Back to Blog
DNS

What Is a Reverse DNS Lookup and Who Uses It

By Kunal KhatriFeb 24, 2026
What Is a Reverse DNS Lookup and Who Uses It

You know a domain like 'google.com' resolves to an IP address. Reverse DNS does the opposite — given an IP address, it returns the associated domain name. The mechanism is different from forward DNS, the data is often different from what you'd expect, and the practical uses are more important than most network documentation suggests.

How Reverse DNS Works

Reverse DNS uses a special domain called in-addr.arpa. To look up the hostname for 93.184.216.34, the query is made to 34.216.184.93.in-addr.arpa — the IP octets reversed, with in-addr.arpa appended. The query returns a PTR record — a pointer record — containing the hostname associated with that IP.

The key difference from forward DNS: the authority over reverse DNS records lies with whoever controls the IP address block, not whoever registered the domain name. Your ISP or hosting provider controls the in-addr.arpa zone for their IP ranges. You set PTR records by requesting them through your provider, not through your domain registrar.

Why Email Servers Care About Reverse DNS

Most email servers perform a reverse DNS check on incoming connections. If the sending IP has no PTR record, or if the PTR record doesn't match a hostname that forward-resolves back to the same IP (a forward-confirmed reverse DNS, or FCrDNS), the message is more likely to be treated as spam or rejected outright.

Here's the thing — this is why 'just send email from any server' doesn't work at scale. Professional email delivery requires a PTR record that matches the sending hostname, which matches the domain in the From header, which has SPF and DKIM records configured correctly. Each layer is a spam signal. Missing reverse DNS is one of the fastest ways to land in the junk folder.

Network Diagnostics and Security Uses

Traceroute output becomes much more readable with reverse DNS — instead of seeing a list of IP addresses at each hop, you see hostnames like 'ae-1.r01.londen03.uk.bb.gin.ntt.net', which tells you the carrier, city, and router number. Network engineers use PTR records to identify infrastructure at a glance.

Security teams use reverse DNS to investigate IP addresses appearing in logs. An IP from a residential ISP's PTR record versus one from a cloud provider has different threat implications. A PTR record containing 'tor-exit' or 'vpn' is an obvious signal. No PTR record at all is also a signal — legitimate infrastructure usually has one.

Reverse DNS in Log Analysis

Web server logs default to recording IP addresses. Enabling reverse DNS resolution in log processing (access log enrichment) adds hostnames, making logs significantly more readable during incident response. Seeing 'ec2-54-239-17-6.compute-1.amazonaws.com' in your logs is immediately more informative than seeing '54.239.17.6' — you know it's an AWS instance, which changes how you assess the traffic.

But do this in log processing, not in the web server itself. Having Apache or Nginx perform reverse DNS resolution on every incoming request adds latency to every single connection — the server has to wait for the DNS query before it can log the request and move on. Process logs after the fact with a tool that batches DNS lookups, or use a SIEM that enriches IP data without blocking your request processing pipeline.

Run a Full IP Lookup Including Reverse DNS

Look up hostname, ASN, geolocation, and PTR records for any IP address.

IP Lookup Tool
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: