Discover the hostnames served by an IP address — live, from reverse DNS and TLS certificate data. Enter an IP or a domain.
Discovering hostnames on ...
Daily scan limit reached
Sign up free to get 10 scans/day — or upgrade for unlimited access.
Redirecting to report...
A reverse IP lookup finds the hostnames served by an IP address — answering "what else is hosted here?". Secably discovers them live from the IP's reverse DNS (PTR) record and the hostnames in the TLS certificate it serves, then verifies which ones currently point at that IP. Free, no signup, results in seconds.
A reverse IP lookup answers a simple question: which hostnames are served by this IP address? A forward DNS lookup goes from a domain to its IP. A reverse IP lookup goes the other way — from an IP back to the domains and hostnames that live on it.
It is most useful when several sites share one server (shared hosting), when you want to find other properties on your own infrastructure, or when you are mapping the attack surface of a target during reconnaissance and want to know what else that IP exposes.
DNS is one-directional in practice: going from a domain to an IP is instant, but there is no built-in index from an IP back to every domain on it. You cannot ask an IP to list all the sites it hosts — that information simply isn't stored there.
What the IP does reveal, live, is its reverse DNS record and the certificate it serves. Secably reads exactly those, so the results are always current — never a stale snapshot from someone else's old database.
Secably discovers hostnames straight from the live IP, then cross-checks each one against DNS.
Reads the IP's PTR record — the hostname the network operator has assigned to it. Fast, but usually just one name.
Connects to the IP's HTTPS ports and reads the certificate's Common Name and Subject Alternative Names — the domains the server itself presents.
Each discovered hostname is resolved back to check whether it currently points at this IP, so you can tell live associations from ones only listed in an old certificate.
Honest limitation: a single live connection returns the server's default certificate, so on shared hosts with many unrelated domains the live result is partial. Broad "every domain ever seen on this IP" coverage needs a historical passive-DNS dataset, which is inherently incomplete and can be out of date. Secably prioritizes accuracy and freshness over an inflated, stale count.