What is Reverse DNS?
Reverse DNS (rDNS) is the process of resolving an IP address back to a hostname. While forward DNS maps domain names to IP addresses (example.com → 93.184.216.34), reverse DNS does the opposite: it takes an IP address and returns the associated hostname. This is accomplished through PTR (Pointer) records stored in a special DNS zone.
Reverse DNS serves a different purpose than a reverse IP lookup. A PTR query returns the single canonical hostname set by the IP owner, while a reverse IP lookup (like the one at reverseips.com) uses passive DNS data to find all domains that have ever pointed to that IP.
How PTR Records Work
PTR records live in the in-addr.arpa zone (for IPv4) or ip6.arpa zone (for IPv6). To look up the PTR record for the IP 93.184.216.34, the DNS resolver queries 34.216.184.93.in-addr.arpa — notice the octets are reversed. The response contains the hostname that the IP owner has configured.
Key characteristics of PTR records:
- Set by the IP owner – Unlike forward DNS records (controlled by the domain owner), PTR records are managed by whoever controls the IP block, typically the hosting provider or ISP.
- One-to-one mapping – A PTR record maps a single IP to a single hostname. Even if hundreds of domains share that IP, the PTR record points to just one name (often the server's own hostname).
- Used for email deliverability – Mail servers check PTR records to verify that sending IPs have valid reverse DNS. Emails from IPs without PTR records are often flagged as spam.
- Used in logging and diagnostics – Network tools like traceroute and server access logs perform reverse DNS to display human-readable hostnames instead of raw IP addresses.
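As an added example (not code from the original page): build the in-addr.arpa / ip6.arpa query name for both address families, then run the forward-confirmed reverse DNS check that mail receivers apply to a sending IP, against a constructed zone table standing in for a live resolver. The ZONE entries, the `lookup` stub and the hostnames are all assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

def reverse_name(ip: str) -> str:
    """Build the PTR query name for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa (93.184.216.34 -> 34.216.184.93.in-addr.arpa).
    IPv6: all 32 hex nibbles of the fully expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # expanded form keeps leading zeros: 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

# Constructed zone data (the page's example IP plus RFC 5737 test addresses): a sender
# whose PTR and A records agree, one whose A record does not point back, and
# 198.51.100.5 with no PTR at all.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("34.216.184.93.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("mail.example.com", "A"): ["93.184.216.34"],
    ("8.113.0.203.in-addr.arpa", "PTR"): ["vps.example.net"],
    ("vps.example.net", "A"): ["203.0.113.200"],
}

def lookup(name: str, rtype: str) -> List[str]:
    """Stub resolver: answers from ZONE, [] where a real resolver would return NXDOMAIN."""
    return ZONE.get((name, rtype), [])

def fcrdns(ip: str, resolve: Callable[[str, str], List[str]] = lookup) -> Dict[str, object]:
    """Forward-confirmed reverse DNS: the PTR must exist, and the hostname it names
    must resolve (A or AAAA) back to the same IP that was queried."""
    addr = ipaddress.ip_address(ip)
    hosts = resolve(reverse_name(ip), "PTR")
    if not hosts:
        return {"ip": ip, "ptr": None, "confirmed": False, "reason": "no PTR record"}
    rtype = "A" if addr.version == 4 else "AAAA"
    for host in hosts:
        forward = {ipaddress.ip_address(a) for a in resolve(host, rtype)}
        if addr in forward:
            return {"ip": ip, "ptr": host, "confirmed": True, "reason": "forward lookup matches"}
    return {"ip": ip, "ptr": hosts[0], "confirmed": False, "reason": "forward lookup does not point back"}

if __name__ == "__main__":
    for ip in ("93.184.216.34", "203.0.113.8", "198.51.100.5"):
        print(fcrdns(ip))
```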
Shared Hosting Architecture
Modern web hosting relies heavily on shared infrastructure. Understanding how multiple domains coexist on one IP is essential for security analysis and OSINT investigations.
Name-Based Virtual Hosting
The most common approach is name-based virtual hosting. When a browser connects to a web server, it sends the requested domain name in the HTTP Host header (for HTTP) or the SNI (Server Name Indication) extension (for HTTPS). The web server — Apache, Nginx, or similar — reads this value and serves content from the appropriate virtual host configuration. This allows a single server with a single IP to host thousands of websites.
SNI and HTTPS
Server Name Indication (SNI) extends TLS to include the target hostname in the initial handshake, before the encrypted connection is established. Without SNI, an HTTPS server with a single IP could only present one SSL certificate, limiting it to one domain. With SNI (supported by all modern browsers and servers), each virtual host can have its own certificate. This is how shared hosting providers offer HTTPS for all their customers without requiring dedicated IPs.
IP-Based Virtual Hosting
In IP-based hosting, each website gets its own dedicated IP address. The server uses the destination IP of the incoming connection to determine which site to serve. This was the norm before SNI became widespread and is still used in some cases, such as when clients that do not support SNI must be accommodated or when certain applications require a dedicated IP for compliance or technical reasons.
Security Implications of Shared Hosting
Knowing which domains share an IP is not just an academic exercise — it has real security consequences:
- Malicious neighbors – If your website shares a server with a site distributing malware or hosting phishing pages, your IP's reputation can be damaged. Email deliverability, SEO rankings, and even browser warnings can be affected.
- Cross-site attacks – On poorly configured shared hosting, vulnerabilities in one site can be leveraged to attack others on the same server. Symlink attacks, shared temp directories, and information disclosure through server-status pages are common vectors.
- IP-based blocking – When a shared IP is blocklisted due to abuse by one tenant, all sites on that IP suffer. Security teams use reverse IP lookups to assess whether an IP blocklist entry might cause collateral damage.
- Phishing infrastructure identification – Threat actors often spin up multiple phishing domains on the same cheap hosting. A reverse IP lookup reveals the full scope of a phishing campaign, helping defenders take down all malicious domains, not just the one that was reported.
How CDNs Affect Reverse IP Lookups
Content Delivery Networks like Cloudflare, AWS CloudFront, and Akamai add an important layer of complexity to reverse IP analysis:
- Shared anycast IPs – CDNs use anycast routing, where the same IP address is announced from multiple data centers worldwide. A single Cloudflare IP might serve thousands of unrelated websites. A reverse IP lookup on a CDN IP will return a massive list of domains that may have no actual connection to each other.
- Origin IP masking – When a site is behind a CDN, the domain's DNS records point to the CDN's IPs, not the origin server. Finding the real origin IP requires different techniques (SSL certificate analysis, historical DNS records via IP History, or misconfigured subdomains).
- Interpreting CDN results – If a reverse IP lookup returns thousands of domains and the ASN belongs to a CDN provider, the results show domains proxied through that CDN edge, not necessarily sites on the same physical server.
Real-World Investigation Scenarios
Here are practical examples of how security professionals use reverse DNS and reverse IP data:
- Phishing takedown – A phishing email links to evil-bank-login.com. A reverse IP lookup reveals 47 other domains on the same IP, all mimicking different banks. The investigator reports the entire hosting account for takedown, not just the single domain.
- Penetration test reconnaissance – A red team is authorized to test company.com. A reverse IP lookup on the company's server reveals staging.company.com, internal-api.company.com, and old-app.company.com — previously unknown attack surfaces that expand the scope of testing.
- Malware C2 tracking – A malware sample communicates with a command-and-control server at a specific IP. Reverse IP lookup reveals the other domains on that IP, potentially uncovering additional C2 domains, related campaigns, or the threat actor's broader infrastructure.
- Brand protection – A company discovers a typosquatting domain impersonating their brand. A reverse IP lookup on the impostor's server reveals dozens of other typosquatting domains targeting different brands, indicating a professional squatting operation.
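Added example (not from the original page) covering the passive DNS reverse lookup described at the top of the page, the CDN caveat, and the phishing and brand-protection scenarios above: a reverse IP query over a constructed passive DNS table with an "active on this date" filter, and a pivot from one reported lookalike domain to its co-hosted siblings that flags CDN edge IPs instead of expanding them. The observation data, the ASN-to-organisation map and every domain name are constructed.

```python
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Set

class PdnsRecord(NamedTuple):
    domain: str
    ip: str
    first_seen: date
    last_seen: date

# Constructed passive DNS observations (not real data; RFC 5737 addresses and the
# reserved .example TLD). 203.0.113.10 is a cheap shared-hosting IP carrying the
# reported lookalike domain, two sibling lookalikes and a tenant that left in 2023;
# 192.0.2.44 is a CDN edge IP fronting hundreds of unrelated sites.
OBS: List[PdnsRecord] = [
    PdnsRecord("secure-login.example", "203.0.113.10", date(2024, 5, 1), date(2024, 6, 1)),
    PdnsRecord("account-verify.example", "203.0.113.10", date(2024, 5, 3), date(2024, 6, 1)),
    PdnsRecord("bank-update.example", "203.0.113.10", date(2024, 5, 3), date(2024, 6, 1)),
    PdnsRecord("former-tenant.example", "203.0.113.10", date(2022, 1, 1), date(2023, 2, 1)),
    PdnsRecord("secure-login.example", "192.0.2.44", date(2024, 5, 20), date(2024, 6, 1)),
] + [PdnsRecord(f"site{i}.example", "192.0.2.44", date(2024, 1, 1), date(2024, 6, 1))
     for i in range(500)]

# Constructed ASN owner data; in practice this comes from BGP or WHOIS lookups.
ASN_ORG: Dict[str, str] = {"203.0.113.10": "Example Cheap Hosting", "192.0.2.44": "ExampleCDN"}
CDN_ORGS: Set[str] = {"ExampleCDN"}

def reverse_ip(ip: str, as_of: Optional[str] = None) -> List[str]:
    """Passive-DNS reverse IP lookup: every domain that ever resolved to `ip`, or, given
    an ISO date, only those whose observation window covers that date."""
    day = date.fromisoformat(as_of) if as_of else None
    return sorted({r.domain for r in OBS
                   if r.ip == ip and (day is None or r.first_seen <= day <= r.last_seen)})

def pivot(seed: str, as_of: str) -> Dict[str, Dict[str, object]]:
    """From one reported domain, list co-hosted domains on each IP it has used. CDN edge
    IPs are flagged and not expanded: their tenant list says nothing about a shared server."""
    result: Dict[str, Dict[str, object]] = {}
    for ip in sorted({r.ip for r in OBS if r.domain == seed}):
        org = ASN_ORG.get(ip, "unknown")
        is_cdn = org in CDN_ORGS
        siblings = [] if is_cdn else [d for d in reverse_ip(ip, as_of) if d != seed]
        result[ip] = {"asn_org": org, "cdn": is_cdn, "siblings": siblings}
    return result

if __name__ == "__main__":
    for ip, info in pivot("secure-login.example", "2024-05-15").items():
        print(ip, info)
```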
Tools for DNS and IP Investigation
- Reverse IP Lookup – Find all domains on any IP address using passive DNS data from reverseips.com.
- IP History – See how a domain's IP address has changed over time, useful for finding origin IPs behind CDNs.
- DNS Timeline – Explore the complete DNS history of any domain, including A, AAAA, MX, NS, CNAME, and TXT records.
- Internet Live View – Monitor real-time BGP routing changes and internet infrastructure events.
- Profundis.io – Full-featured DNS intelligence platform with unlimited queries, an API, and comprehensive historical data.
Get Started
Ready to investigate an IP address? Visit the reverseips.com homepage and enter any IPv4 or IPv6 address to see all domains hosted on it. For enterprise-grade DNS intelligence, explore Profundis.io.