
I wonder how services performing reverse NS lookups work. Basically, let's say we have a server with an IP address. That server has an NS record, to which some other domains point.

So, for example, here: https://viewdns.info/reversens/. When we specify ns1.example.com, we see all domains pointing there. How would one approach it programmatically?

  • Some/most of the servers with domain name(s) run HTTP over SSL. It should be easy to check for aliases in a server certificate when you do an [SSL request without SNI](https://stackoverflow.com/a/7886248/12396017). It does not provide any guarantee, but it is quite easy to implement, so I would start with such a hackish approach – Maxim Sagaydachny Sep 05 '20 at 04:11

1 Answer


> How would one approach it programmatically?

You can't, because there is no way to do this.

What people do is the following more or less:

  • start with a list of domains (do searches, try dictionary words, use social media, download gTLD zone files, etc.)
  • resolve them, you get the nameservers
  • record in some database the domain <-> nameservers mapping

Now, with all the data you can trivially do reverse queries. This is how basically everyone does it (hence it is never real time, you first have to collect all information).

Patrick Mevzek
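The collect-then-query approach from the answer above, as an added example that is not part of the original answer: it stores the domain <-> nameserver mapping in SQLite and answers reverse NS queries from it. The names `SAMPLE_NS`, `sample_resolver`, `build_index` and `reverse_ns` are hypothetical, and the NS data is constructed so the code runs offline; a real collector would replace `sample_resolver` with actual NS queries.

```python
import sqlite3

# Constructed sample data standing in for live NS lookups (not real observations).
SAMPLE_NS = {
    "example.com": ["NS1.Example.com.", "ns2.example.com."],
    "example.net": ["ns1.example.com.", "ns1.example.org."],
    "example.org": ["ns1.example.org"],
    "unresolved.example": [],  # lookup failed or the domain has no delegation
}


def normalize(name):
    """DNS names are case-insensitive; also drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def sample_resolver(domain):
    """Hypothetical stand-in for the resolve step; returns NS names for a domain."""
    return SAMPLE_NS.get(domain, [])


def build_index(domains, resolve_ns):
    """Resolve every seed domain and record the domain <-> nameserver mapping."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE delegation (domain TEXT, nameserver TEXT, "
               "PRIMARY KEY (domain, nameserver))")
    # Index on the nameserver column is what makes the reverse direction cheap.
    db.execute("CREATE INDEX by_ns ON delegation (nameserver)")
    for domain in domains:
        for ns in resolve_ns(domain):
            db.execute("INSERT OR IGNORE INTO delegation VALUES (?, ?)",
                       (normalize(domain), normalize(ns)))
    db.commit()
    return db


def reverse_ns(db, nameserver):
    """Reverse query: every collected domain delegated to this nameserver."""
    rows = db.execute("SELECT domain FROM delegation WHERE nameserver = ? "
                      "ORDER BY domain", (normalize(nameserver),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    index = build_index(SAMPLE_NS, sample_resolver)
    print(reverse_ns(index, "ns1.example.com"))
```

The result only covers domains that were in the seed list when the index was built, which is why such services are never real time.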