
PTR / Reverse DNS

The service is provided "as is" and the operator disclaims all warranties with regard to this service including all implied warranties of merchantability and fitness. In no event shall the operator be liable for any special, direct, indirect, or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of this service.

We provide a way for you to manage your own PTR records from within your VM. All you have to do is make an HTTP request to our PTR daemon.

This needs to be done from within the VM for which you want to request the PTR.

To get started you need to request a token.

ptr4.openbsd.amsterdam/token

NOTE: You can do this with any capable HTTP client, such as wget or curl. We use ftp(1) in our examples.

In response you receive the token to use for the subsequent requests. The token is valid for 5 minutes.

A cron job runs every 60 seconds to process the requests.

vmXX$ ftp -MVo- http://ptr4.openbsd.amsterdam/token
1574bdb75c78a6fd2251d61e29935146201319
vmXX$
vmXX$ ftp -MVo- http://ptr6.openbsd.amsterdam/token
1574bdb75c78a6fd2251d61e29935146201319
vmXX$

After you have received the token you can request a PTR record by including the token in the request.

ptr4.openbsd.amsterdam/<token>/<fqdn>

For example, to set the PTR for your IPv4 address you can use:

vmXX$ ftp -MVo- http://ptr4.openbsd.amsterdam/1574bdb75c78a6fd2251d61e29935146201319/vmxx.example.com
Received PTR [XXX.XXX.XXX.XXX -> vmxx.example.com] will be processed asap.
vmXX$

And for your IPv6 address it would be:

vmXX$ ftp -MVo- http://ptr6.openbsd.amsterdam/1574bdb75c78a6fd2251d61e29935146201319/vmxx.example.com
Received PTR [XXXX:XXXX:XXXX:XXX::XXX -> vmxx.example.com] will be processed asap.
vmXX$

You can also use the token in an environment variable.

vmXX$ export TOKEN=1574bdb75c78a6fd2251d61e29935146201319
vmXX$ ftp -MVo- http://ptr4.openbsd.amsterdam/${TOKEN}/vmxx.example.com
Received PTR [XXX.XXX.XXX.XXX -> vmxx.example.com] will be processed asap.
vmXX$
vmXX$ unset TOKEN

You can also reference the hostname that is already set on your VM and issue the IPv4 and IPv6 requests with one command.

vmXX$ export TOKEN=$(ftp -MVo- http://ptr4.openbsd.amsterdam/token | tr -d '\r')
vmXX$ ftp -MVo- http://ptr{4,6}.openbsd.amsterdam/${TOKEN}/$(hostname)
Received PTR [XXX.XXX.XXX.XXX -> vmxx.example.com] will be processed asap.
Received PTR [XXXX:XXXX:XXXX:XXX::XXX -> vmxx.example.com] will be processed asap.
vmXX$
vmXX$ unset TOKEN

Protect your PTR

When you are running shared services on your VM (multiple users, WireGuard or others) you might want to protect your PTR against any further changes.

Once you have set your PTR you can block any further changes with:

ptr4.openbsd.amsterdam/protect

This will add your IP to a protected pf list.

vmXX$ ftp -MVo- http://ptr{4,6}.openbsd.amsterdam/protect
Received [XXX.XXX.XXX.XXX -> protect] 1/1 addresses added.
Received [XXXX:XXXX:XXXX:XXX::XXX -> protect] 1/1 addresses added.
vmXX$

If the IP address is already on the list you will see that no IP is added.

vmXX$ ftp -MVo- http://ptr{4,6}.openbsd.amsterdam/protect
Received [XXX.XXX.XXX.XXX -> protect] 0/1 addresses added.
Received [XXXX:XXXX:XXXX:XXX::XXX -> protect] 0/1 addresses added.
vmXX$

Requesting a token from a protected IP address will result in a “Bad Request”.

vmXX$ ftp -MVo- http://ptr4.openbsd.amsterdam/token
ftp: Error retrieving http://ptr4.openbsd.amsterdam/token: 400 Bad Request
vmXX$

To be able to set your PTR again please contact us.
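
The token, request and protect steps above combined into one script, as an added example that is not OpenBSD Amsterdam's own code. Because a protected address can only be changed again by contacting the operator, it calls /protect only after both replies echo exactly the requested name. The FETCH variable and the function names is_fqdn, ptr_reply_name and set_ptr are assumptions of this example.

```shell
#!/bin/sh
# Added example, not OpenBSD Amsterdam's own code. Run it inside the VM.
# FETCH (assumption of this example): a command that prints a URL's body.
FETCH="${FETCH:-ftp -MVo-}"

# is_fqdn NAME: accept only a dotted name of letters, digits and hyphens,
# with no empty label and no label starting or ending in a hyphen.
is_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *.*) [ "${#1}" -le 253 ] ;;
        *) return 1 ;;   # bare short name, e.g. hostname(1) printing "vmxx"
    esac
}

# ptr_reply_name LINE: print the name the daemon echoed back in
# "Received PTR [<address> -> <name>] will be processed asap."
ptr_reply_name() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^Received PTR \[[^] ]* -> \([^] ]*\)] .*$/\1/p'
}

# set_ptr FQDN [protect]: request the v4 and v6 PTR with one token, and call
# /protect only after both replies echo exactly the requested name.
set_ptr() {
    fqdn=$1
    is_fqdn "$fqdn" || { echo "refusing '$fqdn': not an FQDN" >&2; return 2; }
    token=$($FETCH http://ptr4.openbsd.amsterdam/token | tr -d '\r')
    case "$token" in
        # Assumption: tokens are alphanumeric, like the sample on the page.
        ''|*[!A-Za-z0-9]*) echo "no usable token (is this IP protected?)" >&2
           return 1 ;;
    esac
    for fam in 4 6; do
        reply=$($FETCH "http://ptr$fam.openbsd.amsterdam/$token/$fqdn")
        [ "$(ptr_reply_name "$reply")" = "$fqdn" ] ||
            { echo "ptr$fam: unexpected reply: $reply" >&2; return 1; }
    done
    [ "${2:-}" = protect ] || return 0
    for fam in 4 6; do
        $FETCH "http://ptr$fam.openbsd.amsterdam/protect" || return 1
    done
}
```

Call it as set_ptr "$(hostname)" to set both records, or set_ptr "$(hostname)" protect to also lock them; a short hostname without a domain is refused before any request is sent.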

Block access to the PTR daemon

When you are running services for “untrusted” users you might want to block access to the PTR daemon from your VM. You can do this by adding the following line to your pf.conf.

block out quick on egress proto tcp from (egress) to { 46.23.80.20 2a03:6000:800::20 } port 80

Return Codes

400 Bad Request: the hostname you provided is not allowed.
403 Forbidden: the IP address you are coming from is not within the allowed IP space.
408 Request Timeout: the token expired.