Recon: Find host names with Reverse DNS Lookups
A reverse DNS record (or PTR record) is simply an entry that resolves an IP address back to a host name. Most people are aware of the forward lookup, also known as an A record, that finds an IP address from a host name so an Internet service is able to be accessed.
When an attacker or penetration tester assesses an organization, they will commonly attempt to map the footprint of the organization to find all the weak points to attack. By gathering a list of possible host names, IP addresses, and IP network blocks that are related to the targeted organization, an attack surface can be developed. With this reverse DNS tool, you can not only resolve single IP addresses but also resolve a range of IP addresses or search for all the reverse DNS entries containing a domain name.
Perform a query using either a single IP 220.127.116.11, a range such as 127.0.0.1-10, or CIDR notation 127.0.0.1/27. You are also able to search for hostnames such as example.com. Reverse DNS resolution of a range of IP addresses is limited to 254 addresses (a /24 or smaller subnet).
Reverse DNS Search Limits
| | Queries / day | Max # of Results |
|---|---|---|
| Membership | # based on Plan | 500'000 |
With a membership, get up to half a million results from a single query. A gold mine of data for security analysts, network defenders and other cyber security professionals.
Reverse DNS search
Use the reverse DNS search to find all the reverse DNS entries for a particular organisation. Simply enter an organisation's domain name, such as example.com, to get the results. Currently, the results are limited to a maximum of 5000 results - this will typically only be an issue for big Internet services companies and ISPs.
Much of the data used for the hostname search comes from the excellent scans.io project that is run out of the Rapid7 labs. The database of reverse DNS entries covers the full IPv4 address space. This equates to 43GB of plain text DNS PTR records.
Where are Reverse DNS entries used
Many Internet services, network tools, and server logging will use reverse DNS to populate IP address fields with a more human readable hostname. An example of this can be seen in the output of a traceroute tool.
Configuring Reverse DNS
Reverse DNS is configured and controlled by the IP block owners. Often the reverse DNS host name is configured to indicate the netblock owner, such as ISP or web hosting provider.
If you are hosting a server with a dedicated IP address and would like to have reverse DNS configured (required if you are running an Internet mail server), the PTR record will usually be configured through your IP block hosting provider (usually the server hosting company).
Reverse DNS API
In addition to the web form you can also quickly access the reverse DNS tool using the API. The output will be in plain text and will include the IP address and the reverse DNS host name with a space separating them. Access the API using a web browser, curl or any common scripting language.
This query will display the reverse DNS from the public DNS server provided by Google (18.104.22.168).
The API is simple to use and aims to be a quick reference tool; like all our IP Tools there is a limit of 50 queries per day or you can increase the daily quota with a Membership. For those who need to send more packets HackerTarget has Enterprise Plans.
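The query formats and the plain-text output described above can be combined into a check on a netblock you operate: which addresses have no PTR record, and which PTR names fall outside your own domain. This is an added example, not HackerTarget's code; the function names are hypothetical, the handling of network and broadcast addresses is an assumption, and the sample output is constructed.

```python
import ipaddress

MAX_ADDRESSES = 254  # range limit stated on the page (/24 or smaller)

def expand_query(query):
    """Expand a single IP, a last-octet range (a.b.c.d-e) or a CIDR block."""
    query = query.strip()
    if "/" in query:
        net = ipaddress.ip_network(query, strict=False)
        if net.version != 4 or net.prefixlen < 24:
            raise ValueError("only IPv4 blocks of /24 or smaller")
        # Assumption: network and broadcast addresses are skipped.
        addrs = list(net.hosts()) or [net.network_address]
    elif "-" in query:
        first, last_octet = (p.strip() for p in query.split("-", 1))
        start = ipaddress.IPv4Address(first)
        end = ipaddress.IPv4Address(first.rsplit(".", 1)[0] + "." + last_octet)
        addrs = [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]
    else:
        addrs = [ipaddress.IPv4Address(query)]
    if not 1 <= len(addrs) <= MAX_ADDRESSES:
        raise ValueError("query must cover 1 to %d addresses" % MAX_ADDRESSES)
    return addrs

def parse_results(text):
    """Parse 'IP hostname' lines (space separated) into {address: hostname}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        try:
            ip, host = ipaddress.IPv4Address(parts[0]), parts[1]
        except (IndexError, ValueError):
            continue  # blank line or a message that is not a record
        records[ip] = host.rstrip(".").lower()
    return records

def audit(query, text, domain):
    """For a block you operate: PTR names with no record, and hosts outside domain."""
    records, report = parse_results(text), {"no_ptr": [], "outside_domain": []}
    for addr in expand_query(query):
        host = records.get(addr)
        if host is None:
            report["no_ptr"].append(addr.reverse_pointer)
        elif host != domain and not host.endswith("." + domain):
            report["outside_domain"].append((str(addr), host))
    return report

# Constructed sample output (documentation addresses, not real results).
SAMPLE = "192.0.2.1 gw.example.com\n192.0.2.2 mail.example.com.\n192.0.2.4 h4.isp.example.net\n"
```

The `no_ptr` list holds the `in-addr.arpa` names that returned nothing, which is the name to hand to the IP block owner when asking for a PTR record to be configured.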