Comments on: how do I find the range of IPs belonging to a domain http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/ Fri, 25 May 2012 21:55:42 +0000 http://wordpress.org/?v=2.6.2 By: sonyfreek http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-38996 sonyfreek Mon, 01 May 2006 18:27:57 +0000 #comment-38996 Another option is Websense or SurfControl. They have proxy avoidance as a category to prevent walking around your blocked sites. You can either maintain lots of blocks yourself or "pay them" to surf, seek out, and properly classify them for you. It became a big problem for us as well and Websense seemed the most logical/cost effective solution. Wayne Another option is Websense or SurfControl. They have proxy avoidance as a category to prevent walking around your blocked sites. You can either maintain lots of blocks yourself or “pay them” to surf, seek out, and properly classify them for you. It became a big problem for us as well and Websense seemed the most logical/cost effective solution.

Wayne

]]> By: astronomer http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-38997 astronomer Mon, 01 May 2006 13:07:51 +0000 #comment-38997 Wayne: Up til now we have done blocking on our PIX. I started looking at squid for this just last week. We have an issue with myspace.com. Several instructors requested we block it because of the disruption it causes in the classrooms and library. Blocking the myspace ranges worked for a while. Now the determined students are using public proxies to bypass our rules. I started blocking public proxies. Finding the range really helps there. Now the problem is escalating. The out-going rules started out nearly empty but now have grown to larger than the incoming rules. I found some open proxy lists amounting to hundreds of addresses. This is completely unmanagable by the pix. I'm looking at building an open proxy block list for the squid and updating it when we get additional complaints. The domain option will help here. Another possibility I would like to try would involve regular expressions but I don't know quite where to begin. If squid can block the request going to the open proxy I wouldn't need a massive open proxy block list. That would be an elegant solution. The problem here is I don't expect the destination URL to be in the normal location. This is an area I know next to nothing about and would require significant investigation. This would be fun to track down but I question whether I can invest the required level of time. Given my other duties as network engineer, I may have to go with the blunderbus approach with the huge list. Eventually I expect to purchase one of those layer 7 filters. Hopefully it will know how to screen the public proxies. Thanks for pointing out the relevant instructions. I plan on using them. rt Wayne:
Up til now we have done blocking on our PIX. I started looking at squid for this just last week.
We have an issue with <a href="http://myspace.com" title="http://myspace. " target="_blank">myspace.com</a>. Several instructors requested we block it because of the disruption it causes in the classrooms and library.
Blocking the myspace ranges worked for a while. Now the determined students are using public proxies to bypass our rules. I started blocking public proxies. Finding the range really helps there. Now the problem is escalating. The out-going rules started out nearly empty but now have grown to larger than the incoming rules. I found some open proxy lists amounting to hundreds of addresses. This is completely unmanagable by the pix.
I’m looking at building an open proxy block list for the squid and updating it when we get additional complaints. The domain option will help here.
Another possibility I would like to try would involve regular expressions but I don’t know quite where to begin. If squid can block the request going to the open proxy I wouldn’t need a massive open proxy block list. That would be an elegant solution.
The problem here is I don’t expect the destination URL to be in the normal location. This is an area I know next to nothing about and would require significant investigation. This would be fun to track down but I question whether I can invest the required level of time. Given my other duties as network engineer, I may have to go with the blunderbus approach with the huge list.
Eventually I expect to purchase one of those layer 7 filters. Hopefully it will know how to screen the public proxies.
Thanks for pointing out the relevant instructions. I plan on using them.
rt

]]> By: sonyfreek http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-38998 sonyfreek Sat, 29 Apr 2006 23:22:32 +0000 #comment-38998 Astronomer, I think that you may be approaching this problem the wrong way. Instead of blocking the destination IP ranges, you should be blocking anything that attempts to connect to that domain. I don't know how you're setup, but if you have a proxy server between your users and the Internet, such as squid, you can set it to deny based on domain name, IP Address/Range, regular expressions (extremely cool), time, url regular expressions, ports, protocols, method, browser, user id, and the list goes on. In your case, you'd setup the following (domain based): ; Define ACLs acl deny_g dstdomain .google.com ; Match domain google.com acl deny_g_rex url_regex -i google ; Match regular expression, which is case insensitive ; Implement ACLs http_access deny deny_g ; Blocks access to google domain http_access deny deny_g_rex ; Blocks word google within the URL - case-insensitive Here's the only Squid book you'll ever need: http://squid.visolve.com/squid/squid24s1/access_controls.htm Wayne Astronomer,

