A single IP address can simultaneously host personal blogs, corporate websites, and phishing pages—this is very common with shared hosting and Content Delivery Networks (CDNs). Our Reverse IP Lookup tool helps you list all domains pointing to a specific IP address and displays the time of their first and last successful resolution. Cybersecurity administrators can use it to determine if a server is being used maliciously, while website operators can quickly identify their IP neighbors.
What is a Reverse IP Lookup?
A standard DNS lookup converts a domain name into an IP address; a reverse IP lookup does the opposite, finding domains based on a given IP. This tool uses public DNS resolution record databases to not only find currently resolved domains but also display historical resolution records. It tells you when a domain first started pointing to the IP and the most recent time it did so. This allows you to understand the usage history of an IP address. Note that this tool is not a standard rDNS (PTR record) lookup; instead, it relies on passive DNS data. It maps the association trajectory between domains and IPs rather than providing authoritative reverse resolution results.
How to Use This Tool
- Enter a valid IPv4 address (e.g., 8.8.8.8) or IPv6 address (e.g., 2001:4860:4860::8888) into the IP address input field.
- Click the search button. The tool will request data from the server; please wait a few seconds.
- The results table will appear below, containing three columns: Domain, First Resolved, and Last Resolved.
- If the IP has many associated domains, "Previous" and "Next" buttons will appear at the bottom of the table, allowing you to click through to see more records.
Example: Querying Google's Public DNS IP
We enter 8.8.8.8 into the input box and click search. The query returns over 200 domain records in total, with the first page displaying several of them. For example:
- dns.google.com, First Resolved: 2020-03-15 09:20:33, Last Resolved: 2026-05-28 18:02:11
- google-public-dns-a.google.com, First Resolved: 2018-06-01 14:55:07, Last Resolved: 2026-05-28 18:02:11
- 8888.google, First Resolved: 2017-01-12 10:05:44, Last Resolved: 2026-05-27 23:41:05
Clicking the "Next" button reveals more Google service domains. This indicates that 8.8.8.8 is Google's public DNS server, with a large number of Google's own domains stably pointing to this IP over the long term, and resolution records continuing to update to the present. If you see a domain's last resolved time stuck in the distant past (e.g., 2019), it is highly likely that the domain has been migrated or discontinued.
More Examples: CDN Nodes and Shared Hosting
Let's try an Anycast IP from Cloudflare: 104.16.124.96. The query yields over 2,000 results. The first page displays dozens of completely unrelated domains: a Turkish online store, an American blog, a German government portal... with first resolved times spread across recent years. This is clearly a CDN edge node hosting numerous Cloudflare customers. If we switch to a virtual host IP (e.g., 203.0.113.5), it might only list a dozen small company websites that appear unrelated—a typical shared hosting space. During security tracing, this allows you to quickly determine whether an IP belongs to a major CDN or a standard VPS.
How to Interpret the Results
The number of returned domains is the most critical signal:
- 0 domains: There are no public DNS resolution records pointing to this IP in our database.
- 1-10 domains: Mostly dedicated servers, dedicated IPs, or small VPS instances.
- 10-100 domains: Commonly found on shared hosting, small CDNs, or cloud platforms.
- Over 100 domains: Almost certainly a CDN edge node or large cloud platform IP, potentially backing thousands of websites.
An early first resolved time (e.g., 2015) paired with a recent last resolved time indicates the domain has stably resolved to this IP for a long time. A last resolved time from six months ago or earlier suggests the domain may have moved away from this IP, though this should be verified with other evidence.
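The interpretation rules above, applied to rows in the result table's format, as an added example (not code from this tool). The `parse_rows` and `summarize` names, the 183-day approximation of "six months", the handling of the overlapping boundary at 10, the total of 201 and the `legacy.example.test` row are all assumptions or constructed values.

```python
import ipaddress
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used in the results table

# First three rows are the page's 8.8.8.8 example; the last row is constructed
# to show a stale record.
SAMPLE = """\
- dns.google.com, First Resolved: 2020-03-15 09:20:33, Last Resolved: 2026-05-28 18:02:11
- google-public-dns-a.google.com, First Resolved: 2018-06-01 14:55:07, Last Resolved: 2026-05-28 18:02:11
- 8888.google, First Resolved: 2017-01-12 10:05:44, Last Resolved: 2026-05-27 23:41:05
- legacy.example.test, First Resolved: 2016-04-02 08:00:00, Last Resolved: 2019-03-02 11:30:00
"""

def parse_rows(text):
    """Turn 'domain, First Resolved: ts, Last Resolved: ts' lines into tuples."""
    rows = []
    for line in text.strip().splitlines():
        domain, first, last = (p.strip() for p in line.lstrip("- ").split(","))
        rows.append((domain,
                     datetime.strptime(first.split(": ", 1)[1], FMT),
                     datetime.strptime(last.split(": ", 1)[1], FMT)))
    return rows

def summarize(ip, rows, total_count, as_of, stale_days=183):
    """Apply the page's domain-count bands and six-month staleness rule."""
    ipaddress.ip_address(ip)  # ValueError for a domain such as google.com
    if total_count == 0:
        band = "no passive DNS records"
    elif total_count <= 10:   # the page's bands overlap at 10; lower band assumed
        band = "dedicated server or small VPS"
    elif total_count <= 100:
        band = "shared hosting, small CDN or cloud platform"
    else:
        band = "CDN edge node or large cloud platform"
    cutoff = as_of - timedelta(days=stale_days)
    stale = [d for d, _first, last in rows if last <= cutoff]
    return {"band": band, "stale": stale, "sampled": len(rows), "total": total_count}

if __name__ == "__main__":
    # total_count is the count across all result pages, not just the rows sampled;
    # 201 is a constructed value (the page only says "over 200").
    report = summarize("8.8.8.8", parse_rows(SAMPLE), 201, datetime(2026, 6, 1))
    print(report)
```

Stale entries are candidates for "moved away", not proof; as the text says, confirm with other evidence before acting on them.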
Typical Use Cases
- Security Analysis and Attack Tracing: When an IP scans or attacks your server, you can look it up to see what domains are hosted on it. If they belong to legitimate search engine crawlers, there is no need to worry; if they are a batch of oddly spelled domains, it might be a malicious host.
- Website Migration Checks: After moving your website to a new server, check the new IP to confirm which domains are currently pointing to it. This helps uncover configuration omissions or domains incorrectly bound by others.
- Assessing CDN Neighbor Risks: If you host your official website on Cloudflare, do a reverse lookup on the node IP to see if there are any illegal or phishing sites on the same node, allowing you to proactively assess the risk of being blocked by national firewalls or security software due to guilt by association.
Common Misuses
- Entering a domain instead of an IP address: The tool only accepts IP addresses. If you enter google.com, the query will fail.
- Expecting to see all historical domains: This tool relies on passive DNS data. Domains using privacy protection, those never indexed, or those that disappeared after short-term resolution may be missing.
- Using this tool for authoritative rDNS validation: Traditional PTR record lookups are completely different from this tool. This tool does not query PTR records, so please do not use it for email SPF validation, reverse DNS authentication, or other scenarios requiring PTR records.
- Misunderstanding timestamps: The first resolved time is the earliest moment our database observed the domain pointing to the IP, not the domain registration date. The last resolved time is the most recent successful resolution observed; there may have been interruptions or IP changes in between.
- Ignoring pagination and only viewing the first page: If an IP has thousands of domains, looking only at the first page will lead to biased conclusions. Flip through at least a few pages before making a judgment.
Frequently Asked Questions (FAQ)
- What information is included in the query results?
Each row in the results table contains the domain, first resolved time, and last resolved time. Large datasets are automatically paginated with navigation buttons at the bottom.
- Why can't I see my own domain when I search?
Your domain might have privacy protection enabled, use dynamic DNS, or its resolution may have never been indexed by our database. Database coverage also has regional biases and update delays.
- How can I quickly tell if an IP is a CDN or a dedicated host?
Look primarily at the domain count: over 100 is almost certainly a CDN node; 10-100 could be shared hosting or a small CDN; under 10 is mostly dedicated IPs. Also, observe whether the domains belong to different owners.
- Is the first resolved time the exact moment the domain first pointed to the IP?
Not necessarily. It is simply the earliest moment our database observed the association; the actual first pointing time could be earlier. Domestic and international database coverage periods also vary.
- Does this tool support IPv6?
Yes, you can enter an IPv6 address, such as 2001:4860:4860::8888. The operation is identical to IPv4.
- Why does it take a few seconds when clicking the next page?
Paginating initiates a new query request to the server, and response times are affected by network conditions and data volume. If an IP is associated with thousands of domains, processing the request may take a bit longer. Please be patient.
Limitations and Boundaries
This tool is based on third-party passive DNS databases. The results do not represent all domains that have ever pointed or currently point to the IP, nor do they constitute an authoritative historical record. Database coverage has regional differences, and domains from certain countries or regions may not be fully indexed. Please do not use the query results for strict scenarios like judicial forensics or security audits. Query frequency may be limited by the server. Comply with local cybersecurity regulations and do not use this tool for preliminary information gathering for cyberattacks.
Now you can enter an IP address into the input box above and see for yourself which domains are associated with it.