On the information superhighway, an IP address is a series of numbers telling the location of a digital resource, similar to having a street address for a building. However, when all you know is the street address, you have no idea what the building itself looks like. If you’re a visual person, you might insert that address into Google Maps to pull up a picture of the building so you have a marker to help find a drive.
Reverse DNS lookup is the Google Maps for the internet, taking an IP address and translating it back to the human-readable domain name. In many IT environments, machines are only denoted as their IP address, making it difficult to keep track of them. However, when you enrich your logs with reverse DNS lookup data, you can review activity based on hostname.
By enriching logs with reverse DNS lookup data, you can improve your security and IT operations and respond to issues faster.
What is reverse DNS lookup?
A reverse DNS lookup queries an IP address to convert the numbered naming convention into a human-readable domain name. An IP address is the unique number assigned to a network and connected devices. A Domain Name System (DNS) server translates this number into the URL people use to connect to websites, like www.graylog.org. A reverse DNS lookup translates the URL back to the assigned IP address.
The Address and Routing Parameter Area (.arpa) domain stores the reverse DNS record, identifying them by Pointer (PTR) records. While best practices suggest that domains support reverse DNS lookups, the process is not required for standard internet functionality so may not always be implemented. However, without a corresponding PTR record a DNS server cannot resolve the reverse lookup for an IP address.
The key components of reverse DNS lookup include:
- User or application: initiating the request, like an email filter verifying a sender’s domain before allowing delivery
- PTR records: mapping an IPv4 or IPv6 address to a domain name
- DNS server: storing the DNS zone files used during the search
Some common reasons for using a reverse DNS lookup include:
- Verifying an email server to prevent spam
- Identifying hostnames when troubleshooting issues
- Monitoring network security
How does reverse DNS work?
The reverse DNS lookup process follows these steps:
- Query initiation: Users or applications input the IP address into a DNS lookup or command line interface tool that sends the query to the authoritative DNS servers for the IP range.
- PTR record lookup: The authoritative DNS server searches for the PTR record.
- Response retrieval: When the DNS server locates the PTR record, it sends the domain name back to the requestor.
- Response verification: The requestor compares the provided domain name against the expected domain name.
For example, many organizations use reverse DNS lookups to prevent delivery of spam emails. If the reverse DNS lookup fails to match the IP address with an expected domain in an email’s SMTP envelope or header, the email filter will assume the email is spam.
How to Perform a Reverse DNS Lookup
You may need to perform a reverse DNS lookup to gain insight into incoming network traffic. When engaging in the process, you can typically choose from the following options.
Reverse DNS lookup on Windows
In Windows, you’ll pull up the nslookup command-line utility and follow these steps:
- Access the command prompt
- Input nslookup <IP Address>
- Replace <IP Address> with the IP address you want to resolve
- Receive DNS name to confirm or an error report like “non-existent domain”
Reverse DNS lookup on Linux
In Linux, you’ll pull up the console terminal and follow these steps:
- Input any of these commands nslookup <IP Address>, dig -x [ip_address], or host [ip_address]
- Replace [ip_address] with the IP address you want to resolve
- Receive DNS name to confirm or an error report
Reverse DNS lookup on Mac
In MacOS, you’ll pull up the terminal and follow these steps:
- Input any of these commands dig -x [ip_address]
- Replace [ip_address] with the IP address you want to resolve
- Receive DNS name to confirm or an error report
Using an online tool
Online tools provide an intuitive interface for performing reverse IP lookups, automatically formatting requests and offering supplementary information like geo-location (country and city). Additionally, these tools often provide additional capabilities like forward lookup or Whois lookup.
Some examples of these tools include:
- info: multiple tools with a single panel interface including reverse DNS lookup, reverse Whois lookup, IP history, and reverse MX lookup
- Domain Tools: multiple tools with a drop down menu taking you to different pages for different functions, including whois lookup, bulk parsed whois lookup, and IP whois lookup
- MXToolbox SuperTool: multiple tools with a drop down menu to swap search functions without changing web page, including MX lookup, test email server, SPF record lookup, and TXT lookup
How Enriching Logs with Reverse DNS Lookup Data Enhances Security and Operations
Logging domain names instead of IP addresses streamlines data analysis and issue resolution. Some benefits of enriching your logs with reverse DNS lookup data include:
- Verification: Confirms IP-to-domain name associations to identify trusted sources
- Email security: Utilizes PTR records to block spam, which can mitigate phishing attack risks
- Server strengthening: Identifies and addresses server vulnerabilities by locating an address’s A records and mapping a domain name to the physical IP address
- Threat detection: Enhances ability to track and mitigate threats by understanding how the infrastructure interacts with services and websites
- Risk mitigation: Supports enterprises in maintaining system integrity against malicious activities by spotting suspicious domains known for hosting phishing attacks or malware
- Traffic insights: Identifies origin of traffic to understand user behavior that can help improve service delivery
- Business operations: Identifies potential leads by analyzing website visitors and mapping to recognized domains to support IT and marketing strategies
Graylog: Log Enrichment with Built-In Reverse DNS Lookup Data Adapters
Graylog offers native and customizable data adapters so you can enrich your logs to optimize their value. Our DNS lookup adapter enables you to resolve IPv4 and IPv6 hostnames, perform reverse DNS lookup, and engage in text (TXT) lookups. Our data enrichment capabilities provide rich context that improves risk scoring, readability, search, and data visualization so you can achieve comprehensive insights into system security and performance.
With Graylog Security analytics and anomaly detection capabilities, you get the cybersecurity platform you need without the complexity that makes your team’s job harder. With our powerful, lightning-fast features and intuitive user interface, you can lower your labor costs while reducing alert fatigue and getting the answers you need – quickly.
Our prebuilt search templates, dashboards, correlated alerts, and dynamic look-up tables enable you to get immediate value from your logs while empowering your security team.
For more information about how Graylog Security can help you achieve your NIST CSF 2.0 objectives, contact us today.
