How to find all hostnames in DNS attached to one IP?

Solution 1:

Not really, no. This is all about the difference between forward and reverse DNS lookups.

A forward lookup is the standard name->IP lookup. So, you would have to know all the names in advance.

What you want is to do an IP->name lookup, but somehow get all the names you've applied in your Apache config and in DNS as A records (or CNAMES or whatever).

What you will probably find is that doing a reverse lookup (e.g. dig @nameserver $ip -x) will return the hostname given to that IP by the people who own that netblock, which could be your ISP. It might have a name like 45-23-45-231.big-isp.com, which doesn't mean a whole lot to you. And crucially, there is only one reverse record, but potentially many forward ones.

I suppose it boils down to the question - how does the reverse zone know about any of the records in the forward zone? In most setups, the forward zone is made available to the customer to make changes to, but the reverse zone is maintained by the owners of the netblock. The two systems don't need to know anything about each other to function.

Solution 2:

It's not possible to do it with the DNS protocol itself, because typically there's only one PTR record for each IP address, even though there may be many A records pointing at that IP address.

However, some companies (e.g. http://www.ip-adress.com/) have managed to compile databases containing what you're after by storing the results of a whole load of DNS lookups and then offering a reverse-query into their own databases.

Those databases can't be definitive though; they can't guarantee to know about every possible domain that might happen to point at that IP - they can only record the DNS details for the domain names that they've actually looked up.


Solution 3:

The only way to do this is to have the content data of the domain name you want to inspect.

With this content you can develop a recursive script to search for hostnames relative to your IP (recursive because of possible CNAMEs to check).

To get the data for a partner domain name, you can ask to be a secondary and get the data with a dig -t axfr.
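The recursive search described above, as an added example that is not part of the answer: assuming the zone content has already been obtained (for instance from a secondary's copy) and is available as dig-style "name TTL IN TYPE RDATA" lines, the script below lists every name that ultimately resolves to a given IP, following CNAME chains and also coping with dangling aliases and CNAME loops. The zone data is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample zone in dig presentation format (documentation addresses, not real hosts).
SAMPLE_ZONE = """\
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
ns1.example.com.      3600 IN A     192.0.2.53
www.example.com.      3600 IN A     192.0.2.10
mail.example.com.     3600 IN A     192.0.2.25
blog.example.com.     3600 IN CNAME www.example.com.
shop.example.com.     3600 IN CNAME blog.example.com.
old.example.com.      3600 IN CNAME gone.example.com.
loop-a.example.com.   3600 IN CNAME loop-b.example.com.
loop-b.example.com.   3600 IN CNAME loop-a.example.com.
"""

def parse_zone(text):
    """Return ({name: [ip, ...]}, {alias: target}) from dig-style zone lines."""
    a_records = defaultdict(list)
    cnames = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines and comments
        name, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4].lower()
        if rtype == "A":
            a_records[name].append(rdata)
        elif rtype == "CNAME":
            cnames[name] = rdata
    return a_records, cnames

def resolve_names(a_records, cnames):
    """Map every name to its final A-record IPs, following CNAME chains.
    A dangling alias or a CNAME loop yields an empty list instead of recursing forever."""
    resolved = {}
    for name in list(a_records) + list(cnames):
        current, seen = name, set()
        while current in cnames and current not in seen:
            seen.add(current)
            current = cnames[current]
        resolved[name] = [] if current in seen else a_records.get(current, [])
    return resolved

def hostnames_for_ip(zone_text, ip):
    """Return the sorted hostnames in the zone that ultimately point at ip."""
    a_records, cnames = parse_zone(zone_text)
    return sorted(n for n, ips in resolve_names(a_records, cnames).items() if ip in ips)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.25"):
        print(ip, "->", hostnames_for_ip(SAMPLE_ZONE, ip))
```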


Solution 4:

I think you're coming at this from the wrong direction. Aside from either a) querying every DNS server in existence for every possible domain name and then storing the result or b) getting zone transfers from the DNS servers you're interested in, there's no way to do this with DNS.

Well, if you're running Apache name-based vhosts, you already have a list of domains that will reach your server. Aside from the default vhost, a name-based vhost will only answer for its name. So if I point foobar.com at my box, and don't have a foobar.com vhost, it'll either be served by the default or not get answered (if you don't have a default server).

Apache has some very powerful logging features. It shouldn't be a problem to define a custom log format with the request lines you want. Also, there's always the referrer field.

Mail, on the other hand, is a bit more of a pain. About the best thing I can think of is to pick what you can from the server logs and, if you really need to know, set up a packet capture for SMTP.


Solution 5:

You should check out RobTex. Not the best web design, but very useful! You can find out all the DNS names associated with an IP.

Of course, as Alnitak explained,

It's not possible to do it with the DNS protocol itself

That means that this website is just a huge database of most DNS/IP servers. That's pretty efficient but not 100% exhaustive.