David Waugh

Creating a Feed to Automatically Perform a Reverse Lookup of IP Addresses to Hostnames

Blog Post created by David Waugh Employee on May 5, 2016

I had a customer who was trying to investigate IP source and destination addresses but was having to manually do reverse DNS lookups on each IP address to find out the corresponding hostname.


This was a similar situation to my post:

User Agent to Device/OS/Application


This script is only provided as a proof of concept so I would strongly recommend testing it first in a test environment. Please be aware that it will perform a large number of reverse DNS lookups.


The following script will create a feed of reverse DNS names, producing output such as the following:

a92-123-72-104.deploy.akamaitechnologies.com
a92-123-72-105.deploy.akamaitechnologies.com
a104-67-51-113.deploy.static.akamaitechnologies.com
lga15s43-in-f3.1e100.net
n1plpkivs-v01.any.prod.ams1.secureserver.net
a23-55-149-163.deploy.static.akamaitechnologies.com
a23-205-169-35.deploy.static.akamaitechnologies.com
a23-223-98-155.deploy.static.akamaitechnologies.com
ip-50-62-56-98.ip.secureserver.net
ip-50-62-133-237.ip.secureserver.net
ec2-54-187-229-30.us-west-2.compute.amazonaws.com
server-54-240-190-91.jfk6.r.cloudfront.net
qg-in-f93.1e100.net
https-87-248-214-110.lon.llnw.net
a92-123-72-89.deploy.akamaitechnologies.com
a92-123-72-97.deploy.akamaitechnologies.com
a92-123-72-103.deploy.akamaitechnologies.com
a92-123-72-111.deploy.akamaitechnologies.com
a104-69-248-249.deploy.static.akamaitechnologies.com
a104-86-110-50.deploy.static.akamaitechnologies.com
jamie.cloud.virtualmin.com
lga15s42-in-f14.1e100.net
ec2-184-169-140-194.us-west-1.compute.amazonaws.com
labs.snort.org
ftp2.neu.edu.cn
a-0001.a-msedge.net
bbc-vip146.telhc.bbc.co.uk
bbc-vip112.telhc.bbc.co.uk
lga25s41-in-f3.1e100.net,lga25s41-in-f227.1e100.net


Where an IP address resolves to multiple domain names, the domain names are separated by commas; for example, on the last line the IP address maps to the domain names lga25s41-in-f3.1e100.net and lga25s41-in-f227.1e100.net.


The script is designed to be placed on a CentOS 6 web server, where it will write the feed to /var/www/html/RDNS-src.csv.

It is designed to be run as a cron job.


The script looks for all source ip addresses, but can also be modified to look for destination ip addresses.


#!/bin/bash

# Copy the existing feed to a backup location
mv /var/www/html/RDNS-src.csv /var/www/html/RDNS-src.csv.bak

# We keep all IP addresses that we have processed in /tmp/ipprocessed.txt
touch /tmp/ipprocessed.txt

# First get a list of ip.src from our Broker.
# The Broker query URL was left empty in the original post; fill it in before running.
# Note that credentials given with --user are visible in the process list; curl's -n/--netrc option avoids that.
curl -s --user 'admin:netwitness' '' |grep field |cut -f 2 -d ">" |cut -d "<" -f1 |grep -v rsyslogd |grep -v pts |grep -v ignored |grep -vF '()' >/tmp/RDNS-src.txt

while read -r p; do
  # -x -F matches the whole line literally, so 10.1.1.1 does not match 10.1.1.10
  # and the value is never interpreted as a regular expression
  cmd=$(grep -cxF -- "$p" /tmp/ipprocessed.txt)
  if [ "$cmd" -eq 0 ]; then
    #echo "IP SRC $p not previously seen so process it"
    #echo "$p" >>/tmp/ipprocessed.txt
    # host prints one "... domain name pointer <name>." line per PTR record:
    # take field 5, drop the trailing dot, and join multiple names with commas
    OUTPUT=$(host "$p" |grep -v "not found" |grep "domain name pointer" |cut -d" " -f 5 | rev | cut -c 2- | rev |sed -n -e 'H;${x;s/\n/,/g;s/^,//;p;}')
    if [ "$OUTPUT" != "" ]; then
      echo "$p,$OUTPUT" >>/var/www/html/RDNS-src.csv
    fi
  else
    : #echo "IP address already in processed list"
  fi
done </tmp/RDNS-src.txt
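The loop above trusts whatever the Broker export returns and hands it straight to host(1), relying on a chain of grep -v filters to weed out values that are not IP addresses. The following is an added example, not code from the original post or from RSA, of a hardened version of the same lookup loop written in POSIX sh: it validates that each candidate is a dotted-quad IPv4 address before it reaches the resolver, deduplicates the input, reuses lines already present in the previous feed file so unchanged addresses are not queried again, and emits the same "ip,name1,name2" layout the feed uses. The file paths are passed as arguments instead of being hard-coded, and the resolver command defaults to host but can be overridden through a RESOLVER variable (both are assumptions for this example) so the logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not part of the original post): hardened reverse-DNS feed builder.
# Assumptions: host(1) output format "<ptr>.in-addr.arpa domain name pointer <name>.";
# RESOLVER, if set, names an alternative command with the same output format.
set -u

# is_ipv4 <string>: succeeds only for a dotted-quad IPv4 address whose four
# octets are all in 0..255. The body runs in a subshell so the IFS change
# and positional parameters stay local.
is_ipv4() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, non-digit, leading/trailing/double dot
  esac
  IFS=.
  set -- $1                              # split into octets
  [ $# -eq 4 ] || exit 1
  for octet; do
    [ "$octet" -le 255 ] || exit 1
  done
  exit 0
)

# Reads host(1) output on stdin and prints the PTR names joined by commas,
# with the trailing dot removed. Prints nothing when no PTR record is present.
ptr_names_from_host_output() {
  awk '/ domain name pointer /{ n = $NF; sub(/\.$/, "", n)
                                 names = names (names == "" ? "" : ",") n }
       END { if (names != "") print names }'
}

# resolve_ptr <ip>: runs the resolver (host by default) and prints the joined names.
resolve_ptr() {
  "${RESOLVER:-host}" "$1" 2>/dev/null | ptr_names_from_host_output
}

# build_feed <ip-list-file> <output-csv> [previous-csv]
# Writes one "ip,names" line per valid, unique IP. A line for the same IP in
# the previous feed is copied instead of triggering a new lookup.
build_feed() {
  list=$1; out=$2; prev=${3:-}
  : > "$out"
  sort -u "$list" | while IFS= read -r ip; do
    is_ipv4 "$ip" || continue            # drops rsyslogd, pts, () and other non-IP values
    cached=
    if [ -n "$prev" ] && [ -r "$prev" ]; then
      cached=$(awk -F, -v ip="$ip" '$1 == ip { print; exit }' "$prev")
    fi
    if [ -n "$cached" ]; then
      printf '%s\n' "$cached" >> "$out"
    else
      names=$(resolve_ptr "$ip")
      if [ -n "$names" ]; then
        printf '%s,%s\n' "$ip" "$names" >> "$out"
      fi
    fi
  done
}

# Example invocation (paths are placeholders):
#   build_feed /tmp/RDNS-src.txt /var/www/html/RDNS-src.csv /var/www/html/RDNS-src.csv.bak
```

Validating before resolving matters because the Broker export is an attacker-influenced data source: an observed value that is not an IP address never becomes an argument to host. Passing the previous feed as the third argument gives the cron job the incremental behaviour the commented-out ipprocessed.txt bookkeeping was aiming for without dropping earlier entries from the rebuilt feed.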