forward hostname suffix:

Use the forward DNS zone for PTR targets, such as corp.example or example.internal.

Default TTL:

Seconds accepted; 300, 3600, and 86400 are common values.

seconds

Primary nameserver:

Use an authoritative nameserver hostname; relative labels are expanded under the forward hostname suffix.

Responsible mailbox:

Enter hostmaster@corp.example or hostmaster.corp.example.; the zone uses SOA RNAME syntax.

Zone serial:

Use an increasing unsigned 32-bit value, for example 2026050401.

Authoritative nameservers:

Enter one hostname per line; at least two nameservers are recommended for delegated public zones.

PTR entries:

Use CSV rows such as 192.0.2.130,mail.corp.example. or 131,vpn; blank hostnames use the fallback pattern.

Rows stay local and update the zone text immediately.

Classless zone label:

Hyphen style avoids slash handling surprises during zone transfers; slash style matches many RFC2317 examples.

Parent CNAME coverage:

PTR entries only is smallest; usable range prepares the whole delegated host range.

Fallback PTR hostname:

Keep the default for predictable hostnames, or enter a naming pattern such as node-{offset}.{domain}.

Duplicate address policy:

Keep first prevents accidental multi-PTR answers; keep all is available for intentional aliases.

Sort PTR records:

Leave on for predictable zone diffs and reviewer-friendly exports.

SOA refresh:

Seconds accepted; 3600 is a common default for small zones.

seconds

SOA retry:

Keep retry shorter than refresh so temporary transfer failures recover quickly.

seconds

SOA expire:

Use a value comfortably larger than refresh and retry.

seconds

SOA minimum:

Use a value aligned with your negative caching policy.

seconds

Include generated comments:

Turn off when you need only zone directives and resource records in the exported file.

{{ result.zoneText }}

{{ result.parentText }}

IPv4	Owner	PTR target	TTL	Source	Copy
{{ row.ip }}	{{ row.owner }}	{{ row.target }}	{{ row.ttl }}	{{ row.source }}
No valid PTR rows are ready for export.

Severity	Check	Current	Action	Copy
{{ row.severity }}	{{ row.check }}	{{ row.current }}	{{ row.action }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A reverse DNS lookup turns an IP address back into a hostname. In IPv4, that answer lives under the in-addr.arpa tree, where the address octets are reversed before a PTR record names the host. The direction matters: forward DNS starts with a name and finds an address, while reverse DNS starts with the address that appeared in a log, mail connection, monitoring alert, or abuse report.

PTR records are often treated as housekeeping, but they carry real operational weight. Mail systems use them as one signal when judging a sending address, hosting teams use them to make customer assignments recognizable, and network operators use them to keep incident evidence readable. A PTR record is not proof of identity or ownership, yet a missing or stale one can slow down troubleshooting and make an otherwise legitimate service look unfinished.

Authority is the boundary that causes most reverse DNS surprises. Controlling example.com does not automatically let you publish PTR records for 192.0.2.130. The organization that holds the reverse DNS parent for the address block, usually an ISP, cloud provider, hosting provider, or registry delegation, must serve the zone or delegate the matching child zone to your nameservers.

PTR record: The DNS record that maps a reverse owner name to a hostname.
Reverse origin: The zone name below in-addr.arpa, such as 2.0.192.in-addr.arpa. for 192.0.2.0/24.
SOA record: The authority header that carries the primary nameserver, responsible mailbox, serial, and zone timing values.
Classless delegation: The RFC2317 pattern used when a delegated IPv4 range is smaller than a clean /24 reverse zone.

The useful mental model is to separate the final PTR answer from the path a resolver must follow. The owner label, reverse origin, parent delegation, SOA header, nameserver list, and address coverage all need to describe the same allocation. If those pieces disagree, the PTR row may be syntactically valid but unreachable from public DNS.

How to Use This Tool:

Start with the delegated IPv4 range, then enter the authority and PTR information that should appear in the zone text. The generated output changes as the fields change, so use the checks before copying records into a DNS change.

Enter IPv4 subnet as CIDR, such as 192.0.2.128/28 or 10.20.30.0/24. If the address contains host bits, the range is normalized to its network base.
Set Forward hostname suffix, Default TTL, Primary nameserver, Responsible mailbox, Zone serial, and Authoritative nameservers. Relative hostnames are expanded under the forward suffix where that is appropriate.
Paste PTR entries as address,hostname,ttl,note rows. The address can be a full IPv4 address, a final octet for matching ranges, or a reverse owner label. Leave the hostname blank only when the fallback pattern should fill it.
Use Load sample for a working classless example, Normalize to rewrite current names and rows into generated form, and Reset entries when you want to clear the PTR list.
Open Advanced for RFC2317 child-label style, parent CNAME coverage, duplicate-address policy, record sorting, SOA timers, fallback hostname pattern, and generated comments.
Read Zone Checks before handoff. Needs edits means blocking input problems remain, Review warnings means the zone text needs operator review, and Ready to lint means local checks did not find blocking issues.
Copy or download Reverse Zone. When the result uses the RFC2317 child strategy, give the Parent CNAMEs output to the operator of the parent /24 reverse zone as well.

