Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.
Understanding a domain’s infrastructure starts with knowing where it points, and one of the things to check is name servers — the servers that store DNS records and answer queries about domain names, translating them into IP addresses. Name servers are one of the components that make DNS resolution possible, and they are defined by NS records.
Every domain is associated with at least one NS record, and so, NS records could be a valuable source of information when investigating something domain-related. For example, many threat actors tend to use the same DNS setup across their domain-based campaigns. So, in many cases, a group of malicious domains would have the same NS records. Find one such domain, look up its NS record — and it becomes a signal for identifying other domains in the cluster used by the same threat actor.
For identifying such domain clusters that share the same DNS delegation patterns, you’ll need to do a reverse NS lookup. This post explains what it is, how it works, and how to do it.
WHOIS vs. DNS Name Servers
Before we go into the details of how to find all domains on a name server, let’s first differentiate the two places where name servers are listed.
- WHOIS: This is the registration record. It shows which name servers are configured for the domain at the registrar.
- DNS: This is the live configuration. It shows the active authoritative name servers used to resolve the domain and direct traffic.
We’ll refer to DNS name servers throughout this post.
What Is Reverse NS?
A reverse NS lookup allows you to identify every domain name pointing to a particular name server. It’s the opposite of a forward NS lookup, where you start with a domain name to find its assigned name servers.
For forward lookups, you can use a DNS lookup tool or command line commands such as dig or nslookup. But for reverse NS lookups, you’ll need a specialized tool like WhoisXML API’s Reverse NS API, since DNS does not natively provide a way to query all domains associated with a given name server.
How to Find All Domains on a Name server?
To find all domains associated with a name server, you’ll need to query a passive DNS (pDNS) database through an interface such as an API or lookup tool. For example, querying an API using curl looks like this for WhoisXML API’s Reverse NS API:
curl "https://reverse-ns.whoisxmlapi.com/api/v1?apiKey=YOUR_API_KEY&includeAdditionalChecks=1&ns=ns2.google.com"The API returns domains in the database currently using that infrastructure. Be prepared to get a long list, because in the example above, there are thousands of domains associated with ns2.google.com. Here’s a snippet of the results that the query above returns.
{
"current_page": "0",
"size": 300,
"result": [
{
"name": "0031300.com",
"first_seen": 1770752252,
"last_visit": 1770845676,
"active": true,
"wildcard": false
},
{
"name": "00hrf5vjtk.com",
"first_seen": 1696340706,
"last_visit": 1772753141,
"active": true,
"wildcard": false
},
{
"name": "01seifw7uv.com",
"first_seen": 1697545456,
"last_visit": 1772399533,
"active": true,
"wildcard": false
},
]
}Google is not unique in this regard. Large DNS providers use shared name servers, which can return millions of domains — this may require pagination or filtered searches to manage.
What Information Does the Reverse NS API Provide?
As you can see in the actual Reverse NS API lookup results above, the tool allows you to retrieve quite some technical details:
- Associated domains: Get a list of all domain names pointing to the specified name server.
- First seen timestamp: Know when the NS record was first added (to the pDNS database, which doesn’t mean that it was added to the name server at the same time).
- Last visited timestamp: See when the record was last updated (again, in the pDNS database, which would be updated some time after the record is updated).
- Pagination metadata: Shows page counts for large result sets.
- Total records: View the total number of domain records retrieved for the query.
- Existence of DNS records: The “active” field shows whether a DNS record exists for the given domain.
- Wildcard entry: The “wildcard” field indicates whether the DNS record is part of a wildcard entry.
Tools You Can Use to Access Reverse NS
- Reverse NS API: For Automation
For automated workflows, the API is the most suitable choice. You can query it by doing a direct GET request using the following:
https://reverse-ns.whoisxmlapi.com/api/v1?apiKey=YOUR_API_KEY&ns=ns2.google.comIf you already have a WhoisXML API account, you can get your API key from the My Products page. Otherwise, you can sign up and get 500 free API credits. For details on how to use the Reverse NS API, check out the Reverse NS API docs page.
- Reverse NS Lookup: For Individual Lookups
If you need a quick manual check, the Reverse NS Lookup tool provides a visual interface. Simply enter the name server to see the list of associated domains.
- Domain Research Suite (DRS): For Investigations
For more advanced investigations, the DRS allows you to do the same lookup and then pivot to other lookups, including checking WHOIS, WHOIS history, and IP records.
- Passive DNS Database: For Large-Scale Projects
If you are building a security solution and need all sorts of DNS information, including reverse NS, a passive DNS database like WhoisXML API’s DNS Database Download is the best solution that offers the most comprehensive dataset going beyond name servers.