Architecture

Last change on 2025-10-07 • Created on 2025-10-07 • ID: NE-A03B0

DNS lookup / name resolution

Iterative
DNS Query
Recursive
DNS Query
Authoritative
name servers
root
Client
Recursive NS
TLD
domain

  • Iterative DNS Query
    A request to a DNS server: Give me the final response to my request. Send out any additional requests as needed.

  • Recursive DNS Query
    A request to a DNS server: Give me any information you have. Don't send out additional requests.

DNSSEC validation

This requires DS and DNSKey records. At the moment, Hetzner only supports DS records.

Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications (e.g. DS and DNSKEY records) that are used to ensure that DNS responses from authoritative name servers to the recursive name server are secure and have not been intercepted or tampered with.

Client
Recursive name server

Authoritative name servers

The recursive name server uses Key Signing Keys (KSK) and Zone Signing Keys (ZSK) from each authoritative name server to verify the authenticity of every DNS response — establishing a chain of trust.

To start the chain of trust, the recursive name server must already have the hashed PubKSK of the root name server stored locally. It's important that this key was obtained through means other than the DNS protocol (e.g. included in the operating system) to ensure its authenticity.

The DNSSEC Validation Steps

Let's assume the client wants to access https://example.com.

First, the recursive name server sends a request to the root zone. The root zone will refer to the .com zone and provide the hashed PubKSK of the .com zone.

01 response root en

If the recursive name server trusts the DNS response of the root zone, it can send a request to the .com zone and continue the chain of trust with the .com PubKSK provided by the root zone.

02 response com en

If the recursive name server trusts the DNS response of the .com zone, it can send a request to the example zone and continue the chain of trust with the example PubKSK provided by the .com zone.

03 response example en

If the recursive name server trusts the DNS response of the example zone, it can return the IP address of example.com to the client.

In the example above, the DNS records would look like this:

Recursive NS
A
root
198.51.100.1
DS
root
<hashed-pubksk>
root name server
DNSKey
root
<plaintext-pubksk>
DNSKey
root
<plaintext-pubzsk>
A
.com
172.16.3.9
DS
.com
<hashed-pubksk>
.com name server
DNSKey
.com
<plaintext-pubksk>
DNSKey
.com
<plaintext-pubzsk>
A
example
192.168.25.3
DS
example
<hashed-pubksk>
example name server
DNSKey
example
<plaintext-pubksk>
DNSKey
example
<plaintext-pubzsk>

A
example.com
203.0.113.1
A
example.com
10.0.0.3

reverse DNS (rDNS)

Click here to learn how to edit the rDNS (PTR) of Hetzer IPs

Hetzner IPs have PTR records managed by Hetzner. By default, the IP points to a domain that looks like this:

static.1.113.0.203.clients.your-server.de

You can edit the value as explained in these articles:

In Hetzner Console, you can edit the value by selecting your cloud server or Load Balancer and navigating to the "Networking" tab in the top menu bar. Replace static.<your_reverse_ip>.clients.your-server.de with your own domain that points to the IP address of that cloud server or Load Balancer. The PTR record managed by Hetzner is automatically updated accordingly. You can edit the reverse DNS of Primary IPs and Floating IPs as well.


To edit a large number of reverse DNS entries, you may use the Robot Webservice or the Cloud API.

In a reverse DNS (rDNS) lookup, a client requests the domain name associated with an IP address (for example via dnschecker.org or dig -x <ip-address>).

The value of the IP address is defined in a PTR record that is usually set up by the provider who owns the IP address (e.g. Hetzner). PTR records for rDNS are not added in the zone of the domain. Instead, they are added in a reverse zone (e.g. <ip-in-reverse>.in-addr.arpa.) that belongs to the owner of the IP. For a more detailed description, see rDNS zones below.

For example:

Server 1
 IP

🌐
203.0.113.1

www.example.com
Server 2
 IP

💬
📧
198.51.100.1

blog.example.com
mail.example.com

Domain zone managed by you
example.com

A
www
203.0.113.1
A
blog
198.51.100.1
A
mail
198.51.100.1
MX
@
mail.example.com.
IP zones managed by IP owner
1.113.0.203.in-addr.arpa

PTR
@
edu.example.org.
1.100.51.198.in-addr.arpa

PTR
@
mail.example.com.

In this example, the hostnames for forward and reverse DNS lookups match only once:

www.example.com    --->   203.0.113.1
203.0.113.1        --->   edu.example.org

blog.example.com   --->   198.51.100.1
mail.example.com   --->   198.51.100.1      ─┐ hostnames
198.51.100.1       --->   mail.example.com  ─┘ match
ℹ   Attention
  • You can't add more than one PTR record per IP address
    It is not possible to assign multiple hostnames to a single IP address. Even if you host several domains on one server, each IP address can have only one PTR record (except with bizarre PTR round robin tinkering). If a web server and a mail (SMTP) server share the same physical server and IP address, the rDNS should typically point to the hostname of the mail server, since rDNS is especially important for email deliverability and anti-spam checks.

