There are some sites we need to block and it is more efficient to block the entire IP range that belongs to a DNS domain than to try to find each individual web server. One example is myspace.com. Their web sites are spread over several class C ranges.
I know there was a way to find the ranges used by specific domains because I used it before. Since my laptop died I haven't been able to remember where to go to find an IP range that corresponds to a domain.
I would appreciate it if someone pointed me to the link.
Thanks.
rt
ASKED:
April 27, 2006 12:52 PM
UPDATED:
May 1, 2006 6:27 PM
I did it before. I was able to discover that a certain domain was linked to two independent class C nets and a group of four contiguous class Cs.
The really irritating thing is I don’t remember where I went to get this information.
rt
Hi:
I am not sure if this will get all of what you need but you could try to do a DNS lookup from the command line for example
nslookup myspace.com
returned 4 address spaces as follows
63.208.226.43, 63.208.226.40, 63.208.226.41, 63.208.226.42.
You could pipe the return information into a log file that you can then parse for whatever use you may need.
Let us know if this works for you.
RWJ
Hi astronomer,
You probably did this years ago when it was generally accepted to allow zone transfers without much fuss… You may use any of:
host -l some.domain.name,
dig -t axfr some.domain.name, or
“ls some.domain.name” in the interactive shell of nslookup
but odds that you’ll get an answer are tiny.
BR and good luck,
Petko
To see their entire subnet, you take the IP address(es) from the nslookup (of their A record) and put that address into a Whois at http://www.arin.net. The results from arin will show the entire subnet. For instance:
1) A record on http://www.network-tools.com is 66.98.244.117
2) Arin.net whois for 66.98.244.117 shows a CIDR of 66.98.128.0/17.
Go to http://www.dnsstuff.com or http://www.network-tools.com for some graphical lookup tools.
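The nslookup-then-ARIN-whois procedure above, written out as a script. This is an added example and not code from anyone in the thread; the whois server, the `n` network-query prefix and the ARIN field names are real, while the sample whois text is constructed from the addresses in Joshua's example so the parser can be exercised offline.

```python
"""Resolve a domain's A records, ask ARIN whois which block each address
belongs to, and pull the CIDR(s) out of the answer (added example)."""
import ipaddress
import re
import socket

# Constructed sample in ARIN's whois output style (field names are real ARIN
# fields; the values reuse the 66.98.244.117 / 66.98.128.0/17 pair from the
# thread and are otherwise made up).
SAMPLE_WHOIS = """\
NetRange:       66.98.128.0 - 66.98.255.255
CIDR:           66.98.128.0/17
NetName:        EXAMPLE-NET
NetHandle:      NET-66-98-128-0-1
"""

def resolve_a_records(domain):
    """IPv4 A records for a domain, i.e. what 'nslookup domain' prints."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def whois_query(ip, server="whois.arin.net"):
    """Raw whois text for an address from an RIR whois server (TCP port 43).
    'n ' asks ARIN for the network record rather than a person/org match."""
    with socket.create_connection((server, 43), timeout=10) as sock:
        sock.sendall(("n " + ip + "\r\n").encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def parse_cidrs(whois_text):
    """Every CIDR: line in the output; one record may list several blocks,
    comma separated, so split on commas as well as lines."""
    blocks = []
    for line in whois_text.splitlines():
        m = re.match(r"^CIDR:\s*(.+)$", line)
        if m:
            blocks.extend(ipaddress.ip_network(c.strip(), strict=False)
                          for c in m.group(1).split(","))
    return blocks

def covering_block(ip, blocks):
    """The parsed block that contains ip, or None. Check this before adding
    a block to a firewall rule so a typo never blocks someone else's range."""
    addr = ipaddress.ip_address(ip)
    return next((b for b in blocks if addr in b), None)

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "myspace.com"
    for ip in resolve_a_records(domain):
        print(ip, "->", covering_block(ip, parse_cidrs(whois_query(ip))))
```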
Thanks Joshua:
That is how I did it the last time. When I stumbled across it the first time I didn’t think about it as a special method. Now I know better. I’m going to write this down and tell my friends so I don’t forget again.
rt
Astronomer,
I think that you may be approaching this problem the wrong way. Instead of blocking the destination IP ranges, you should be blocking anything that attempts to connect to that domain. I don’t know how you’re setup, but if you have a proxy server between your users and the Internet, such as squid, you can set it to deny based on domain name, IP Address/Range, regular expressions (extremely cool), time, url regular expressions, ports, protocols, method, browser, user id, and the list goes on. In your case, you’d setup the following (domain based):
# Define ACLs
# Match domain google.com
acl deny_g dstdomain .google.com
# Match regular expression, which is case insensitive
acl deny_g_rex url_regex -i google
# Implement ACLs
# Blocks access to google domain
http_access deny deny_g
# Blocks word google within the URL – case-insensitive
http_access deny deny_g_rex
Here’s the only Squid book you’ll ever need:
http://squid.visolve.com/squid/squid24s1/access_controls.htm
Wayne
Wayne:
Up till now we have done blocking on our PIX. I started looking at squid for this just last week.
We have an issue with myspace.com. Several instructors requested we block it because of the disruption it causes in the classrooms and library.
Blocking the myspace ranges worked for a while. Now the determined students are using public proxies to bypass our rules. I started blocking public proxies. Finding the range really helps there. Now the problem is escalating. The out-going rules started out nearly empty but now have grown to larger than the incoming rules. I found some open proxy lists amounting to hundreds of addresses. This is completely unmanageable by the pix.
I’m looking at building an open proxy block list for the squid and updating it when we get additional complaints. The domain option will help here.
Another possibility I would like to try would involve regular expressions but I don’t know quite where to begin. If squid can block the request going to the open proxy I wouldn’t need a massive open proxy block list. That would be an elegant solution.
The problem here is I don’t expect the destination URL to be in the normal location. This is an area I know next to nothing about and would require significant investigation. This would be fun to track down but I question whether I can invest the required level of time. Given my other duties as network engineer, I may have to go with the blunderbuss approach with the huge list.
Eventually I expect to purchase one of those layer 7 filters. Hopefully it will know how to screen the public proxies.
Thanks for pointing out the relevant instructions. I plan on using them.
rt
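Putting Wayne's ACL approach together with the block lists rt describes, as an added configuration example (not the thread's own squid.conf). It assumes Squid 2.x-era syntax, matching the linked visolve manual, and the three list files named in the comments; each file holds one entry per line.

```text
# Added example squid.conf fragment, not from the thread.
# Squid 2.x has no built-in "all" ACL, so define it first.
acl all src 0.0.0.0/0.0.0.0
# Replace with your own client range.
acl localnet src 192.168.0.0/16
# One domain per line, e.g. ".myspace.com" (leading dot matches subdomains).
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"
# One CIDR per line: the ARIN-derived ranges and the open-proxy ranges.
# "dst" compares the resolved destination address, so a request that
# names the IP directly is caught as well; it costs a DNS lookup per request.
acl blocked_nets dst "/etc/squid/blocked_nets.txt"
# One regex per line. url_regex tests the whole URL, query string included,
# so a CGI-style proxy that carries the real target in a parameter still matches.
acl proxy_urls url_regex -i "/etc/squid/proxy_patterns.txt"
# http_access lines are evaluated top down and the first match wins,
# so every deny has to come before the allow.
http_access deny blocked_domains
http_access deny blocked_nets
http_access deny proxy_urls
http_access allow localnet
http_access deny all
```

After editing a list file, run `squid -k reconfigure` so the new entries are loaded.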
Another option is Websense or SurfControl. They have proxy avoidance as a category to prevent walking around your blocked sites. You can either maintain lots of blocks yourself or “pay them” to surf, seek out, and properly classify them for you. It became a big problem for us as well and Websense seemed the most logical/cost effective solution.
Wayne