How to Perform Reverse DNS Lookup


Everyone knows that DNS is used to translate hostnames to IP addresses, but do you know that DNS can also be used to retrieve the domain name when the IP address is known?

I am not a DNS guru, but I do know that the ping command in Windows can be used to resolve IP addresses to hostnames by using the -a option.

C:\Users\ibrahim>ping -a 8.8.4.4

Pinging google-public-dns-b.google.com [8.8.4.4] with 32 bytes of data:
Reply from 8.8.4.4: bytes=32 time=31ms TTL=50
Reply from 8.8.4.4: bytes=32 time=22ms TTL=53
Reply from 8.8.4.4: bytes=32 time=24ms TTL=50
Reply from 8.8.4.4: bytes=32 time=23ms TTL=50

Ping statistics for 8.8.4.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 31ms, Average = 25ms

I had no clue how the reverse DNS query was performed by the ping command. To find out, I decided to analyse the DNS lookup query using Wireshark, a network protocol analyzer. While resolving the IP address 8.8.4.4 (one of Google’s public DNS servers) to its DNS name, I performed a packet capture.

[Figure: Wireshark packet capture of the reverse DNS query]

After some reading up, I managed to find out how reverse DNS works.

  1. The IP address is first reversed and the string “.in-addr.arpa” is appended to it. So if the IP address is 8.8.4.4, the query name becomes “4.4.8.8.in-addr.arpa”.
  2. The DNS query type is PTR.
  3. The DNS query class is IN.

Now we have the necessary info to perform a reverse DNS lookup using nslookup, a DNS query tool.

C:\Users\ibrahim>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> set type=PTR
> set class=IN
> 4.4.8.8.in-addr.arpa
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
4.4.8.8.in-addr.arpa    name = google-public-dns-b.google.com

Is it too complicated? Fret not! There is another simpler way to do it using nslookup! Here you go:

C:\Users\ibrahim>nslookup 8.8.4.4
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    google-public-dns-b.google.com
Address:  8.8.4.4