Interpreting Results:

Ready to lint is a local drafting status. It means the entered fields produced internally consistent zone text, not that the parent delegation exists, the zone has loaded on an authoritative server, or the PTR target has matching forward records.

Review warnings points to conditions that often need a DNS operator's judgment. Examples include a single nameserver, a primary nameserver missing from the NS list, a serial that is valid but not date-shaped, SOA timer relationships, duplicate PTR rows, or a non-octet prefix that can only be emitted as a parent-zone fragment.

Reverse DNS outputs and review cues
Result area	What it contains	How to review it
`Reverse Zone`	Zone text with `$ORIGIN`, `$TTL`, SOA, NS, and PTR records.	Lint it with the DNS server family that will serve the zone.
`Parent CNAMEs`	Parent-zone NS and CNAME records for RFC2317 classless ranges.	Use this only when the strategy says `RFC2317 child`.
`PTR Ledger`	A row table showing each IP, owner label, target, TTL, and note.	Compare the ledger with the address assignment plan before publishing.
`Zone Checks`	Blocking errors, warnings, normalization notes, and authority reminders.	Fix high-severity rows before using the generated zone text.
`JSON`	Structured inputs, generated records, parent details, checks, and zone text.	Attach it to a ticket or change record when repeat review matters.

PTR targets should normally be hostnames that have suitable forward address records. Some mail and hosting checks expect forward-confirmed reverse DNS, where the PTR name resolves back to the same address. The reverse-zone output does not perform that forward lookup.

Technical Details:

IPv4 reverse DNS follows the address hierarchy, not the forward-domain hierarchy. A /24 block such as 192.0.2.0/24 becomes 2.0.192.in-addr.arpa., and the address 192.0.2.130 is represented by owner label 130 inside that zone. The PTR record then points from that owner label to the target hostname.

Octet boundaries are straightforward because DNS labels line up with the dotted IPv4 octets. Prefixes smaller than a /24 cut through the last octet, so RFC2317 creates a child label beneath the parent /24 reverse zone and uses parent CNAME records to steer individual address owners into that child zone.

Rule Core:

Reverse DNS strategy by IPv4 prefix length
CIDR shape	Generated strategy	Owner labels	Parent-zone requirement
`/8`	Standard first-octet reverse zone.	Three reversed host octets.	No parent CNAME snippet is generated.
`/16`	Standard second-octet reverse zone.	Two reversed host octets.	No parent CNAME snippet is generated.
`/24`	Standard third-octet reverse zone.	Final octet.	No parent CNAME snippet is generated.
`/25` to `/32`	RFC2317 child zone below the parent `/24`.	Final octet inside the child zone.	Parent NS records and CNAME stubs are generated.
`/9` to `/23`, except `/16`	Parent-zone fragment with a warning.	Remaining reversed octets below the nearest safe parent origin.	No RFC2317 parent snippet is generated for this case.

The accepted subnet range is /8 through /32. CIDR input is normalized to the base network address before the reverse origin, broadcast address, range size, owner labels, and parent-record strategy are calculated.

Transformation Core:

Reverse DNS zone generation stages
Stage	Input	Generated result
CIDR parsing	IPv4 subnet and prefix length.	Normalized network, broadcast address, address count, reverse origin, and strategy.
Authority header	TTL, serial, primary nameserver, responsible mailbox, SOA timers, and NS list.	`$ORIGIN`, `$TTL`, SOA, and apex NS records.
PTR rows	`address,hostname,ttl,note` rows.	PTR records, ledger rows, duplicate handling, and optional per-record TTLs.
Fallback names	Rows with an address but no hostname.	Hostnames filled from `{last}`, `{offset}`, `{ip}`, and `{domain}` tokens.
Parent coverage	PTR entries only, usable subnet addresses, or all subnet addresses.	CNAME stubs for the selected RFC2317 address coverage.

Classless child labels can be written as 128-28, 128/28, or 128.28. Hyphen labels avoid slash handling surprises in some zone-transfer and file workflows, while slash labels resemble many RFC2317 examples. The parent CNAME target and child reverse origin must use the same label style.

