
SecurityTrails Blog · Sep 19 · SecurityTrails team

What is Reverse DNS? Top Tools for Performing a Reverse DNS Lookup


In our blog we’ve been writing a lot about IP and WHOIS lookup for both domains and subdomains, showing how easy it is to fetch data when it comes to IP addresses and domain names. But there was a missing link in this chain… and that is the reverse DNS.

When it comes to cybersecurity investigations, every single point in your attack surface counts, and that includes the so-called rDNS or reverse DNS records, a data source that new penetration testers and researchers often overlook.

Today we’re going to learn more about reverse DNS, what it is, what it’s used for, how to perform quick rDNS lookups from the terminal using several domain tools, as well as mass reverse DNS scanning with web-based utilities.

What is reverse DNS (rDNS)?

We all know what the DNS is, and how it works. But even some IT nerds occasionally forget about rDNS, and still others, who’ve just joined the club, have never even heard of it.

In plain English, reverse DNS, or rDNS, does the opposite of the traditional DNS. That is, instead of resolving a domain name to an IP, it resolves an IP to a host name.

rDNS resolution is a completely separate mechanism from regular (forward) DNS resolution, with its own zones and its own delegation chain. For example, if the domain “yourcompany.com” points to IP 1.2.3.4 (a dummy address), it doesn’t necessarily mean that the reverse resolution for 1.2.3.4 returns yourcompany.com. The reverse zone for an address block is normally controlled by whoever holds that block (usually the ISP or hosting provider), not by the domain owner, so a PTR name is a claim made by the address holder, not proof of identity. If you need to rely on it, resolve the returned name forward and check that the original IP is among the answers.

rDNS data is stored in a specific type of DNS resource record (RR) called the PTR record. A PTR record’s owner name is the IP address written in inverted notation under a special domain, and its value is the host name that the address maps to.

This layout lets you look up an IP in the DNS like any other name: the address is inverted and the in-addr.arpa domain is appended, turning the IP into a domain name.

For example, to find the name under which the PTR record for IP address 1.2.3.4 lives, invert the octets and append in-addr.arpa, which gives 4.3.2.1.in-addr.arpa.

The classic job of the DNS is to translate, or resolve, names into IP addresses, but some scenarios call for the reverse: finding the name of an internet-connected device from its IP address. That is what reverse resolution, or rDNS, does.

Do all types of IP addresses support rDNS? Absolutely: both IPv4 and IPv6 support rDNS lookups. IPv4 lookups use the special domain in-addr.arpa, while IPv6 lookups use ip6.arpa, where the 128-bit address is written as 32 reversed hexadecimal nibbles, one per label.
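The conversion described above, carried out in code for both address families. This is an added example written for this article, not a tool from the original post: a small Python function that builds the in-addr.arpa or ip6.arpa name for any IPv4 or IPv6 address, plus the inverse that recovers the address from a reverse name (handy when reading PTR query logs or reverse zone files). Only the standard library is used; the function and constant names are our own.

```python
import ipaddress

# Special reverse-mapping domains: in-addr.arpa for IPv4, ip6.arpa for IPv6.
IPV4_REVERSE_DOMAIN = "in-addr.arpa."
IPV6_REVERSE_DOMAIN = "ip6.arpa."


def reverse_name(ip: str) -> str:
    """Return the owner name under which the PTR record for `ip` is published.

    IPv4: reverse the four dotted octets and append in-addr.arpa
          (1.2.3.4 -> 4.3.2.1.in-addr.arpa.).
    IPv6: expand the address to all 32 hex nibbles, reverse them, make each
          nibble its own label and append ip6.arpa (the "nibble format").
    Raises ValueError for anything that is not a valid IP address.
    """
    addr = ipaddress.ip_address(ip)  # validates and normalises the input
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + "." + IPV4_REVERSE_DOMAIN
    # .exploded undoes "::" compression and zero suppression: 8 groups of 4 hex digits
    nibbles = addr.exploded.replace(":", "")
    assert len(nibbles) == 32
    return ".".join(reversed(nibbles)) + "." + IPV6_REVERSE_DOMAIN


def ip_from_reverse_name(name: str) -> str:
    """Inverse operation: recover the IP address from an in-addr.arpa / ip6.arpa name.

    Useful when reading reverse zone files or PTR query logs, where only the
    reverse name appears. Returns the canonical (compressed for IPv6) address text.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets in {name!r}, got {len(octets)}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-hex-digit labels in {name!r}")
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"{name!r} is not an in-addr.arpa or ip6.arpa name")


if __name__ == "__main__":
    for ip in ["1.2.3.4", "1.1.1.1", "2001:db8::1", "2606:4700:4700::1111"]:
        rn = reverse_name(ip)
        print(f"{ip:>22} -> {rn}")
        assert ip_from_reverse_name(rn) == str(ipaddress.ip_address(ip))
```

Note that IPv6 produces 32 labels regardless of how the address was written, so ::1-style compression must be expanded first; this is why the stdlib's `.exploded` form is used before reversing.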

Reverse DNS resolution (rDNS)

Do I need rDNS? Current reverse DNS usage

How important is rDNS then? Can my online business live without it?

The answer is yes…and no. At the same time.

If you don’t have an rDNS setup for your IT infrastructure, it’ll work anyway. It’s not a strict requirement. However, some things may not work as expected, or may cause difficulty. Keep reading.

When is rDNS useful?

  • If you want to prevent email issues. If you’re hosting your own mail server, rDNS matters a lot for your outgoing email. A PTR record lets receivers trace the origin of a message and raises the credibility of your server with popular providers such as Gmail, Yahoo, Hotmail and others. Many receiving servers check that the connecting IP has a PTR record and that the name it returns resolves back to the same IP (forward-confirmed reverse DNS), and some will refuse your mail outright if the PTR is missing. So if you run your own mail server, keep it in mind.
  • When you’re performing a cybercrime investigation. Another popular use of reverse DNS records is identifying potential threats and mass scanners across the Internet. Using security API endpoints or web-based products such as SurfaceBrowser, you or your team can identify the authors and networks behind mass scanning, malware distribution or other malicious activity, just as Troy Mursch showed in our blog post How to use reverse DNS records to identify mass scanners. Remember that the holder of the address block chooses the PTR text, so treat a friendly-looking PTR name as a lead to verify, not a verdict.
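The forward-confirmed check mentioned in the email item above, and the verification step any investigation should apply before trusting a PTR name, as an added example that is not part of the original article: look up the PTR for an IP, resolve the returned name forward, and accept the name only if the original IP is among the answers. The DNS is stood in for by a constructed table (FAKE_DNS, fake_resolve) so the code runs offline; the smtp_policy mapping of statuses to reject/flag/accept is an illustrative assumption, not any particular mail server’s rules.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the DNS: (owner name, record type) -> list of answers.
# Names are lowercase FQDNs with a trailing dot. In a real deployment the
# `resolve` callable below would be backed by a resolver library instead.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # Case 1: PTR exists and the name resolves back to the same IP -> confirmed.
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["1.2.3.4"],
    # Case 2: PTR exists but the name does not resolve to this IP -> unconfirmed.
    # Whoever controls the reverse zone for an address block can publish any PTR
    # text, so a PTR on its own proves nothing about who the host is.
    ("5.3.2.1.in-addr.arpa.", "PTR"): ["mail.example.com."],
    # Case 3: 1.2.3.6 has no PTR at all (the NXDOMAIN case) -> no_ptr.
    # Case 4: IPv6 sender confirmed through its AAAA record.
    ("1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa.", "PTR"): ["v6.example.com."],
    ("v6.example.com.", "AAAA"): ["2001:db8::1"],
}

Resolver = Callable[[str, str], List[str]]


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Table lookup standing in for a DNS query; an empty list means no data / NXDOMAIN."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def fcrdns(ip: str, resolve: Resolver = fake_resolve) -> Tuple[str, List[str]]:
    """Forward-confirmed reverse DNS check.

    1. Build the reverse name and look up its PTR record(s).
    2. Resolve each returned name forward (A for IPv4, AAAA for IPv6).
    3. Keep only the names whose forward answers include the original IP.

    Returns (status, confirmed_names) with status one of
    "confirmed", "unconfirmed" or "no_ptr".
    """
    addr = ipaddress.ip_address(ip)
    reverse_name = addr.reverse_pointer + "."  # stdlib builds the in-addr.arpa / ip6.arpa name
    ptr_names = resolve(reverse_name, "PTR")
    if not ptr_names:
        return "no_ptr", []
    forward_type = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for name in ptr_names:
        forward_ips = {ipaddress.ip_address(a) for a in resolve(name, forward_type)}
        if addr in forward_ips:
            confirmed.append(name)
    return ("confirmed" if confirmed else "unconfirmed"), confirmed


def smtp_policy(ip: str, resolve: Resolver = fake_resolve) -> str:
    """Illustrative receiving-side decision (an assumption for this example, not any
    particular MTA's rules): reject with no PTR, flag for extra scrutiny when the PTR
    does not confirm, accept when it does."""
    status, _ = fcrdns(ip, resolve)
    return {"no_ptr": "reject", "unconfirmed": "flag", "confirmed": "accept"}[status]


if __name__ == "__main__":
    for sender in ["1.2.3.4", "1.2.3.5", "1.2.3.6", "2001:db8::1"]:
        status, names = fcrdns(sender)
        print(f"{sender:>12}: {status:<12} {names} -> {smtp_policy(sender)}")
```

The same three outcomes (confirmed, unconfirmed, no PTR) are what you want to record per IP when triaging scanner sources: an unconfirmed PTR that names a well-known company is a common way for an attacker to make hostile traffic look benign in logs.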

How can I perform a reverse DNS lookup?

Performing a reverse DNS lookup isn’t rocket science, and there are many methods and rDNS lookup tools for doing the opposite of a normal DNS check: resolving a given IP to a host name.

Some of these are web-based utilities known as reverse DNS tools, and they all do the same thing: query a given IP to resolve a hostname. Let’s look at some terminal-based examples first.

Dig

The powerful dig command comes to the rescue when we need to perform a reverse DNS lookup. With the -x option you can perform a simple reverse lookup that maps addresses to names in seconds.

With -x, dig builds the reverse name for you and sets the query type and class to PTR and IN respectively: for 192.0.2.94 it queries 94.2.0.192.in-addr.arpa. For IPv6 addresses it does the same using nibble format under the ip6.arpa domain.

Output example:

[research@securitytrails ~]$ dig -x 1.1.1.1
; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> -x 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56773
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1.1.1.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.1.1.1.in-addr.arpa. 1096 IN PTR one.one.one.one.
;; AUTHORITY SECTION:
1.1.1.in-addr.arpa. 69422 IN NS ns3.cloudflare.com.
1.1.1.in-addr.arpa. 69422 IN NS ns7.cloudflare.com.
;; ADDITIONAL SECTION:
ns3.cloudflare.com. 86027 IN A 162.159.7.226
ns3.cloudflare.com. 86027 IN A 162.159.0.33
ns3.cloudflare.com. 86027 IN AAAA 2400:cb00:2049:1::a29f:21
ns3.cloudflare.com. 86027 IN AAAA 2400:cb00:2049:1::a29f:7e2
ns7.cloudflare.com. 203 IN A 162.159.6.6
ns7.cloudflare.com. 203 IN A 162.159.4.8
;; Query time: 13 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Sep 18 11:20:01 -03 2019
;; MSG SIZE rcvd: 248
[research@securitytrails ~]$

The interesting part is this:

1.1.1.1.in-addr.arpa. 1096 IN PTR one.one.one.one.

You can grep the output for a clearer result, or run dig +short -x 1.1.1.1, which prints only the PTR target (one.one.one.one.) and is what you want when scripting.

Host

The host command is probably the most popular command when it comes to performing a quick rDNS resolution from the terminal. The syntax is fairly easy:

host XX.XX.XX.XX

Where XX.XX.XX.XX is the IP address you want to resolve. Let’s look at some examples.

Cloudflare comes first with the reverse DNS resolution query against 1.1.1.1:

[research@securitytrails ~]$ host 1.1.1.1
1.1.1.1.in-addr.arpa domain name pointer 1.1.1.1.in-addr.arpa.
[research@securitytrails ~]$

The same applies for any other IP address, Google’s DNS server for example:

[research@securitytrails ~]$ host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.

Or our own securitytrails.com IP address:

[research@securitytrails ~]$ host 151.139.243.5
Host 5.243.139.151.in-addr.arpa. not found: 3(NXDOMAIN)
[research@securitytrails ~]$

That’s right: our own IP address has no PTR record set up, and an NXDOMAIN answer like this is another result you’ll regularly run into. Treat it as “no reverse name published”, not as an error in your tooling.
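When you script dig or host over many addresses, you end up parsing their text output. The following added example (not part of the original post) parses dig -x and host output into one small structure and handles both a successful PTR answer and the NXDOMAIN case from the Host section above. DIG_OK is an abridged copy of the dig transcript printed earlier and the two HOST_* lines are copied from the host examples; DIG_NXDOMAIN, including its SOA record and id value, is constructed for this example. The class, function and regex names are our own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# DIG_OK: abridged copy of the `dig -x 1.1.1.1` transcript shown earlier in the article.
DIG_OK = """\
; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> -x 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56773
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1.1.1.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.1.1.1.in-addr.arpa. 1096 IN PTR one.one.one.one.
;; AUTHORITY SECTION:
1.1.1.in-addr.arpa. 69422 IN NS ns3.cloudflare.com.
"""

# DIG_NXDOMAIN: constructed for this example to mirror the `host 151.139.243.5`
# failure shown above (the SOA contents and the id are made up).
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;5.243.139.151.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
139.151.in-addr.arpa. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 3600 600 86400 3600
"""

# host(1) output lines copied from the article.
HOST_OK = "8.8.8.8.in-addr.arpa domain name pointer dns.google."
HOST_NXDOMAIN = "Host 5.243.139.151.in-addr.arpa. not found: 3(NXDOMAIN)"


@dataclass
class PtrResult:
    query_name: str                               # reverse name asked, as FQDN with trailing dot
    status: str                                   # DNS RCODE name: NOERROR, NXDOMAIN, SERVFAIL, ...
    ptr: List[str] = field(default_factory=list)  # PTR targets found in the ANSWER section


STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus: (\w+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")  # does not match ";; OPT PSEUDOSECTION:"
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+PTR$")
PTR_RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)$")
HOST_OK_RE = re.compile(r"^(\S+) domain name pointer (\S+)$")
HOST_ERR_RE = re.compile(r"^Host (\S+) not found: \d+\((\w+)\)$")


def _fqdn(name: str) -> str:
    return name.rstrip(".") + "." if name else ""


def parse_dig(output: str) -> PtrResult:
    """Extract status, question name and PTR targets from `dig -x` output."""
    status, qname, ptrs, section = "UNKNOWN", "", [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            m = STATUS_RE.match(line)
            if m:
                status = m.group(1)
            sec = SECTION_RE.match(line)
            section = sec.group(1) if sec else None  # pseudo-sections and stats stay unparsed
            continue
        if section == "QUESTION":
            m = QUESTION_RE.match(line)
            if m:
                qname = m.group(1)
        elif section == "ANSWER":
            m = PTR_RR_RE.match(line)
            if m:
                ptrs.append(m.group(2))  # only PTR RRs; CNAMEs or other types are ignored
    return PtrResult(_fqdn(qname), status, ptrs)


def parse_host(output: str) -> PtrResult:
    """Extract the same information from `host <ip>` output."""
    status, qname, ptrs = "UNKNOWN", "", []
    for raw in output.splitlines():
        line = raw.strip()
        m = HOST_OK_RE.match(line)
        if m:
            qname, status = m.group(1), "NOERROR"
            ptrs.append(m.group(2))
            continue
        m = HOST_ERR_RE.match(line)
        if m:
            qname, status = m.group(1), m.group(2)
    return PtrResult(_fqdn(qname), status, ptrs)
```

Both parsers return the same PtrResult, so a batch job can treat an empty ptr list with status NXDOMAIN as “no reverse name published” and keep SERVFAIL or timeouts separate, rather than lumping every failure together.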

G-Suite Toolbox Dig

Some time ago, Google released a very useful resource called G-Suite dig, an online utility that lets you perform any type of DNS-based query from an easy yet sophisticated web-interface.

In this case, choose the ‘PTR’ record, type your IP address and get the full rDNS result in seconds.

A drawback of this utility is that it only fetches results for a single IP address at a time, which isn’t handy when you need to perform mass rDNS scanning.

G-Suite Dig for reverse DNS resolution tests

Reverse DNS API endpoint

Our API is another great way to query our passive DNS database for any company’s PTR records.

The “/v1/ips/list” endpoint lets you search PTR records by apex domain (in this case cloudflare.com), so you can easily discover all known IP addresses whose reverse records point to the cloudflare.com domain name.

Let’s use a quick Python script to see what this looks like:

import requests

url = "https://api.securitytrails.com/v1/ips/list"
# API key and result page are passed as query parameters
querystring = {"apikey": "your_api_key_here", "page": "1"}
# Search expression: every IP whose PTR record contains cloudflare.com
payload = {"query": "ptr_part = 'cloudflare.com'"}
response = requests.post(url, json=payload, params=querystring, timeout=30)
response.raise_for_status()  # stop early on a bad key, quota or server error
print(response.text)

Output example:

rDNS API query result

In addition to the PTR records, you’ll also find the open ports for each of the hosts returned by our API service.

Thanks to our fully HTTP-based API, you can also run a simple curl query from the command line, or use any other popular language, including Node.js, JavaScript, Ruby, Go and PHP.

SurfaceBrowser Massive rDNS Exploration

When we say SurfaceBrowser is the perfect all-in-one attack surface exploration tool, we really mean it. Apart from all the DNS zone, domain name, SSL and open port data it features, SurfaceBrowser can be used as a massive reverse DNS lookup tool.

To explore the rDNS data from any company, just launch SurfaceBrowser from your account console at: https://securitytrails.com/app/sb/

Choose any domain name you wish to explore, then click on the ‘Reverse DNS’ option, as shown below:

As you may have noticed, rDNS record resolution is loaded instantly thanks to our passive DNS technology, letting you explore all the associated rDNS records pointing to that organization.

Reverse DNS lookup with SurfaceBrowser

The first thing you’ll see when you load the PTR records area is a Summary by Open Ports, and a Summary by Similar Records, letting you easily filter all current rDNS information to match your needs.

In this case, exploring the fbi.gov domain name revealed 289 records. Each one can be inspected in the results area, which lets you browse by PTR record, open ports and number of associated IP addresses. Take a look:

SurfaceBrowser fbi.gov

If you need to find the IP addresses associated with any PTR record, just click the number with the plus sign for immediate results:

SurfaceBrowser associated IPs

That second PTR data screen shows you the total number of IP addresses, as well as where they’re hosted and the current open ports found for each one.

fbi.gov is a “small” organization when it comes to PTR records, even though we found a lot of useful information. But here’s what happens when you explore a big online company like Google:

SurfaceBrowser Google search

For cache.google.com we found around 94k IP addresses associated with that PTR record. Imagine performing this lookup using traditional reverse DNS tools. It could take you forever!

Final thoughts

Today we learned that reverse DNS is not only a great way to improve your cybersecurity investigations, but also to keep your email in tip-top shape by using the right PTR records.

Performing manual rDNS lookups is fine when you’re focusing on isolated cases. However, when you actually need to investigate a hundred or a thousand IP addresses, this becomes a really slow process that can literally take you hours, or even days in some cases.


You deserve to work quickly and efficiently with the most expert tools available. Test SurfaceBrowser™ and get started on the next level of reverse DNS intelligence, with results that appear within seconds. Access our massive rDNS discovery service, book a demo with our Sales team today!