You're describing the technique correctly.
dig is a "forward" lookup tool, meaning it takes a name and turns it into an IP address.
IP address to name mapping doesn't have to match.
And, in fact, if the IP address is part of a CDN, a cloud provider, or something else, it may not match.
So, for example, when a connection to 209.87.209.88 hits a rule destined for *.checkpoint.com, we look up 88.209.87.209.in-addr.arpa.
As that results in an NXDOMAIN response, that IP will never be considered part of *.checkpoint.com.
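The reverse-lookup-based matching described in this answer, as an added illustration that is not part of the original post: it builds the `in-addr.arpa` (or `ip6.arpa`) query name from an address and then checks a wildcard rule against whatever PTR name comes back. The PTR records here are a constructed in-memory table standing in for a real resolver (a missing entry plays the role of NXDOMAIN); the `matches_wildcard_rule` helper and its suffix-matching semantics are assumptions for this example, not any vendor's actual rule engine.

```python
import ipaddress
from typing import Dict, Optional

# Constructed PTR data standing in for a real reverse resolver (assumption, not real DNS).
# Keys are the reverse names that would be queried; a missing key stands for NXDOMAIN.
SAMPLE_PTR_ZONE: Dict[str, str] = {
    "10.0.2.10.in-addr.arpa": "www.checkpoint.com",        # forward and reverse agree
    "20.0.2.10.in-addr.arpa": "edge-node-7.cdn.example",   # CDN host: reverse name differs
}


def reverse_name(ip: str) -> str:
    """Return the PTR query name for an IPv4 or IPv6 address.

    For IPv4 this is the octets reversed under in-addr.arpa, e.g.
    209.87.209.88 -> 88.209.87.209.in-addr.arpa; for IPv6 it is the
    nibble-reversed form under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip: str, zone: Dict[str, str] = SAMPLE_PTR_ZONE) -> Optional[str]:
    """Simulated reverse lookup: None where a resolver would answer NXDOMAIN."""
    return zone.get(reverse_name(ip))


def matches_wildcard_rule(ip: str, rule: str, zone: Dict[str, str] = SAMPLE_PTR_ZONE) -> bool:
    """Decide whether an address falls under a wildcard rule such as '*.checkpoint.com'.

    The decision is made purely on the reverse (PTR) name, which is exactly why
    an address whose PTR record is missing, or points at a CDN/cloud hostname,
    can never match even if a forward lookup of the rule's name would return it.
    """
    ptr = lookup_ptr(ip, zone)
    if ptr is None:                      # NXDOMAIN: nothing to compare against
        return False
    suffix = rule.lower().lstrip("*")    # "*.checkpoint.com" -> ".checkpoint.com"
    return ptr.lower().rstrip(".").endswith(suffix)


if __name__ == "__main__":
    for addr in ("10.2.0.10", "10.2.0.20", "209.87.209.88"):
        print(addr, reverse_name(addr), lookup_ptr(addr),
              matches_wildcard_rule(addr, "*.checkpoint.com"))
```

Running it shows the three cases side by side: a host whose PTR agrees with the forward name matches, a CDN-fronted host with a different PTR name does not, and the address from the answer above (no PTR record in the constructed zone) is rejected outright.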