
An FQDN (Fully Qualified Domain Name) is a unique identifier that maps to an IP address, allowing you to access a domain's server.
The process of looking up an FQDN's IP address is called a reverse DNS lookup.
This lookup can be performed using various tools and techniques, including online DNS lookup websites and command-line interfaces like dig and nslookup.
A reverse DNS lookup typically involves querying a DNS server for the IP address associated with a given FQDN.
Curious to learn more? Check out: Fqdn vs Url
Domain and IP Relationships
Zero records for an IP address usually indicate that it's a public IP address that has not yet been used or is blacklisted, abandoned, or newly acquired for future malicious use.
If your infrastructure suddenly starts sending traffic to an IP with zero associated domains, it's a reason to investigate, especially if your intrusion detection systems indicate repeated scanning activity from such an IP address.
One or few associated domains often indicate dedicated IP infrastructure used by businesses or high-profile websites, but it could also be used for phishing, malware hosting, or single-purpose attacks.
About 50 or more associated domains indicate shared hosting, where multiple domains share an IP for cost efficiency or due to a lack of need for dedicated hosting.
Here are some possible interpretations of the number of connected domains an IP address may have:
Hundreds of historically connected domains suggest shared hosting environments, where domains frequently rotate due to changes in hosting plans, or the IP has changed ownership.
If most of the domains associated with an IP have existed for very short periods, it's usually a hint that they were not used for legitimate purposes.
DNS Records
DNS records are like a domain's business card, revealing its IP addresses and potential purpose. A single A record can indicate a small or internal service, but it could also be a malicious domain used for phishing or malware delivery.
Multiple A records usually mean the website uses load balancing or redundancy for improved availability, but dozens of records can indicate a content delivery network (CDN) or malicious infrastructure trying to evade detection.
The number of historical DNS records a domain has can give you clues about its legitimacy. A few records might indicate a new or stably hosted domain, while dozens or hundreds can reflect routine infrastructure updates or hosting provider changes. In the case of malicious infrastructure, frequent IP rotation is suspicious, especially if the domain is newly registered.
Wildcards
Wildcards are another type of domain name that can be tricky to identify. They are often defined as "catch all" resource records that will resolve literally any hostname that hasn’t already been defined by a more specific DNS resource record.
You may stumble upon a wildcarded domain when you find a LOT of unique results for individual delegation points, often tens of thousands (or even hundreds of thousands or more!).
All/most of the responses may have small counts, often just 1 or 2 hits per unique result. This can be a sign that a wildcard domain is in play.
The hostname parts may look random or chosen to be "amusing." Multiple subdomains may be present between the hostname part and the base domain name part.
To investigate a potential wildcard domain, start by making a DNSDB query with the dash ell zero option to ask for as many results as are permitted. The output will be in JSON Lines format.
For example, if you're investigating the IP 72.52.10.14, you may need to make several DNSDB queries to find out how many unique results you'll get for that one IP over the last month.
Here are some clues to look out for:
- Finding a LOT of unique results (often tens of thousands (or even hundreds of thousands or more!) for individual delegation points)
- All/most of the responses we’re looking at have small counts (often just 1 or 2 hits per unique result)
- The hostname parts may look random, or may perhaps may have been chosen to be “amusing”
- There may be multiple subdomains present between the hostname part and the base domain name part.
A and AAAA Records
A and AAAA records are essential components of DNS records that help determine the IP address associated with a domain name. They can be used to identify potential malicious activity or misconfigurations.
A single A record indicates a single server with no redundancy, which can be used for small or internal services, but it could also be a disposable malicious domain. On the other hand, multiple A records suggest load balancing or redundancy for improved availability, common in corporate websites, SaaS platforms, or content delivery networks.
Having dozens of records is typical for content delivery networks (CDNs) or global infrastructure, but it can also indicate an attempt to add redundancy to malicious infrastructure. If IP addresses in all those records belong to different ASNs and different providers, that's an indicator that a domain might be suspicious.
Here are some possible scenarios associated with multiple A records:
- Load balancing or redundancy for improved availability
- Content delivery networks (CDNs) or global infrastructure
- Attempt to add redundancy to malicious infrastructure
- Usage of a fast-flux botnet that makes domains switch rapidly between IP addresses
Historical A and AAAA records can provide valuable insights into a domain's past behavior. A few different historical records may indicate that the domain is very new or has been stably hosted on the same server without redundancy. On the other hand, dozens or hundreds of historical A and AAAA records primarily reflect that the domain has been around for a while, indicating routine infrastructure updates or hosting provider changes.
