Reverse DNS Lookup How-To on Linux, macOS, and Windows

Secably Research
May 26, 2026
A reverse DNS lookup translates an IP address into a domain name. This process is crucial for network diagnostics, email server validation, and security investigations. Understanding which domain is associated with a specific IP address helps identify hosts, verify legitimate services, and detect suspicious activity. In this guide you will identify the domain name associated with a given IP address. Prerequisites:
  • A computer with a command-line interface (Linux, macOS, or Windows).
  • Internet connectivity to query DNS servers.
  • Basic understanding of IP addresses and domain names.

Executing the reverse DNS lookup command

This section details how to perform a reverse DNS lookup using various utilities. Each tool offers slightly different syntax and output, but all achieve the same goal. We will use the IP address 8.8.8.8 for demonstration. This IP belongs to Google's Public DNS service.

Using dig for reverse lookups

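The dig utility is a flexible tool for querying DNS name servers. It is commonly available on Linux and macOS systems. To perform a reverse DNS lookup, you specify the IP address and request a PTR (Pointer) record. The record lives under the special in-addr.arpa domain, at a name formed by reversing the IP address octets. For 8.8.8.8 this is 8.8.8.8.in-addr.arpa; because all four octets are identical the reversal is not visible here, whereas 192.0.2.1 becomes 1.2.0.192.in-addr.arpa. With dig you do not have to build this name by hand: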

    dig -x 8.8.8.8

This command uses the -x option, which is shorthand for performing a reverse lookup on the specified IP. Expected output:

    ; <<>> DiG 9.16.1-Ubuntu <<>> -x 8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36625
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;8.8.8.8.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    8.8.8.8.in-addr.arpa. 21599 IN PTR dns.google.

    ;; Query time: 27 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Tue May 21 10:30:00 UTC 2024
    ;; MSG SIZE rcvd: 67

Interpreting dig output

The most important part of the dig output is the ANSWER SECTION. Here, you see the PTR record.
  • 8.8.8.8.in-addr.arpa.: This is the inverted IP address in the special reverse DNS zone.
  • 21599 IN PTR: 21599 is the Time To Live (TTL) in seconds. IN stands for Internet class. PTR indicates a pointer record.
  • dns.google.: This is the domain name associated with the IP address 8.8.8.8.
The dig command provides extensive details, useful for deep DNS diagnostics. For a simpler DNS lookup, including reverse lookups, you can also use our DNS lookup tool which offers a web-based interface.

Using nslookup for reverse lookups

nslookup is another common utility, available on Windows, Linux, and macOS. It can operate in interactive or non-interactive mode. For a quick reverse lookup, non-interactive mode is sufficient.

    nslookup 8.8.8.8

This command directly queries the default DNS server for the PTR record of 8.8.8.8. Expected output:

    Server:  UnKnown
    Address:  192.168.1.1

    Name:    dns.google
    Address:  8.8.8.8

In this example, 192.168.1.1 is the local router acting as the DNS resolver. The important information is under Name: and Address:.

Interpreting nslookup output

The nslookup output is generally more concise than dig.
  • Server: UnKnown and Address: 192.168.1.1: These lines show the DNS server that processed your query. "UnKnown" often appears if the local resolver's reverse DNS entry is not configured or publicly resolvable.
  • Name: dns.google: This is the resolved domain name corresponding to the IP address.
  • Address: 8.8.8.8: This confirms the IP address that was queried.
The `nslookup` utility offers quick insights. Security professionals often combine this with other reconnaissance tools, like a free port scanner, to gather a comprehensive view of an IP's services and associated domains.

Using host for reverse lookups

The `host` utility provides a simpler way to perform a reverse DNS lookup. It is typically found on Linux and macOS. It is designed for straightforward DNS lookups.

    host 8.8.8.8

This command automatically detects that an IP address is provided and performs a reverse lookup. Expected output:

    8.8.8.8.in-addr.arpa domain name pointer dns.google.

Interpreting host output

The `host` command delivers the most direct output for a reverse lookup.
  • 8.8.8.8.in-addr.arpa: The standard reverse lookup format.
  • domain name pointer dns.google.: This clearly states that the inverted IP points to the domain dns.google.
The reverse DNS lookup is essential for security analysis. For more details on standard DNS lookups, refer to our guide: DNS Lookup Command A Step-by-Step Guide.

Performing a reverse DNS lookup on Windows with PowerShell

Windows environments utilize PowerShell for advanced network diagnostics. The `Resolve-DnsName` cmdlet is the modern way to perform DNS lookups, including reverse lookups.

    Resolve-DnsName -Name 8.8.8.8 -Type PTR

Here, `-Name` specifies the IP address, and `-Type PTR` explicitly requests a PTR record. Expected output:

    Name                          Type   TTL   Section    NameHost
    ----                          ----   ---   -------    --------
    8.8.8.8.in-addr.arpa          PTR    21599 Answer     dns.google

Understanding PowerShell output

The PowerShell output is structured into columns, making it easy to read.
  • Name: The inverted IP address used for the query.
  • Type: Confirms it's a PTR record.
  • TTL: The Time To Live for the record.
  • Section: Indicates the answer section of the DNS response.
  • NameHost: This is the resolved domain name, `dns.google` in this case.
PowerShell provides robust scripting capabilities. You can integrate this cmdlet into larger scripts for automated network reconnaissance or threat hunting. Consider combining this with data from a free website vulnerability scanner for a holistic view of a target's online presence.

Verification steps

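After performing a reverse DNS lookup, you should verify the information. A PTR record is published by whoever controls the reverse zone for the address block and can contain any hostname, so on its own it does not prove that the name belongs to the IP. A common verification method is to perform a forward DNS lookup on the domain name you found and check that it returns the original IP address. This ensures consistency between forward and reverse records.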
  1. Perform a forward DNS lookup: Use the domain name obtained from the reverse lookup (e.g., dns.google) to find its IP address.

    dig dns.google A

    Expected output (excerpt):

    ;; ANSWER SECTION:
    dns.google.		21599	IN	A	8.8.8.8
    

    The `ANSWER SECTION` shows that dns.google resolves to 8.8.8.8, matching our initial IP. This confirms the DNS records are consistent.

  2. Check multiple DNS resolvers: Querying different DNS servers can confirm the record's global consistency. Specify a different DNS server in your `dig` or `nslookup` command.

    dig @1.1.1.1 -x 8.8.8.8

    This command queries Cloudflare's 1.1.1.1 DNS server for the reverse lookup of 8.8.8.8. Consistent results across multiple resolvers increase confidence in the data.

  3. Consult external tools: Use online services like Zondex for broader internet-wide scanning and reconnaissance. These tools can provide additional context or confirm your findings from a different vantage point.
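
The reverse-then-forward check from steps 1 and 2 can be scripted so that each address gets an explicit verdict. This is an added example, not code from the original article; the function names `lookup` and `fcrdns` and the `DIG` and `RESOLVER` variables are assumptions of the example.

```sh
#!/bin/sh
# Forward-confirmed reverse DNS (FCrDNS): PTR lookup, then A/AAAA lookup of each
# returned name, then compare the result with the original address.
# Assumptions of this example: DIG (lets a test swap in a stub for dig) and
# RESOLVER (optional "@server" argument, e.g. RESOLVER=@1.1.1.1).
DIG="${DIG:-dig}"
RESOLVER="${RESOLVER:-}"

# Run "dig +short" and print record data only. dig reports a timeout as a ";;"
# line on stdout plus a non-zero exit status, so both are handled here.
lookup() {
    out=$($DIG +short $RESOLVER "$@") || return 2
    printf '%s\n' "$out" | sed -e '/^;/d' -e '/^$/d'
}

# Prints one verdict line for the address given as $1.
# Returns 0 confirmed, 1 mismatch, 2 lookup failed, 3 no PTR record.
fcrdns() {
    ip=$1
    ptrs=$(lookup -x "$ip") || { echo "$ip lookup-failed"; return 2; }
    [ -n "$ptrs" ] || { echo "$ip no-ptr"; return 3; }
    # IPv6 is compared as text, so pass the compressed form that dig prints.
    case $ip in *:*) rrtype=AAAA ;; *) rrtype=A ;; esac
    for name in $ptrs; do
        addrs=$(lookup "$name" "$rrtype") || continue
        for a in $addrs; do
            if [ "$a" = "$ip" ]; then
                echo "$ip confirmed ${name%.}"
                return 0
            fi
        done
    done
    # The PTR names a host whose forward records do not include this address.
    echo "$ip mismatch" $ptrs
    return 1
}

# Usage: sh fcrdns.sh 8.8.8.8 192.0.2.1
for ip in "$@"; do fcrdns "$ip" || true; done
```

A `mismatch` verdict means the PTR name should not be used to identify the host; `lookup-failed` means the resolver did not answer and says nothing about the record.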

Troubleshooting common issues

Reverse DNS lookups can fail or return unexpected results for several reasons. Understanding these issues helps in effective diagnosis.

No PTR record found

This is the most frequent issue. Not all IP addresses have a corresponding PTR record.

    dig -x 192.0.2.1

Expected output (excerpt):

    ;; QUESTION SECTION:
    ;1.2.0.192.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Tue May 21 10:30:00 UTC 2024
    ;; MSG SIZE rcvd: 46

Notice the empty `ANSWER SECTION`. This means no PTR record exists for `192.0.2.1`.

Solution: This is not an error in your command, but rather an absence of the record itself. Many IP addresses, especially those that are dynamically assigned, used on internal networks, or have no public-facing service needing a reverse record, will not have one. Accept this as a valid result.

DNS server timeout or refusal

Your DNS query might time out or be refused by the DNS server.

    dig -x 8.8.8.8 @10.0.0.1

If `10.0.0.1` is an unreachable or non-responsive DNS server, you might see:

    ;; connection timed out; no servers could be reached

Solution:
  • Check your network connectivity. Ensure you have internet access and your local DNS resolver is functioning.
  • Specify a known public DNS server (e.g., `8.8.8.8`, `1.1.1.1`) in your command using `@server_ip`.
  • Verify your firewall rules are not blocking outbound UDP port 53 traffic, which DNS uses.

Incorrect IP address format

Supplying an invalid IP address will result in an error or a malformed query.

    dig -x 8.8.8

Expected output:

    ;; Warning: Invalid IP address 8.8.8

Solution: Always provide a complete IPv4 (e.g., `192.168.1.1`) or IPv6 address. The `dig -x` option expects a complete IP.

Firewall restrictions

Local or network firewalls can block DNS queries, preventing successful lookups. If your command-line utility hangs or returns a timeout error even with a valid DNS server, a firewall might be interfering.

Solution:
  • Temporarily disable your local firewall (if safe and permitted) to test.
  • Review your network firewall rules to ensure outbound UDP port 53 traffic is allowed.
  • If working within a corporate network, contact your network administrator.
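
When lookups are run in bulk, the failure modes above need to be told apart so that a resolver problem is not recorded as a missing PTR record. The following added example (not code from the original article) classifies the text output of `dig -x`; the function names `classify_dig` and `sample_no_ptr` and the verdict labels are assumptions of the example.

```sh
#!/bin/sh
# Classify the text output of "dig -x <ip>" (read from stdin) so that a resolver
# failure is never recorded as "this address has no PTR record".
# Prints: ptr <name> | no-ptr | refused | servfail | timeout | bad-address | unknown
classify_dig() {
    awk '
        /connection timed out/            { fail = "timeout" }
        /^;; Warning: Invalid IP address/ { fail = "bad-address" }
        /^;; ->>HEADER<<-/ {
            status = $0
            sub(/.*status: /, "", status)   # drop everything before the status
            sub(/,.*/, "", status)          # drop the id field after it
        }
        # Answer lines look like: <owner> <ttl> IN PTR <target>
        $1 !~ /^;/ && $4 == "PTR" { name = $5; sub(/\.$/, "", name) }
        END {
            if (fail != "")                print fail
            else if (name != "")           print "ptr " name
            else if (status == "NOERROR" || status == "NXDOMAIN") print "no-ptr"
            else if (status == "REFUSED")  print "refused"
            else if (status == "SERVFAIL") print "servfail"
            else                           print "unknown"
        }'
}

# Constructed sample (not captured output): a reply for an address without a PTR.
sample_no_ptr() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;1.2.0.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
2.0.192.in-addr.arpa. 3600 IN SOA ns.example. admin.example. 1 7200 3600 604800 3600
EOF
}

sample_no_ptr | classify_dig    # prints: no-ptr
```

Only `no-ptr` is a statement about the address itself; `timeout`, `refused` and `servfail` describe the resolver and call for a retry against another server.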
