What Is a Reverse DNS Lookup and Who Uses It

You know a domain like 'google.com' resolves to an IP address. Reverse DNS does the opposite — given an IP address, it returns the associated domain name. The mechanism is different from forward DNS, the data is often different from what you'd expect, and the practical uses are more important than most network documentation suggests.

How Reverse DNS Works

Reverse DNS uses a special domain called in-addr.arpa. To look up the hostname for 93.184.216.34, the query is made to 34.216.184.93.in-addr.arpa — the IP octets reversed, with in-addr.arpa appended. The query returns a PTR record — a pointer record — containing the hostname associated with that IP.

The key difference from forward DNS: the authority over reverse DNS records lies with whoever controls the IP address block, not whoever registered the domain name. Your ISP or hosting provider controls the in-addr.arpa zone for their IP ranges. You set PTR records by requesting them through your provider, not through your domain registrar.

Why Email Servers Care About Reverse DNS

Most email servers perform a reverse DNS check on incoming connections. If the sending IP has no PTR record, or if the PTR record doesn't match a hostname that forward-resolves back to the same IP (a forward-confirmed reverse DNS, or FCrDNS), the message is more likely to be treated as spam or rejected outright.

Here's the thing — this is why 'just send email from any server' doesn't work at scale. Professional email delivery requires a PTR record that matches the sending hostname, which matches the domain in the From header, which has SPF and DKIM records configured correctly. Each layer is a spam signal. Missing reverse DNS is one of the fastest ways to land in the junk folder.

Network Diagnostics and Security Uses

Traceroute output becomes much more readable with reverse DNS — instead of seeing a list of IP addresses at each hop, you see hostnames like 'ae-1.r01.londen03.uk.bb.gin.ntt.net', which tells you the carrier, city, and router number. Network engineers use PTR records to identify infrastructure at a glance.

Security teams use reverse DNS to investigate IP addresses appearing in logs. An IP from a residential ISP's PTR record versus one from a cloud provider has different threat implications. A PTR record containing 'tor-exit' or 'vpn' is an obvious signal. No PTR record at all is also a signal — legitimate infrastructure usually has one.