How does reverse DNS lookup work?
E.g. I run dig youtube.com and I get the A record 172.217.0.46.
If I do a reverse DNS lookup using this IP, I get
172.217.0.46 lga15s43-in-f14.1e100.net
lga15s43-in-f14.1e100.net does have this A record (172.217.0.46), but this is not what I would like to get from the reverse DNS lookup. I want to get youtube.com from the IP address.
Is there a way to get all domain names associated with an IP address? I am looking for a solution for a Linux system.
How does reverse DNS lookup work?
The same way as forward DNS, but using a different record type.
When you do dig -x 172.217.0.46, in fact it is like doing dig PTR 46.0.217.172.in-addr.arpa, so you are just querying, even without knowing it, a different branch of the DNS tree. in-addr.arpa was established long ago as the starting point of IPv4 DNS delegations. Blocks of IP addresses are then delegated to IANA, and from there to the 5 existing RIRs, which themselves delegate them to the LIRs using the corresponding IP blocks.
It works the same way for IPv6, but just under another branch.
I want to get youtube.com from the IP address.
You may want it, but why? Both "branches" (the forward one and the reverse one) have no operational need to stay synchronized, and in fact never will be, because they are managed by different companies.
Everything starts at IANA but then:
Imagine a relatively mid-sized web hosting company. It may be controlling a given block of IP addresses but does shared virtual hosting: clients can host their websites there, and the hosting company uses multiple IPs for all of the websites hosted. Synchronizing the PTR records would be just a huge task and have 0 benefits: outside of email, PTR records are not very much used. Also, even if technically possible, the case of one PTR record giving multiple names for a given IP address will probably not be handled properly by many applications.
RIR data is public. You can download the list of owners (LIRs) of each IPv4 and IPv6 block and do searches there. It may not give you exactly the name you are looking for. You can also interactively query the data using the whois protocol (that does not use the DNS but goes to the same authoritative source).
If we take again your IP address as example:
$ whois 172.217.0.46
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2019, American Registry for Internet Numbers, Ltd.
#
NetRange: 172.217.0.0 - 172.217.255.255
CIDR: 172.217.0.0/16
NetName: GOOGLE
NetHandle: NET-172-217-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS15169
Organization: Google LLC (GOGL)
RegDate: 2012-04-16
Updated: 2012-04-16
Ref: https://rdap.arin.net/registry/ip/172.217.0.0
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2018-10-24
So you can see this IP address "belongs to" Google, but you cannot derive from that what websites run on top of it.
Is there a way to get all domain names associated with an IP address? I am looking for a solution for a Linux system.
Yes, there is a way, and various companies provide you this service online but typically not for free.
How they do it:
So it is technically easy, just tedious and a high volume of data to manipulate. On top of that you need to remember that any name->IP mapping can change at any time. Hence, this database may be obsolete the moment it is created, so of course they redo the forward resolution regularly.