However, frequent IP rotation in historical records can be a suspicious behavior, especially if the domain is newly registered. This behavior is often seen in botnets, scam operations, or malware distribution networks.
IP Address Lookup

IP Address Lookup is a powerful tool for security and network analysis. It allows you to pivot off an IP address to see the domains it is hosting and analyze its associations, also known as reverse lookups or IP to domain name lookups.
This can be particularly useful in tracking suspicious IP addresses, as it reveals the associated domains, helping incident responders understand the scope of the attack. By doing a reverse lookup, you can identify the domains associated with the IP address, potentially even shutting down the attacker’s infrastructure.
Regularly monitoring FQDN-to-IP mappings can help detect domain hijacking attempts early on, by revealing if a domain suddenly points to an unfamiliar IP address. This can be a sign that the domain has been compromised.
Broadening the scope of forward lookups to include DNS records makes it even more comprehensive, allowing you to identify misconfigurations in DNS records, such as incorrect A records and dangling CNAME records. This can be a valuable insight for network administrators and security professionals.
On a similar theme: Dns Domain Namespace
Domain Connections

Domain connections are a crucial aspect of understanding an IP address's behavior. Zero records usually indicate a public IP address that has not been used, or it could be blacklisted, abandoned, or newly acquired for malicious use.
Having one or few associated domains often suggests dedicated IP infrastructure, used by businesses or high-profile websites. This could also be used for phishing, malware hosting, or single-purpose attacks.
About 50 or more associated domains indicate shared hosting, where multiple domains share an IP for cost efficiency or due to a lack of need for dedicated hosting. This type of hosting is often used by small websites, and malicious actors love shared hosting as it helps them hide their activity.
- Zero records: public IP address not used, blacklisted, abandoned, or newly acquired for malicious use.
- One or few associated domains: dedicated IP infrastructure, used by businesses or high-profile websites, or for phishing, malware hosting, or single-purpose attacks.
- About 50 or more associated domains: shared hosting, used by small websites, or by malicious actors to hide their activity.
Current Domain Connections
You can use a Reverse IP API to see all the domains that currently resolve to a specific IP address. This is called IP to FQDN (Fully Qualified Domain Name) lookups.
By querying the IP using the Reverse IP API, you can get a list of all the domains that are currently connected to it. For example, if you query the IP 31.13.88.1, you'll get five different FQDNs all pointing to this same IP.
Consider reading: Azure Api Management Whitelist Ip
The UNIX timestamps showing when each of those FQDNs was first and last seen can also be useful in analyzing the connections. This information can help you understand when the domains started and stopped resolving to the IP address.
There are several possible interpretations for the number of connected domains an IP address may have. Here are some possible scenarios:
- Zero records usually indicate that it’s a public IP address that has not yet been used for some reason. It could also be blacklisted, abandoned, or newly acquired for future malicious use.
- One or few associated domains often indicate dedicated IP infrastructure, typically used by businesses or high-profile websites.
- About 50 or more associated domains indicate shared hosting, where multiple domains share an IP for cost efficiency or due to a lack of need for dedicated hosting.
Shadow IT Discovery
Shadow IT Discovery is a crucial aspect of domain connections. It involves identifying unauthorized IT assets within an organization.
In large organizations, IP-to-domain and domain-to-IP mappings can unveil shadow IT assets. For example, a new domain that points to an internal IP address should raise a red flag, especially if it is unknown to the IT department.
Lookup and Tracking
You can use forward and reverse lookup results to track suspicious IP addresses and understand the scope of an attack.
Doing a reverse lookup on an IP address that exhibits malicious behavior reveals the associated domains, helping incident responders identify and shut down the attacker's infrastructure.
Tracking these domains can also help you correlate events and link different security alerts that may have otherwise been treated as separate events.
Forward and reverse lookup queries can link multiple security alerts that resolve to the same IP address, suggesting a coordinated attack.
Proactively monitoring IP addresses and their associated fully qualified domain names can uncover infrastructure used by threat actors for malicious activities, such as phishing and malware distribution.
This information can be used to block access to these resources and protect users.
