Forward Confirmed Reverse DNS (FCrDNS) is a network identity verification protocol that establishes a bidirectional trust relationship between an IP address and its hostname. The process requires that a PTR record (reverse DNS) resolves the IP to a hostname, and a subsequent A record (forward DNS) lookup on that hostname resolves back to the original IP address, creating a cryptographic-strength assertion of identity.
Glossary
Forward Confirmed Reverse DNS

What is Forward Confirmed Reverse DNS?
A rigorous verification method where a reverse DNS lookup on an IP address is validated by a forward DNS lookup on the resulting hostname to ensure the records match, confirming network identity.
This technique is critical for distinguishing residential ISP traffic from datacenter IP detection evasion attempts, as cloud-hosted scrapers often possess generic reverse DNS entries that fail forward confirmation. Email servers rely on FCrDNS as a primary anti-spam heuristic, while enterprise bot management systems use it to validate that a connecting host genuinely belongs to the organization its hostname claims.
Key Characteristics of FCrDNS
Forward Confirmed Reverse DNS is a rigorous two-step verification method that validates a connecting host's identity by cross-referencing forward and reverse DNS records, ensuring the claimed hostname genuinely maps to the originating IP address.
Bidirectional Resolution
FCrDNS requires a two-step validation process: first, a reverse DNS (PTR) lookup resolves the IP address to a hostname. Then, a forward DNS (A or AAAA) lookup on that hostname must return the original IP address. This circular verification ensures the DNS records are symmetrically consistent, preventing trivial spoofing where an attacker controls only the reverse record. Without forward confirmation, any IP owner can set a PTR record claiming to be google.com.
Spam and Email Authentication
FCrDNS is a foundational trust signal in anti-spam filtering and email server authentication. Mail transfer agents (MTAs) like Postfix and Sendmail perform FCrDNS checks on connecting SMTP clients. A failed confirmation often results in greylisting, higher spam scores, or outright rejection. Legitimate mail servers are expected to have matching forward and reverse records, while botnet nodes and compromised residential hosts typically fail this check. It complements SPF, DKIM, and DMARC as a network-layer trust indicator.
Crawler Identity Verification
For AI crawler identification, FCrDNS serves as a critical verification layer beyond User-Agent strings. When a bot claims to be Googlebot, performing an FCrDNS check on its IP should resolve back to a *.googlebot.com or *.google.com hostname. This prevents User-Agent spoofing by scrapers who set their UA string to mimic legitimate crawlers. Combined with IP reputation databases and ASN blocking, FCrDNS provides cryptographic-grade certainty about crawler origin.
Residential vs. Datacenter Detection
FCrDNS hostnames often reveal the network type of the originating IP. Residential ISP connections typically resolve to hostnames containing patterns like cpe-*-*-*-*.rr.com or pool-*-*-*-*.verizon.net. Datacenter and cloud IPs resolve to hostnames like ec2-*-*-*-*.compute.amazonaws.com or *.your-server.de. This allows datacenter IP detection without relying solely on external reputation databases, enabling real-time blocking of cloud-hosted scrapers while allowing legitimate residential traffic.
PTR Record Delegation
Reverse DNS zones are delegated differently than forward zones. The IP owner—typically the ISP or hosting provider—controls the PTR record, not the domain owner. For example, an EC2 instance's PTR is managed by AWS, not the application operator. This means FCrDNS verification requires coordination with the infrastructure provider to set correct PTR records. Legitimate crawler operators like Google and OpenAI maintain their own IP space and PTR delegations, making FCrDNS a reliable authenticity signal.
IPv6 Considerations
FCrDNS for IPv6 uses PTR records in the ip6.arpa zone, with the address represented as fully expanded, reversed nibbles. The larger address space makes reverse delegation more granular. However, many IPv6 deployments have incomplete or missing PTR records, making FCrDNS less reliable for IPv6-only hosts. Security architects should implement dual-stack FCrDNS policies that apply stricter scrutiny to IPv6 connections lacking valid reverse mappings, as this is a common evasion vector for scrapers.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Essential questions about Forward Confirmed Reverse DNS, the definitive technique for cryptographically verifying the authenticity of a connecting host's network identity.
Forward Confirmed Reverse DNS (FCrDNS) is a two-stage network identity verification protocol that validates a connecting IP address by performing a reverse DNS lookup followed by a forward DNS lookup on the resulting hostname to confirm the records match. The process begins when a server receives a connection from an IP address and executes a PTR (Pointer) record query in the in-addr.arpa domain to resolve the IP to a hostname. The server then performs a forward A (Address) record lookup on that hostname. If the returned IP address matches the original connecting IP, the identity is confirmed. This bidirectional validation prevents trivial IP spoofing where an attacker configures a PTR record pointing to a trusted domain without controlling that domain's forward zone. FCrDNS is a foundational trust mechanism in email anti-spam systems, SSH authentication, and enterprise bot management platforms.
Related Terms
Forward Confirmed Reverse DNS is a foundational technique for distinguishing legitimate infrastructure from ephemeral cloud resources. The following concepts form the ecosystem of network identity verification and bot detection.
Forward DNS Confirmation
The second, critical step where the hostname obtained from the reverse lookup is resolved forward to an A or AAAA record. The resulting IP must exactly match the original queried IP.
- Consistency check: If
reverse(IP) → hostnameandforward(hostname) → IP, identity is confirmed - Failure modes: Mismatched records, missing A records, or wildcard DNS entries that resolve to different IPs
- RFC 1912 compliance: The IETF standard that defines this bidirectional verification as best practice for mail server authentication
IP Reputation
A dynamic trust score assigned to an IP address based on historical behavior, threat intelligence feeds, and association with malicious activity.
- FCrDNS as a signal: Successfully passing forward-confirmed reverse DNS is a positive indicator that contributes to a higher reputation score
- Residential vs. datacenter weighting: IPs from consumer ISPs with valid FCrDNS typically receive higher baseline trust than cloud IPs
- Real-time scoring engines: Services like Spamhaus, IPQualityScore, and Cloudflare's threat intelligence aggregate FCrDNS validation results into composite risk scores used for preemptive blocking
ASN Blocking
The practice of denying access to all traffic originating from a specific Autonomous System Number, typically used to block entire cloud hosting providers known for hosting scrapers and AI training bots.
- Granularity trade-off: ASN blocking is blunt; FCrDNS provides per-IP precision to allow legitimate services within an ASN while blocking malicious ones
- Common targets: AS16509 (Amazon), AS14061 (DigitalOcean), AS63949 (Linode) are frequently blocked by content providers protecting against unauthorized scraping
- Bypass resistance: Attackers using residential proxy networks appear to originate from consumer ISP ASNs, making FCrDNS validation a critical secondary check even when ASN blocking is not triggered
Residential IP Proxy
A network routing service that channels bot traffic through IP addresses assigned by consumer ISPs to real home users, making automated scraping requests appear as legitimate organic traffic.
- FCrDNS evasion: Residential proxies often pass reverse DNS checks because the IP genuinely belongs to a consumer ISP with proper PTR records
- Detection gap: Forward confirmation alone cannot distinguish a compromised residential endpoint from a legitimate user; behavioral analysis and traffic pattern heuristics must supplement FCrDNS
- Proxy detection services: Commercial databases like IP2Proxy and MaxMind maintain lists of known proxy exit nodes, adding a layer beyond DNS verification to identify tunneled traffic

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us