  • You shouldn't add the PTR record in your domain zone
    When a client performs a reverse DNS lookup to resolve an IP address, it does not yet know your domain name and therefore cannot query your domain zone. Instead, it queries the reverse DNS zone associated with the IP address (such as the in-addr.arpa or ip6.arpa zone).
    This reverse DNS zone returns the corresponding domain name via a PTR record. If you add a PTR record in your domain zone, it will be ignored because the client never queries your zone for reverse lookups.

Purpose of rDNS

  • Tools like traceroute often resolve IP addresses to hostnames using reverse DNS. This makes it considerably easier to diagnose errors.
  • Many mail servers only accept incoming emails if the sender's IP address has a reverse DNS entry.
  • Reverse DNS entries can be included in SPF records (Sender Policy Framework — technology for the prevention of spam and virus-containing emails from spoof senders).

Allocation guidelines

We recommend the following allocation guidelines:

  • The reverse DNS entry should not take the form of an automatically generated name, such as static.1.113.0.203.clients.your-server.de; spam filters might identify these as "spam".
  • The domain, which the name derives from, should actually exist. Please do not invent any names.
  • The reverse DNS entry should also resolve "forwards" to the same IP address. 
    same.example.com   --->   192.0.2.254
192.0.2.254        --->   same.example.com
  • The hostname provided by the mail server while the connection is being established (HELO/EHLO) should match the reverse DNS entry for the corresponding IP address.

rDNS zones

The PTR record for an IP address is managed in the reverse DNS zone corresponding to that specific IP. Typically, a provider or organization owns an entire IP range. In such cases, the entire IP range is managed through a single reverse DNS zone that corresponds to the subnet.

The Internet Assigned Numbers Authority (IANA) manages the top-level reverse DNS zones in-addr.arpa and ip6.arpa. These zones delegate to the name servers of Regional Internet Registries (RIRs), which are responsible for the top-level subnet that the requested IP address falls into — often a /8 block (e.g. 203 in 203.0.113.1).

An RIR delegates top-level subnets (e.g. 203 in 203.0.113.1) to the name servers of the IP address owner who is responsible for the subnet that the requested IP address falls into — often a /16 or /24 block (e.g. 203.0 in 203.0.113.1).

Example:

Owner IP range Addresses
Holu 198.51.100.0/24 198.51.100.0 to 198.51.100.255
Hetzner 203.0.0.0/16 203.0.0.0 to 203.0.255.255
Server 1
 IP

📧
198.51.100.28

mail.example.com
Server 2
 IP

💬
203.0.113.1

blog.example.com
Server 3
 IP

🌐
203.0.44.253

www.example.com

Zone managed by IANA
in-addr.arpa
NS
198.in-addr.arpa.
<rir-1>
NS
198.in-addr.arpa.
<rir-2>
NS
203.in-addr.arpa.
<rir-3>
NS
203.in-addr.arpa.
<rir-4>
Zones managed by RIRs
198.in-addr.arpa
NS
@
<rir-1>
NS
@
<rir-2>
NS
100.51
<holu-1>
NS
100.51
<holu-2>
203.in-addr.arpa
NS
@
<rir-3>
NS
@
<rir-4>
NS
0
<hetzner-1>
NS
0
<hetzner-2>
NS
0
<hetzner-3>
Zone managed by Holu
100.51.198.in-addr.arpa
NS
@
<holu-1>
NS
@
<holu-2>
PTR
28
mail.example.com.

Zone managed by Hetzner
0.203.in-addr.arpa
NS
@
<hetzner-1>
NS
@
<hetzner-2>
NS
@
<hetzner-3>
PTR
1.113
blog.example.com.
PTR
253.44
www.example.com.

DNS with mail servers

Mail server sender
Does not check PTR
📧
Mail server receiver
Checks PTR

When a mail server sends out an email, the sender will look up the MX record for the domain that follows after the @ sign. If the email address is holu@example.com, for example, the sender will look up the MX record for example.com. The email is sent to the IP address provided in the DNS response. The sender does not check the PTR record of that IP address.

When a mail server receives an email, it uses Forward-confirmed reverse DNS (FCrDNS) verification. This involves checking the PTR record of the sending mail server's IP address (from the TCP source address) and verifying that the corresponding A record of the returned domain points back to the same IP address. If the IP and domain of both records match, the sender is considered more trustworthy and the message is less likely to be marked as spam.

For example:

Mail Server
Server IP
198.51.100.1
Mail
HELO
holu@example.com
send.example.com
Outgoing
Incoming
send.example.com
get.example.com
Domain zone managed by you
example.com

A
send
198.51.100.1
A
get
198.51.100.1
MX
@
get.example.com.
IP zone managed by IP owner
1.100.51.198.in-addr.arpa

PTR
@
send.example.com.


