
Get all DNS records associated with an IP

Background

The following code returns the IPv4 address of a given alias or host: [System.Net.Dns]::GetHostAddresses('someDnsName').IPAddressToString

The below code returns the HostName (CName) and aliases of an IP: [System.Net.Dns]::GetHostByAddress('172.12.34.56')

I'd therefore expect anything which returns an IP on GetHostAddresses to be listed under the HostName or Aliases of a call to GetHostByAddress (or at least for the FQDN of that item to be listed), i.e. I'd expect the result of the below query to return true:

cls
$name = 'someName'
$fqdn = [System.Net.Dns]::GetHostEntry($name).HostName 
$ip = [System.Net.Dns]::GetHostAddresses($fqdn).IPAddressToString
$result = [System.Net.Dns]::GetHostByAddress($ip) 

#this is the result I'd expect to be true
($result.HostName -eq $fqdn) -or ($result.Aliases -contains $fqdn)

#here's additional info to aid in sense checking
"Name: $name"
"FQDN: $fqdn"
"IP: $ip"
"Result: "
(" - HostName: {0}" -f $result.HostName)
" - Aliases: " 
($result | select -ExpandProperty Aliases) | %{("`t{0}" -f $_)}

However, there are a few A records which are not behaving in this way. This may be a misunderstanding of DNS on my part, a misconfiguration of DNS at my company (it's because of DNS anomalies that I'm writing this script; we found 2 servers on the same IP, so I want to check for others), or something else...

Question

Is there a way to list all DNS names associated with a given IP address? i.e. such that anything which returns an IP from GetHostAddresses will be listed in the results of a reverse lookup on the returned IP address?

JohnLBevan asked Oct 20 '22 06:10


1 Answer

Getting a definite list of all names associated with a given IP address is not feasible when you're looking at the global scope, because any DNS admin can define a record for any IP address in their zone. For instance, I could easily define an A record myoverflow.planetcobalt.net. pointing to the stackoverflow.com IP address 198.252.206.16.

It's less impossible if you're reducing the scope to just your organization. However, you still need to enumerate all forward lookup zones on your organization's DNS servers and check the address of each A record. The answers to the ServerFault question you found do this zone enumeration. You need DNS admin privileges for it, though.

The reason why this gets so complicated is that technically there's no relation between forward and reverse lookup zones. There's no technical requirement for any A record to have any PTR record at all (much less a matching one). You can have two records

foo.example.com.             A    192.168.23.42

and

17.13.113.10.in-addr.arpa.  PTR  foo.example.com.

with no problem. Or multiple A records with no PTR record. Or PTR records with no A record.

Microsoft's DNS server allows you to associate a PTR record with an A record, but that's just a convenience feature. Again, there's no technical requirement in the Domain Name System for this association.

Ansgar Wiechers answered Oct 22 '22 20:10
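
The cross-check the answer describes (compare every A record against the PTR records instead of trusting a reverse lookup), as an added example that is not part of the original question or answer. The record data is constructed sample data standing in for an export of your own forward and reverse zones, and ConvertFrom-ArpaName is a hypothetical helper name.

```powershell
# Constructed sample records (assumption: exported from your own zones).
$aRecords = @(
    [pscustomobject]@{ Name = 'foo.example.com.'; IP = '192.168.23.42' }
    [pscustomobject]@{ Name = 'bar.example.com.'; IP = '192.168.23.42' }
    [pscustomobject]@{ Name = 'app.example.com.'; IP = '192.168.23.50' }
)
$ptrRecords = @(
    [pscustomobject]@{ Owner = '42.23.168.192.in-addr.arpa.'; Target = 'foo.example.com.' }
    [pscustomobject]@{ Owner = '17.13.113.10.in-addr.arpa.';  Target = 'foo.example.com.' }
    [pscustomobject]@{ Owner = '60.23.168.192.in-addr.arpa.'; Target = 'old.example.com.' }
)

# Hypothetical helper: turn an IPv4 reverse-zone owner name into dotted-quad form.
function ConvertFrom-ArpaName([string]$Owner) {
    $octets = ($Owner -replace '\.in-addr\.arpa\.?$', '') -split '\.'
    [array]::Reverse($octets)
    $octets -join '.'
}

# Index PTR targets by the IP address their owner name encodes.
$ptrByIp = @{}
foreach ($p in $ptrRecords) {
    $ip = ConvertFrom-ArpaName $p.Owner
    if (-not $ptrByIp.ContainsKey($ip)) { $ptrByIp[$ip] = @() }
    $ptrByIp[$ip] += $p.Target
}

# 1. IP addresses that more than one A record points to (the "2 servers, 1 IP" case).
$sharedIps = $aRecords | Group-Object IP | Where-Object Count -gt 1 |
    Select-Object @{n='IP';e={$_.Name}}, @{n='Names';e={$_.Group.Name -join ', '}}

# 2. A records that no PTR record for the same IP points back to.
$aWithoutPtr = $aRecords | Where-Object { $ptrByIp[$_.IP] -notcontains $_.Name }

# 3. PTR records whose target has no A record with the matching IP.
$ptrWithoutA = foreach ($p in $ptrRecords) {
    $ip = ConvertFrom-ArpaName $p.Owner
    $match = $aRecords | Where-Object { $_.Name -eq $p.Target -and $_.IP -eq $ip }
    if (-not $match) { $p }
}

'IPs shared by several A records:';    $sharedIps   | Format-Table -AutoSize
'A records without a matching PTR:';   $aWithoutPtr | Format-Table -AutoSize
'PTR records without a matching A:';   $ptrWithoutA | Format-Table -AutoSize
```

With this sample data, 192.168.23.42 is reported as shared by foo and bar, bar and app have no matching PTR, and the 10.113.13.17 and 192.168.23.60 PTR records have no matching A record.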