How to list all DNS names pointing to an IP?
I know – for example – that there are two DNS names for an IP. However nslookup ip only returns one record.
How do I get all the records for an IP?
DNS does not have a way to query names by value.1 When you run nslookup ip, you are simply querying for PTR records at a special reversed-ip.in-addr.arpa domain, not a magic inverse query.
Usually, when a host or address has many names, only one PTR record with the primary name is added – often for security/privacy reasons (in case of shared website hosting), or just because their owner didn't care enough. (Multiple PTR records are also confusing, as practically all programs will just pick one at random.)
The most authoritative source is therefore the IP address owner themselves. (But also note that the owner might not always know about other domains pointing to their address. In DNS, if someone owns a domain they can point it anywhere by simply adding A/AAAA records.)
Several sites exist which collect information about what websites are hosted at a particular IP address (such as yougetsignal), but they have no way of knowing 100% complete information. If there is no website hosted on a particular domain name, it won't be listed in such databases.
1 RFC 833 actually had a definition of inverse queries as an optional feature, using the IQUERY opcode; it was practically unused due to its limited usefulness. To quote the same document, "Inverse query mappings are not guaranteed to be unique or complete because the domain system does not have any internal mechanism for determining authority from resource records", so either way you'd still be unable to get information about domains hosted elsewhere than that particular name server.