How to find a domain based on the IP address?
Matthew Martinez
We were contacted by our ISP saying that one of our servers was issuing an attack on another computer.
May 23 14:11:35 wdc lfd[14308]: *Port Scan* detected from ***.***.***.*** (US/United States/-). 11 hits in the last 245 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
I don't know what it means, but our server is a factory image, with only a couple programs running.
I would like to know the domain, but don't know how to look it up.
8 Answers
Use nslookup
For example, let's find the domain for 207.46.19.254
C:\>nslookup -type=PTR 254.19.46.207.in-addr.arpa
Non-authoritative answer:
254.19.46.207.in-addr.arpa name = wwwbaytest2.microsoft.com
Note that you reverse the order of the four numbers and append .in-addr.arpa
Remember that an IP-address may have multiple domains, and that the administrators do not always (but mostly should) set up the reverse mappings in DNS.
Two things you can do. One is reverse DNS lookup.
dig -x x.x.x.x
You can also use geoiplookup to find the general area of the source.
Wouldn't the ping -a command also work?
That is, ping -a insert IP address here. It's not always successful though, but it's likely the easiest method.
ARIN WHOIS is probably the default go-to for resolving IPs to the registered names, although I use SANS often also. The search box on both sites is in the upper right corner.
This will only resolve domain names on the internet, not internal domain names you may be looking for.
DomainTools whois and reverse DNS has always been my go-to for easy and accurate sleuthing of this sort.
Both of the following commands are OK!
208.97.177.124 => apache2-argon.william-floyd.dreamhost.com
nslookup -type=PTR 208.97.177.124 in-addr.arpa
nslookup -type=PTR 208.97.177.124
nslookup 208.97.177.124
However, this command is NOT right!
208.97.177.124 => CPE-124-177-97-208.lns6.cha.bigpond.net.au
nslookup -type=PTR 208.97.177.124.in-addr.arpa
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124.in-addr.arpa
Server: phicomm.me
Address: 192.168.2.1
Non-authoritative answer:
208.97.177.124.in-addr.arpa name = CPE-124-177-97-208.lns6.cha.bigpond.net.au
G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124
Server: phicomm.me
Address: 192.168.2.1
Non-authoritative answer:
124.177.97.208.in-addr.arpa name = apache2-argon.william-floyd.dreamhost.com
G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124 in-addr.arpa
*** Can't find server address for 'in-addr.arpa':
Server: phicomm.me
Address: 192.168.2.1
Non-authoritative answer:
124.177.97.208.in-addr.arpa name = apache2-argon.william-floyd.dreamhost.com
G:\JavaScript Testing>
Reference links:
A whois from the command line gets me quite a lot of information, or you can always try a Network Lookup or Whois at
You can also use the host command (tested on Linux):
host -a 1.2.3.4
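Added example (not from any of the answers above): a Python sketch of why the octet order matters when you build the in-addr.arpa name by hand, plus a forward-confirmation check, since a PTR record is set by whoever controls the address block. The function names and the injectable `reverse`/`forward` resolvers are assumptions of this example; the default resolvers use the standard `socket` module and need network access.

```python
import ipaddress
import socket


def ptr_name(ip):
    """Build the PTR query name: octets (nibbles for IPv6) in reverse order."""
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_ptr_name(name):
    """Invert an in-addr.arpa / ip6.arpa name back to the address it describes."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")[::-1]
        if len(nibbles) != 32:
            raise ValueError("ip6.arpa name must have 32 nibbles")
        groups = ["".join(nibbles[i:i + 4]) for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-DNS name: " + name)


def _reverse(ip):
    # Default reverse resolver (assumption: system resolver, network needed).
    return socket.gethostbyaddr(ip)[0]


def _forward(host):
    # Default forward resolver: every A/AAAA address the name resolves to.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def confirmed_hostname(ip, reverse=_reverse, forward=_forward):
    """Return the PTR hostname only if it resolves forward to the same IP.

    On its own a PTR record is a claim by the address-block owner, not
    proof of which domain the host belongs to.
    """
    try:
        host = reverse(ip)
        addrs = {ipaddress.ip_address(a) for a in forward(host)}
    except (OSError, ValueError):
        return None  # no PTR record, or the name does not resolve
    return host if ipaddress.ip_address(ip) in addrs else None
```

`ip_from_ptr_name("208.97.177.124.in-addr.arpa")` returns `124.177.97.208`, which is why the un-reversed query in the answer above came back with a hostname containing `124-177-97-208`.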