Validation Boundaries:

Reverse DNS validation boundaries
Area	Boundary	Why it matters
IPv4 subnet	CIDR notation with a prefix from `/8` to `/32`.	Keeps the reverse origin inside the supported IPv4 delegation shapes.
PTR address scope	Every PTR address must fall inside the normalized subnet.	Prevents records for unrelated addresses from entering the zone.
TTL and SOA timers	Whole seconds from `0` to `2147483647`.	Keeps cache and transfer timing values inside the accepted numeric range.
SOA serial	Digits only, unsigned 32-bit maximum, with a warning when the value is not shaped like `YYYYMMDDnn`.	Secondary nameservers use the serial to detect newer zone data.
DNS names	Forward suffix, nameservers, mailbox domain, and PTR targets are normalized as DNS names.	Catches URLs, invalid labels, missing dots, and SOA mailbox conversion issues.
Duplicate addresses	Duplicates can keep the first row, keep the last row, or keep all rows.	Supports conservative one-PTR-per-address output while allowing intentional multiple answers.

Accuracy and Privacy Notes:

The generated text is a draft for DNS review. Validate it with the DNS server software that will serve the zone, confirm parent delegation with the address-block holder, and test lookups after deployment. Local checks cannot prove that a registry, ISP, cloud provider, or authoritative server has accepted the records.

Run a zone checker such as named-checkzone against the copied zone text.
Install parent NS and CNAME records when RFC2317 output is used.
Verify matching forward records when policy requires forward-confirmed reverse DNS.
Increment the SOA serial before each authoritative reload or transfer rollout.

The entered values are processed in the browser. Record generation uses the values you type; it does not perform live DNS lookups, contact authoritative nameservers, or verify records with a registry or provider.

Worked Examples:

Classless hosting block. A delegated range of 192.0.2.128/28 uses an RFC2317 child zone under 2.0.192.in-addr.arpa.. PTR rows for 192.0.2.130, 192.0.2.131, and bare final octet 132 become owner labels in that child zone. The parent zone still needs CNAME stubs for the selected address coverage.

Direct /24 zone. A range of 192.0.2.0/24 uses 2.0.192.in-addr.arpa. directly. PTR owners are final octets such as 130, and the parent-record output explains that RFC2317 records are not required.

Blank hostname row. A row with address 133 and no hostname uses the fallback pattern. With host-{last}.{domain} and forward suffix corp.example, the PTR target becomes host-133.corp.example..

Out-of-range address. A PTR row for 192.0.2.250 inside a 192.0.2.128/28 draft is blocked because the address does not belong to that delegated range, even though the final octet would be valid in a larger parent /24.

FAQ:

When are Parent CNAMEs required?

They are required for the generated RFC2317 child strategy, used for /25 through /32 ranges. The parent /24 reverse-zone operator must publish the parent records so lookups reach the child zone.

Why was my subnet changed?

CIDR ranges are based on the network address. If the typed address contains host bits, the range is normalized to its base address before owner labels and origins are generated.

Can one address have multiple PTR records?

DNS can return multiple PTR records for one owner name, but many operational policies prefer one clear hostname per address. Use the duplicate-address policy to keep the first row, keep the last row, or keep all rows.

Why does the responsible mailbox use dots?

The SOA RNAME field uses DNS label form instead of normal email form. A mailbox such as hostmaster@example.com becomes hostmaster.example.com., and dots in the local part are escaped when needed.

Does a PTR record prove that forward DNS is correct?

No. A PTR record maps from address to name. Check forward A or AAAA records separately when your policy requires the name to resolve back to the same address.

Glossary:

in-addr.arpa: The IPv4 reverse DNS namespace where address octets are arranged from least-specific to most-specific DNS label order.
PTR record: A pointer record that maps a reverse owner name to a hostname.
RFC2317: The classless IPv4 reverse delegation pattern that combines a child reverse zone with parent CNAME records.
SOA serial: The numeric version field used by secondary nameservers to detect changed zone data.
SOA minimum: The SOA field commonly used for negative-cache timing under modern DNS behavior.

References:

RFC 1035: Domain Names - Implementation and Specification, RFC Editor, November 1987.
RFC 2317: Classless IN-ADDR.ARPA Delegation, IETF, March 1998.
RFC 2308: Negative Caching of DNS Queries, RFC Editor, March 1998.
ISC Knowledgebase: Classless in-addr.arpa subnet delegation, Internet Systems Consortium, updated May 25, 2021.
ARIN: Managing Resource Records, American Registry for Internet Numbers.