2

I am trying to do a reverse DNS lookup (find DNS-entries for a specific IP-address). A search gave me the answer to use dig and nslookup, but these tools do not work for me. E.g. I ping superuser.com, but none of the commands give me the dnsname. How can I achieve this?

$ ping superuser.com -c 1
PING superuser.com (151.101.65.69) 56(84) bytes of data.
64 bytes from 151.101.65.69 (151.101.65.69): icmp_seq=1 ttl=58 time=20.5 ms

--- superuser.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.492/20.492/20.492/0.000 ms
$ dig 151.101.65.69

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> 151.101.65.69
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6817
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;151.101.65.69.         IN  A

;; AUTHORITY SECTION:
.           3007    IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2021092000 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Mon Sep 20 19:14:32 CEST 2021
;; MSG SIZE  rcvd: 117

$ nslookup 151.101.65.69
** server can't find 69.65.101.151.in-addr.arpa: NXDOMAIN

$ host 151.101.65.69
Host 69.65.101.151.in-addr.arpa. not found: 3(NXDOMAIN)
$ dig -x 151.101.65.69

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -x 151.101.65.69
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1600
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;69.65.101.151.in-addr.arpa.    IN  PTR

;; AUTHORITY SECTION:
151.in-addr.arpa.   2244    IN  SOA pri.authdns.ripe.net. dns.ripe.net. 1632153065 3600 600 864000 3600

;; Query time: 0 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Mon Sep 20 19:14:49 CEST 2021
;; MSG SIZE  rcvd: 115

Alai
  • 63
  • 1
  • 5
  • 1
    Does https://superuser.com/questions/339380/how-to-list-all-dns-names-pointing-to-an-ip answer your question? – u1686_grawity Sep 20 '21 at 17:30
  • The link given by @user1686 should answer your question. Just be aware that `PTR` records are optional and it is up to the DNS domain administrator to enter them. – doneal24 Sep 20 '21 at 20:32

2 Answers

0

You are asking how to do Reverse DNS lookup:

a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name.[1] The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables.

That's the next question: Where would you search for this information? There are many domain name registrars, each keeping its own list of domains and assigned IPs. Some high-level registrars exist, but they do not contain all the data of the lower-level registrars. The real data is kept in DNS servers.

The tools normally only search these high-level registrars or DNS servers, where most of the domains are not found. There is not one database that contains all the domains and all the IPs of the whole world.

The opposite DNS, converting a domain-name to IP, works by repeatedly descending registrar levels until the name is found.

A request to convert an IP to a domain name would need to query all the registrars and DNS servers on our planet, which is physically impossible. This search is called "whois" and it only rarely is able to pinpoint the domain.

harrymc
  • 455,459
  • 31
  • 526
  • 924
  • 1
    Reverse lookups have been around for ages and can be easily done when a DNS entry has a `PTR` record. One use historically has been a reverse lookup during an SMTP transaction to confirm that the host is really who it's claiming to be. – doneal24 Sep 20 '21 at 20:02
  • @doneal24: Not contesting that, but where would you find that DNS entry working from its IP? – harrymc Sep 20 '21 at 20:04
  • `host arstechnica.com` returns (among others) IP 18.116.2.221. `host 18.116.2.221` returns a domain name that points to an Amazon AWS instance. It is up to the domain DNS administrator to set up the `PTR` records. – doneal24 Sep 20 '21 at 20:09
  • `nslookup -type=ptr 221.3.116.18.in-addr.arpa` also works well. – doneal24 Sep 20 '21 at 20:10
  • `arpa` is just one internet registry. – harrymc Sep 21 '21 at 07:33
  • I don't get your point. You can run a reverse lookup on any system that has a `PTR` record with the commands I've given. – doneal24 Sep 21 '21 at 11:54
  • As one who has tried many whois searches, trying to track my spammers, this is far from being that simple. – harrymc Sep 21 '21 at 12:23
  • Except it has worked that way for decades and been implemented reliably in many software packages. `whois` is the wrong tool. – doneal24 Sep 21 '21 at 12:26
  • I have tried so many tools and websites and toolboxes. It's a very complex subject. Let's stop here - this question is very broad and so my answer is correspondingly vague. It would take a book to really answer it. – harrymc Sep 21 '21 at 12:29
  • @harrymc Thank you very much for your response. It helped me to understand the problem. I will upvote your answer as soon as I have enough reputation. – Alai Sep 23 '21 at 14:56
0

You can't achieve it when the responsible ISP hasn't done its homework.

There is a difference between a forward domain and a reverse "in-addr.arpa" domain.

  • In the first case a name is resolved to an IP address. This is controlled by the domain owner.
  • In the second case an IP address is resolved into a name. This is controlled by the IP address owner (normally an ISP) and can be delegated to a customer, but that's the IP address owner's prerogative.

Take another example, dns.google.com. In this example the domain google.com and the reverse domain 8.8.8.8.in-addr.arpa have the same name.

ping dns.google.com -4
PING dns.google.com (8.8.8.8) 56(84) bytes of data.
64 bytes from dns.google (8.8.8.8): icmp_seq=1 ttl=59 time=3.01 ms

and then try with nslookup:

nslookup 8.8.8.8
8.8.8.8.in-addr.arpa    name = dns.google.

More common is that the domain (a random example) e-opt.com doesn't have control over the 3.97.36.24 (24.36.97.3.in-addr.arpa) name.

ping www.e-opt.com
PING www.e-opt.com (3.97.36.24) 56(84) bytes of data.

and then try with nslookup:

nslookup 3.97.36.24
24.36.97.3.in-addr.arpa name = ec2-3-97-36-24.ca-central-1.compute.amazonaws.com.
MatsK
  • 128
  • 7
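
The three outcomes seen in this thread (no `PTR` at all, a `PTR` set by the address owner, and the forward-confirmed check that mail servers apply) can be told apart programmatically. The sketch below is an added example, not code from any of the posts; the record tables are constructed (two entries mirror lookups shown above, the `203.0.113.5` / `mail.example.com.` pair is invented), and `reverse_name` and `check_rdns` are hypothetical helper names.

```python
import ipaddress

# Constructed records: the first two mirror lookups shown on this page,
# the 203.0.113.5 entry is an invented PTR whose forward record disagrees.
PTR = {
    "8.8.8.8.in-addr.arpa": ["dns.google."],
    "24.36.97.3.in-addr.arpa":
        ["ec2-3-97-36-24.ca-central-1.compute.amazonaws.com."],
    "5.113.0.203.in-addr.arpa": ["mail.example.com."],
}
FORWARD = {
    "dns.google.": ["8.8.8.8", "8.8.4.4"],
    "ec2-3-97-36-24.ca-central-1.compute.amazonaws.com.": ["3.97.36.24"],
    "mail.example.com.": ["198.51.100.7"],
}


def reverse_name(ip):
    """Name that `dig -x` queries: reversed octets (or nibbles) + arpa zone."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_rdns(ip, ptr_lookup=PTR.get, fwd_lookup=FORWARD.get):
    """Classify an address as no-ptr, unconfirmed or confirmed.

    ptr_lookup/fwd_lookup take a name and return a list of records or None.
    The defaults read the constructed tables; a real resolver can be passed.
    """
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(reverse_name(ip)) or []
    if not names:
        return "no-ptr", []  # NXDOMAIN, as for 151.101.65.69 in the question
    # Forward-confirm: keep only PTR names that resolve back to this address.
    confirmed = [
        name for name in names
        if any(ipaddress.ip_address(a) == addr
               for a in (fwd_lookup(name) or []))
    ]
    return ("confirmed", confirmed) if confirmed else ("unconfirmed", names)


if __name__ == "__main__":
    for ip in ("151.101.65.69", "8.8.8.8", "3.97.36.24", "203.0.113.5"):
        print(ip, reverse_name(ip), *check_rdns(ip))
```

A "confirmed" result only says the `PTR` name and the address agree with each other; as with `3.97.36.24`, that name is whatever the address owner published and need not be the site name you started from.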