How to find all hostnames in DNS attached to one IP?

domain-name-system virtualhost domain nslookup

Not really, no. This is all about the difference between forward and reverse DNS lookups.

A forward lookup is the standard name->IP lookup. So, you would have to know all the names in advance.

What you want is to do an IP->name lookup, but somehow get all the names you've applied in your Apache config and in DNS as A records (or CNAMES or whatever).

What you will probably find is that doing a reverse lookup (e.g. dig @nameserver $ip -x) will return the hostname given to that IP by the people who own that netblock, which could be your ISP. It might have a name like 45-23-45-231.big-isp.com, which doesn't mean a whole lot to you. And crucially, there is only one reverse record, but potentially many forward ones.

I suppose it boils down to the question - how does the reverse zone know about any of the records in the forward zone? In most setups, the forward zone is made available to the customer to make changes to, but the reverse zone is maintained by the owners of the netblock. The two systems don't need to know anything about each other to function.


It's not possible to do it with the DNS protocol itself, because typically there's only one PTR record for each IP address, even though there may be many A records pointing at that IP address.

However some companies (e.g. http://www.ip-adress.com/) have managed to compile databases containing what you're after by storing the results of a whole load of DNS lookups and then offering a reverse-query into their own databases.

Those databases can't be definitive though, they can't guarantee to know about every possible domain that might happen to point at that IP - they can only record the DNS details for the domain names that they've actually looked up.


The only way to do this, is to have content data of domain name you want to inspect.

With this content you can devellop a recursive script to search hostname relative to your IP (recursive because of eventual CNAME to check).

To get data of some domain name partner, you can ask to be secondary and get DATA with a dig -t axfr.

Related

How can I get user name by user ID?
where can i find varnish log files? /var/log/varnish is empty
What value of thread_cache_size should I use?
Whitelist allowed IPs (in/out) using iptables
How can I modify a user’s PATH environment variable without logging out?
how to rename a VM using libvirt+KVM
Why does IPv6 use AAAA to represent its DNS records?
IPv6 intro for IPv4 admin [closed]
Is there any way to shrink qcow2 image without converting it raw?
Can a server certificate expire after its issuer?
Is there a difference between RAID 10 (1+0) and RAID 01 (0+1)? [duplicate]
Is anyone else using OpenBSD as a router in the enterprise? What hardware are you running it on? [closed]