How to confirm who is responsible for serving reverse DNS (PTR) requests an IP block?
If your ip address were 192.0.2.4
and you were using nslookup you'd run the following:
set q=ns
4.2.0.192.in-addr.arpa
This would show you the name servers responsible for the ip address block in which your ip address exists.
Solution to your issue:
In this case, I don't think the issue is with your PTR records, but rather with the way Cloudflare's Reverse Proxy system works. If your domain is using Cloudflare's proxy, then it's not actually pointing at your server anymore.
The solution is to turn off Cloudflare's proxying for the domains/subdomains where mail servers are located.
Answer to your question:
The DNS and rDNS queries do occur separately, but the DNS query occurs first in order to determine which IP to query for rDNS/PTR. In this instance, Cloudflare is essentially replacing your IP in the DNS response with their own, which is what's causing the issue.
For example, if you have mydomain.example
, and your Cloudflare DNS settings are an A record pointing to 192.0.2.1
with Proxy enabled, then the domain is actually pointing to Cloudflare's servers, which are then forwarding traffic to yours. However, this means that the PTR lookup is going to query Cloudflare's servers rather than yours, which will report no record present:
❯ dig proxied.mydomain.example # Remote mail server queries a proxied domain's A record.
;; QUESTION SECTION:
;proxied.mydomain.example. IN A
;; ANSWER SECTION:
proxied.mydomain.example. 300 IN A 104.21.30.252 # Cloudflare Server
proxied.mydomain.example. 300 IN A 172.67.174.61 # Cloudflare Server
❯ dig -x 104.21.30.252 # Remote mail server checks PTR/rDNS of both IPs (This is from a real Cloudflare IP)
;; QUESTION SECTION:
;252.30.21.104.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
21.104.in-addr.arpa. 3600 IN SOA cruz.ns.cloudflare.com. dns.cloudflare.com. 2034580120 10000 2400 604800 3600
# Server returns no PTR record, because it's Cloudflare's server being queried.
If you disable Cloudflare's proxying for the mail server DNS record, it looks more like this:
❯ dig unproxied.mydomain.example # Remote mail server queries a non-proxied domain's A record.
;; QUESTION SECTION:
;unproxied.mydomain.example. IN A
;; ANSWER SECTION:
unproxied.mydomain.example. 300 IN A 192.0.2.1 # DNS server returns your server's IP.
❯ dig -x 192.0.2.1 # Mail server queries YOUR server for PTR.
;; QUESTION SECTION:
;117.8.209.209.in-addr.arpa. IN PTR
;; ANSWER SECTION:
117.8.209.209.in-addr.arpa. 86400 IN PTR unproxied.mydomain.example.
# PTR returns the correct value.
(Please note that I've skipped the MX/SPF/DKIM/DMARC lookups in this response, because as far as I'm aware Cloudflare doesn't mess with those unless you point your record to a proxied A/AAAA/CNAME record.)