Here's what happens when someone receives an email from you:


Receiver
DNS

TCP source IP: 198.51.100.1
Check PTR record of sender IP
PTR   198.51.100.1 --> send.example.com

DNS response: send.example.com
Check respective A record
A       send.example.com --> 198.51.100.1

FCrDNS check passes (PTR & A match)

SMTP handshake
Sender: HELO send.example.com

FCrDNS check passes (PTR & A match), and HELO domain matches
→ higher trust, likely not spam


Here's what happens when someone else sends an email to you:


Sender
DNS

Email to holu@example.com

Request mail server of example.com
MX     example.com --> get.example.com A         get.example.com --> 198.51.100.1

DNS response: 198.51.100.1

Send email to 198.51.100.1

Content Delivery Network (CDN)

CDN is a system that enables content owners to deliver cacheable content (e.g. static resources such as JavaScript, CSS or large files like images, videos) to users from the server closest to them. Sometimes edge servers are used to proxy requests, hiding the origin servers from the user.

In a CDN, the server that stores the original version of the content is called the origin server:

origin server
example.com
<html>
<h1> Hello world! </h1>
</html>

With a CDN, there are also multiple edge servers distributed across different geographic locations. These edge servers retrieve the content from the origin server and store it in their cache. When a user makes a request, the edge server nearest to them serves the cached content.

Simplified example visualisation:

Client Canada
Client Japan
Client Germany
CDN
edge server America
example.com
cached copy fetched
from origin server
edge server Asia
example.com
cached copy fetched
from origin server
edge server Europe
example.com
cached copy fetched
from origin server



Overview of advantages:

Faster & resource-saving
Edge: Can provide local copy to the client faster than the origin, which is further away
Origin: Saves bandwidth, CPU und other resources (object in Cache of edge = no request to origin)

Protec­tion against attacks
Edge: Filters requests via WAF, DDoS defence
Origin: No longer has to be exposed to the Internet

Scala­bility
CDN has a lot more resources for sudden load peaks (if content is cacheable)

Confi­gura­bility
Same website with different domains, Customising headers etc. even though you don't necessarily need control over the origin
⚠ CDN provider usually terminates TLS and can read everything — if they want to.



Technical implementation:

The following solutions are often used for that purpose:

DNS-based load balancing one IP » one server
Multiple servers, each with their own IP, are distributed across the world. DNS tries to return the IP address of the server that is geographically closest to the client.
Anycast-based load balancing one IP » fleet of servers
Multiple servers share a single IP address that is reachable from many different locations. Internet routing automatically finds the shortest path to one of these locations based on the client's location on the Internet.

DNS-based load balancing

With DNS-based load balancing, the recursive name server checks the DNS records for the requested domain (e.g. example.com). NS records delegate the domain to the CDN provider. The CDN provider:

  • Checks the location of the recursive name server
    Note that sometimes the recursive name server may be in a different location than the client

  • Chooses an edge server that is closest to the location of the recursive name server.

The edge servers are usually provided and managed by a CDN provider.

Example:

Delegated Zone
example.com
NS
cdn.ns.com
Client
DE
Recursive NS
Germany (DE)
Authoritative NS
example.com
A
A
DE
US
198.51.1.2
203.0.13.1

Anycast-based load balancing

With Anycast-based load balancing, a group of servers shares the same public IP address. The domain owner usually delegates the zone to the CDN provider. In the domain zone managed by the CDN, an A record points at the public IP address that belongs to the Anycast group of edge servers.

The edge servers and their Anycast IP are provided and managed by a CDN provider.

edge server (DE)
example.com
cached copy fetched
from origin server
Client
203.0.13.1
edge server (FI)
example.com
cached copy fetched
from origin server

Apart from edge servers, Anycast-based load balancing is also widely used with DNS name servers, especially root servers, TLD servers, and large authoritative DNS providers (see the description for F-Root for example, one of the 13 Internet root name servers).

Authoritative NS (DE)
example.com
A
203.0.13.1
Client
Recursive NS
192.0.2.5
Authoritative NS (FI)
example.com
A
203.0.13.1

Unlike DNS-based load balancing, Anycast-based load balancing does not need to determine the client's location or perform geographic calculations, because it leverages an existing routing protocol.
The routing protocol used on the Internet selects the route with the lowest cost. Costs increase with a higher number of autonomous systems (ASes), a longer path (latency), and lower available bandwidth. As a result, the most cost-efficient path to a destination in an Anycast group is often the server that is geographically closest to the client.

Example:

A client in Toronto sends a request to example.com, which resolves to the IP address 203.0.113.1. This IP address is shared by two servers: one in Ashburn, and another in Helsinki.

The following network paths are possible:

Client

Toronto
AS64496
Hop 1
Hop 2
Ottawa
New York
203.0.113.1

Ashburn
Client

Toronto
AS64497
Hop 1
Hop 2
Montreal
London
AS64500
Hop 3
Stockholm
203.0.113.1

Helsinki

The routing protocol does not know that the destination actually corresponds to two different machines, because it has no information about geographical locations. To the routing protocol, there appears to be only one source and one destination. From the routing protocol's perspective, the destination is a single machine in a single location, with multiple possible paths to reach it. This is because the routing protocol only sees paths as sequences of autonomous systems (ASes):

Client
AS64496
AS64497
AS64500
203.0.113.1

In this example, the path with a single AS in between would likely be preferred over the path with two ASes in between. As it happens, the more cost-effective path often also corresponds to the geographically closest server.

Table of Contents