Reverse IP Lookup to Find A Records at IP Address

Question

I want to know if there is a Linux terminal command for getting all the domains associated with an IP address. Or more correctly - find out all the sites hosted on that server IP and/or aall the A records associated with it.

I know dig, host and nslookup can provide some but nowhere close as many as online services such as:

• viewdns.info/reverseip/ <-- gets 49 domains
• yougetsignal.com/tools/web-sites-on-web-server/ <-- gets 2 domains

Both of the above provide many tens of more domains more than the above Linux commands which only get 1 each for a certain domain/IP I'm testing. I wanted to know what technologies they are using to get so many? Is it an API? Is it a different Linux command?

How do I find the most websites/A records hosted at an IP address using free technologies?

I've emailed the above webmasters for info on that specific tool on their sites but had no reply. Can anyone please help?

Answer 1

Not sure if there is any Linux command that can do this. But you can use public DNS database websites likes securitytrails and domaintools (feature available as premium afaik).

You can just replace the IP with the one that you have in this link:

https://securitytrails.com/list/ip/142.250.185.238

Answer 2

dig / host / nslookup just lookup data in DNS. Specifically, in your use case they will be querying a PTR record. A PTR record is defined to point to the canonical name for that IP.

In other words, in DNS multiple names can point to the same address, but when going in reverse, there can be only one name for an IP.

So how to get all those other names?

Essentially you need to look for clues using whatever means you have available. Examples:

• If a SSL certificate contains multiple names, you can use the data in the SubjectAlternateNames
• From whois data?
• If you have access to a feed to DNS activity (eg. sniffing DNS reponses), then you could use that to maintain a huge database of name-ip pairs found on the internet.

That last one isn't something you would do yourself, but I wonder if there are people/vendors (eg. honeypot / firewall vendors) that on-sell this data as a service...