Inferensys

Glossary

Forward Confirmed Reverse DNS

Forward Confirmed Reverse DNS (FCrDNS) is a rigorous verification method where a reverse DNS lookup on an IP address is validated by a forward DNS lookup on the resulting hostname to ensure the records match, confirming network identity.
Enterprise console with connected nodes and monitoring panels for orchestrated systems.
NETWORK IDENTITY VERIFICATION

What is Forward Confirmed Reverse DNS?

A rigorous verification method where a reverse DNS lookup on an IP address is validated by a forward DNS lookup on the resulting hostname to ensure the records match, confirming network identity.

Forward Confirmed Reverse DNS (FCrDNS) is a network identity verification protocol that establishes a bidirectional trust relationship between an IP address and its hostname. The process requires that a PTR record (reverse DNS) resolves the IP to a hostname, and a subsequent A record (forward DNS) lookup on that hostname resolves back to the original IP address, creating a cryptographic-strength assertion of identity.

This technique is critical for distinguishing residential ISP traffic from datacenter IP detection evasion attempts, as cloud-hosted scrapers often possess generic reverse DNS entries that fail forward confirmation. Email servers rely on FCrDNS as a primary anti-spam heuristic, while enterprise bot management systems use it to validate that a connecting host genuinely belongs to the organization its hostname claims.

NETWORK IDENTITY VERIFICATION

Key Characteristics of FCrDNS

Forward Confirmed Reverse DNS is a rigorous two-step verification method that validates a connecting host's identity by cross-referencing forward and reverse DNS records, ensuring the claimed hostname genuinely maps to the originating IP address.

01

Bidirectional Resolution

FCrDNS requires a two-step validation process: first, a reverse DNS (PTR) lookup resolves the IP address to a hostname. Then, a forward DNS (A or AAAA) lookup on that hostname must return the original IP address. This circular verification ensures the DNS records are symmetrically consistent, preventing trivial spoofing where an attacker controls only the reverse record. Without forward confirmation, any IP owner can set a PTR record claiming to be google.com.

02

Spam and Email Authentication

FCrDNS is a foundational trust signal in anti-spam filtering and email server authentication. Mail transfer agents (MTAs) like Postfix and Sendmail perform FCrDNS checks on connecting SMTP clients. A failed confirmation often results in greylisting, higher spam scores, or outright rejection. Legitimate mail servers are expected to have matching forward and reverse records, while botnet nodes and compromised residential hosts typically fail this check. It complements SPF, DKIM, and DMARC as a network-layer trust indicator.

03

Crawler Identity Verification

For AI crawler identification, FCrDNS serves as a critical verification layer beyond User-Agent strings. When a bot claims to be Googlebot, performing an FCrDNS check on its IP should resolve back to a *.googlebot.com or *.google.com hostname. This prevents User-Agent spoofing by scrapers who set their UA string to mimic legitimate crawlers. Combined with IP reputation databases and ASN blocking, FCrDNS provides cryptographic-grade certainty about crawler origin.

04

Residential vs. Datacenter Detection

FCrDNS hostnames often reveal the network type of the originating IP. Residential ISP connections typically resolve to hostnames containing patterns like cpe-*-*-*-*.rr.com or pool-*-*-*-*.verizon.net. Datacenter and cloud IPs resolve to hostnames like ec2-*-*-*-*.compute.amazonaws.com or *.your-server.de. This allows datacenter IP detection without relying solely on external reputation databases, enabling real-time blocking of cloud-hosted scrapers while allowing legitimate residential traffic.

05

PTR Record Delegation

Reverse DNS zones are delegated differently than forward zones. The IP owner—typically the ISP or hosting provider—controls the PTR record, not the domain owner. For example, an EC2 instance's PTR is managed by AWS, not the application operator. This means FCrDNS verification requires coordination with the infrastructure provider to set correct PTR records. Legitimate crawler operators like Google and OpenAI maintain their own IP space and PTR delegations, making FCrDNS a reliable authenticity signal.

06

IPv6 Considerations

FCrDNS for IPv6 uses PTR records in the ip6.arpa zone, with the address represented as fully expanded, reversed nibbles. The larger address space makes reverse delegation more granular. However, many IPv6 deployments have incomplete or missing PTR records, making FCrDNS less reliable for IPv6-only hosts. Security architects should implement dual-stack FCrDNS policies that apply stricter scrutiny to IPv6 connections lacking valid reverse mappings, as this is a common evasion vector for scrapers.

IDENTITY VERIFICATION

Frequently Asked Questions

Essential questions about Forward Confirmed Reverse DNS, the definitive technique for cryptographically verifying the authenticity of a connecting host's network identity.

Forward Confirmed Reverse DNS (FCrDNS) is a two-stage network identity verification protocol that validates a connecting IP address by performing a reverse DNS lookup followed by a forward DNS lookup on the resulting hostname to confirm the records match. The process begins when a server receives a connection from an IP address and executes a PTR (Pointer) record query in the in-addr.arpa domain to resolve the IP to a hostname. The server then performs a forward A (Address) record lookup on that hostname. If the returned IP address matches the original connecting IP, the identity is confirmed. This bidirectional validation prevents trivial IP spoofing where an attacker configures a PTR record pointing to a trusted domain without controlling that domain's forward zone. FCrDNS is a foundational trust mechanism in email anti-spam systems, SSH authentication, and enterprise bot management platforms.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.