digging an IP gives me an unregistered domain name, why?

Alexis Wilke asked:

I get spam all the time (what a surprise!) and once in a while I check the IP address to see where it comes from (i.e. .cn, .cz, .pl, etc.)

Today I was surprised as I found the output of dig to be:

prompt# dig -x 94.102.52.186
186.52.102.94.in-addr.arpa. 3600 IN PTR user186.mbenzforums.net.

and then the output of whois to be:

prompt# whois mbenzforums.net
No match for "MBENZFORUMS.NET".

How is that possible? Is it because the mbenzforums.net domain was attached to that IP and then did not get renewed, but still assigned to the IP?

I thought that such would very quickly disappear (within a day or so) and am not thinking that I’d catch that “just in time”…

My answer:


Anyone can set the PTR record to whatever they want. It doesn’t have to be valid, or it could be valid and later become invalid.

If you really want to know about an IP address, use whois on it. (This example uses GNU jwhois, which most Linux distributions ship.)

whois 94.102.52.186

View the full question and answer on Server Fault.
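
Since a PTR record is only a claim made by whoever controls the reverse zone, the usual check is forward-confirmed reverse DNS: look up the PTR name, resolve that name forward, and see whether it points back at the same address. The following is an added example, not part of the original question or answer; the function names and sample tables are constructed for illustration, and the 192.0.2.x / example.com entries are placeholders.

```python
import ipaddress
import socket

# Constructed sample data so the example runs offline. The first entry mirrors
# the question: a PTR naming a domain that does not resolve forward.
SAMPLE_PTR = {
    "94.102.52.186": ["user186.mbenzforums.net"],
    "192.0.2.10": ["mail.example.com"],
}
SAMPLE_FWD = {"mail.example.com": {"192.0.2.10"}}


def ptr_names(ip):
    """Live reverse lookup: PTR names for ip, or [] if there are none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def forward_addrs(name):
    """Live forward lookup: every A/AAAA address for name, or an empty set."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (OSError, UnicodeError):  # PTR content is untrusted input
        return set()


def fcrdns(ip, reverse=ptr_names, forward=forward_addrs):
    """Return (status, names): 'no-ptr', 'unconfirmed' or 'confirmed'.

    names holds the PTR names that resolve back to ip when confirmed,
    otherwise whatever the PTR claims.
    """
    want = ipaddress.ip_address(ip)
    claimed = reverse(ip)
    if not claimed:
        return "no-ptr", []
    confirmed = [
        n for n in claimed
        if any(ipaddress.ip_address(a) == want for a in forward(n))
    ]
    return ("confirmed", confirmed) if confirmed else ("unconfirmed", claimed)


if __name__ == "__main__":
    for ip in ("94.102.52.186", "192.0.2.10", "192.0.2.99"):
        print(ip, fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                         lambda n: SAMPLE_FWD.get(n, set())))
```

Calling `fcrdns(ip)` with the default arguments performs live lookups through the system resolver. An "unconfirmed" result means the hostname should be treated as unverified text, and `whois` on the address remains the way to find who holds it.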

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.