Prevent Domain Hijacking and Detect DNS Misconfigurations
Regularly monitoring FQDN-to-IP mappings can help detect domain hijacking attempts early on. This is because a sudden change in the IP address associated with a domain could indicate a hijacking attempt.
Monitoring FQDN-to-IP mappings can also help identify DNS misconfigurations, such as incorrect A records. These misconfigurations can cause issues with domain resolution and communication.
A sudden change in the IP address associated with a domain can indicate that the domain has been compromised. This is a warning sign that needs to be investigated further.
Broadening the scope of forward lookups to include DNS records makes it even more comprehensive. This can help identify misconfigurations in DNS records, such as dangling CNAME records.
For another approach, see: Fqdn vs Hostname
Prevention and Detection
Monitoring FQDN-to-IP mappings is essential to detect domain hijacking attempts early on. Regular checks can help you identify if a domain suddenly points to an unfamiliar IP address, which could indicate a hijacking attempt.
Monitoring FQDN-to-IP mappings can also help you identify misconfigurations in DNS records. This can include incorrect A records and dangling CNAME records.
Broadening the scope of forward lookups to include DNS records makes it more comprehensive. It can help identify misconfigurations in DNS records.
Identifying misconfigurations in DNS records can help you prevent domain hijacking. Regularly monitoring DNS records can help you catch any issues before they become a problem.
Regular checks can help you identify if a domain suddenly points to an unfamiliar IP address. This can be a sign of a hijacking attempt.
Here's an interesting read: Https Portal Ip Address or Fqdn
FQDN and IP Issues
Monitoring FQDN-to-IP mappings is crucial to detect domain hijacking attempts early on.
Regularly checking these mappings can help identify unfamiliar IP addresses that a domain suddenly points to, indicating potential compromise.
Domain hijacking can be devastating, so it's essential to stay on top of these mappings.
Broadening the scope of forward lookups to include DNS records can help identify misconfigurations in DNS records, such as incorrect A records and dangling CNAME records.
Incorrect A records can lead to website downtime and lost business, making it a critical issue to address.
Additional reading: Azure Dns Ip
FQDN Objects with Invalid Addresses in R80.40 T78
FQDN objects with invalid addresses in R80.40 T78 can be a real headache to deal with. This issue can occur when the FQDN object is created with an invalid IP address.
In some cases, the FQDN object may be created with an IP address that is not associated with any domain name. As mentioned in Example 2, this can happen when the IP address is not in use or is being used "raw" without a domain name.
It's also possible that the IP address is associated with multiple domains, but the FQDN object is created with an invalid or non-existent domain name.
Expand your knowledge: What Does It Mean When a Domain Is Parked
Here are some possible reasons why FQDN objects with invalid addresses may appear in R80.40 T78:
- The IP address is not in use or is being used "raw" without a domain name.
- The IP address is associated with multiple domains, but the FQDN object is created with an invalid or non-existent domain name.
- The FQDN object is created with a pseudo-random hostname that is not associated with any domain name.
If you're experiencing issues with FQDN objects having invalid addresses in R80.40 T78, it's essential to investigate the root cause of the problem to resolve it efficiently.
To troubleshoot this issue, you can try the following steps:
- Check the IP address associated with the FQDN object to see if it's valid and associated with any domain name.
- Verify that the FQDN object is created with a valid and existing domain name.
- Use tools like DNSDB or Whois to check the IP address and domain name associations.
By following these steps, you can identify the cause of the issue and take corrective action to resolve it.
V Can Be Recycled and Reused Sequentially
IPs can be recycled and reused sequentially, much like a landlord re-rents an apartment after the lease expires. This means that an IP address can be assigned to one FQDN and then repurposed for a completely different FQDN.
For example, an IP address might be used by one FQDN for a period of time before being reassigned to a new FQDN. This can make it difficult to determine which FQDN was associated with the IP address at a given time.

Having a full timestamp, including time zone information, is crucial when using passive DNS to map IP addresses to domain names. This ensures that you get the right host mapped to a given IP for a particular time.
A single IP address can have at least four million unique results associated with it, as seen in the example where just a small set of delegation points showed 100,000 manually-assigned hostnames. This is highly unusual and may indicate something suspicious is going on with the domain names.
Readers also liked: What Is a Web Domain Names
Featured Images: pexels.com

