Reverse DNS Lookup: How to Find All Hostnames Pointing to a Specific IP Address


1 views

When managing servers with multiple services (web, email, etc.), it's common to have numerous DNS records pointing to the same IP address. Apache VirtualHosts, Nginx server blocks, and other service configurations rely on this pattern. But how do we discover all domains resolving to our server?

A simple dig -x <IP> or nslookup <IP> only shows PTR records:

dig -x 192.0.2.1

;; ANSWER SECTION:
1.2.0.192.in-addr.arpa. 3600 IN PTR server1.example.com.

This reveals just one hostname - typically your server's main reverse DNS entry. It won't show all A/AAAA records pointing to that IP.

1. Using Passive DNS Databases

Third-party services aggregate DNS data over time:

curl "https://api.securitytrails.com/v1/history/<IP>/dns"

Popular options:

  • SecurityTrails
  • VirusTotal
  • WhoisXML API
  • Farsight DNSDB

2. Brute-force DNS Enumeration

For domains you suspect might point to your IP:

#!/bin/bash
for domain in $(cat domain_list.txt); do
  ip=$(dig +short $domain)
  [[ "$ip" == "192.0.2.1" ]] && echo "$domain"
done

3. Web Server Log Analysis

Your access logs contain Host headers from actual requests:

grep -Eo "Host: [^ ]+" access.log | sort | uniq

4. Certificate Transparency Logs

Find domains with valid SSL certificates:

curl "https://crt.sh/?q=192.0.2.1"

Python script using DNS python to periodically check:

import dns.resolver

TARGET_IP = "192.0.2.1"
KNOWN_DOMAINS = ["example.com", "test.org"]

def check_domain(domain):
    try:
        answers = dns.resolver.resolve(domain, 'A')
        for rdata in answers:
            if str(rdata) == TARGET_IP:
                return True
    except:
        return False
    return False

# Add your domain discovery logic here
new_domains = []
for domain in potential_domains:
    if check_domain(domain) and domain not in KNOWN_DOMAINS:
        new_domains.append(domain)

print("New domains found:", new_domains)
  • Rate limit your DNS queries
  • Respect robots.txt for web scraping
  • Check API terms of service for commercial databases
  • Some domains may use reverse proxies/CDNs

When running multiple services (web, email, etc.) on a single server with different domain names, administrators often need to identify all DNS records pointing to their IP address. This is particularly useful for:

  • Server migration planning
  • Security audits
  • Cleaning up obsolete configurations
  • Monitoring unauthorized usage

Standard DNS lookups resolve hostnames to IP addresses (A/AAAA records). The reverse process - finding hostnames from an IP - requires PTR records in the reverse DNS zone. However, this only shows intentionally configured reverse DNS, not all forward records.

1. Using dig for Reverse DNS Lookup

dig -x 192.0.2.1 +short
# Output might show the primary PTR record if configured

2. Querying DNS Data Sources

Commercial and free DNS databases can provide more comprehensive results:

# Using the 'host' command with DNS brute-forcing
host -l example.com ns1.example.com | grep "has address" | grep "192.0.2.1"

3. Leveraging Web-Based Tools

Services like:

  • ViewDNS.info Reverse IP Lookup
  • Bing's "ip:" search operator
  • SecurityTrails API

4. Scanning Certificate Transparency Logs

Modern web servers using HTTPS leave traces in public CT logs:

# Example using crt.sh database
curl -s "https://crt.sh/?q=192.0.2.1" | grep -oP 'DNS:.*?<' | sort -u

Here's a Python script that combines multiple approaches:

import dns.reversename, dns.resolver
import requests
import re

def find_hostnames(ip):
    # Reverse DNS
    try:
        rev_name = dns.reversename.from_address(ip)
        ptr_records = dns.resolver.resolve(rev_name, "PTR")
        for ptr in ptr_records:
            print(f"PTR record: {ptr}")
    except Exception as e:
        print(f"Reverse DNS failed: {e}")

    # Web-based lookup
    try:
        response = requests.get(f"https://api.viewdns.info/reverseip/?host={ip}&apikey=YOUR_KEY")
        for match in re.finditer(r"<td>(.*?)</td>", response.text):
            print(f"ViewDNS result: {match.group(1)}")
    except Exception as e:
        print(f"API lookup failed: {e}")

find_hostnames("192.0.2.1")
  • Reverse DNS only shows intentionally configured PTR records
  • Many domains may share an IP behind CDNs or proxies
  • Some domains may use CNAME records pointing to your IP
  • Dynamic DNS services create constantly changing mappings

Regularly checking what domains point to your server helps with:

  • Identifying phishing sites impersonating your services
  • Detecting unauthorized usage of your infrastructure
  • Preparing for SSL certificate deployments
  • Maintaining clean server configurations