I think that you may be approaching this problem the wrong way. Instead of blocking the destination IP ranges, you should be blocking anything that attempts to connect to that domain. I don’t know how you’re setup, but if you have a proxy server between your users and the Internet, such as squid, you can set it to deny based on domain name, IP Address/Range, regular expressions (extremely cool), time, url regular expressions, ports, protocols, method, browser, user id, and the list goes on. In your case, you’d setup the following (domain based):
; Define ACLs
acl deny_g dstdomain <a href="http://.google.com" title="http://.google. " target="_blank">.google.com</a> ; Match domain <a href="http://google.com" title="http://google. " target="_blank">google.com</a>
acl deny_g_rex url_regex -i google ; Match regular expression, which is case insensitive

; Implement ACLs
http_access deny deny_g ; Blocks access to google domain
http_access deny deny_g_rex ; Blocks word google within the URL - case-insensitive

Here’s the only Squid book you’ll ever need:
<a href="http://squid.visolve.com/squid/squid24s1/access_controls.htm" rel="nofollow">http://squid.visolve.com/squid/squid24s1/access_controls.htm</a>

Wayne

]]> By: astronomer http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-38999 astronomer Fri, 28 Apr 2006 13:53:49 +0000 #comment-38999 Thanks Joshua: That is how I did it the last time. When I stumbled across it the first time I didn't think about it as a special method. Now I know better. I'm going to write this down and tell my friends so I don't forget again. rt Thanks Joshua:
That is how I did it the last time. When I stumbled across it the first time I didn’t think about it as a special method. Now I know better. I’m going to write this down and tell my friends so I don’t forget again.
rt

]]> By: joshua2 http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-39000 joshua2 Fri, 28 Apr 2006 13:04:18 +0000 #comment-39000 To see their entire subnet, you take the IP address(es) from the nslookup (of their A record) and put that address into a Whois at www.arin.net. The results from arin will show the entire subnet. For instance: 1) A record on www.network-tools.com is 66.98.244.117 2) Arin.net whois for 66.98.244.117 shows a CIDR of 66.98.128.0/17. Go to www.dnsstuff.com or www.network-tools.com for some graphical lookup tools. To see their entire subnet, you take the IP address(es) from the nslookup (of their A record) and put that address into a Whois at <a href="http://www.arin.net" rel="nofollow">http://www.arin.net</a>. The results from arin will show the entire subnet. For instance:
1) A record on <a href="http://www.network-tools.com" rel="nofollow">http://www.network-tools.com</a> is 66.98.244.117
2) <a href="http://Arin.net" title="http://Arin. " target="_blank">Arin.net</a> whois for 66.98.244.117 shows a CIDR of 66.98.128.0/17.

Go to <a href="http://www.dnsstuff.com" rel="nofollow">http://www.dnsstuff.com</a> or <a href="http://www.network-tools.com" rel="nofollow">http://www.network-tools.com</a> for some graphical lookup tools.

]]> By: petkoa http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-39001 petkoa Fri, 28 Apr 2006 11:19:26 +0000 #comment-39001 Hi astronomer, You probably did this years ago when it was generally accepted to allow zone transfers without much fuss... You may use any of: host -l some.domain.name , dig -t axfr some.domain.name , or "ls some.domain.name" in the interactive shell of nslookup but odds that yol'll get an answer are tiny. BR and good luck, Petko Hi astronomer,

You probably did this years ago when it was generally accepted to allow zone transfers without much fuss… You may use any of:

host -l <a href="http://some.domain.name" title="http://some.domain. " target="_blank">some.domain.name</a> ,

dig -t axfr <a href="http://some.domain.name" title="http://some.domain. " target="_blank">some.domain.name</a> , or

“ls <a href="http://some.domain.name" title="http://some.domain. " target="_blank">some.domain.name</a>” in the interactive shell of nslookup

but odds that yol’ll get an answer are tiny.

BR and good luck,

Petko

]]> By: rjournitz574 http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-39002 rjournitz574 Thu, 27 Apr 2006 17:26:18 +0000 #comment-39002 Hi: I am not sure if this will get all of what you need but you could try to do a DNS lookup from the command line for example nslookup myspace.com returned 4 address spaces as follows 63.208.226.43, 63.208.226.40, 63.208.226.41, 63.208.226.42. You could pipe the return information into a log file that you can then parse for whatever use you may need. Let us know if this works for you. RWJ Hi:

I am not sure if this will get all of what you need but you could try to do a DNS lookup from the command line for example

nslookup <a href="http://myspace.com" title="http://myspace. " target="_blank">myspace.com</a>

returned 4 address spaces as follows

63.208.226.43, 63.208.226.40, 63.208.226.41, 63.208.226.42.

You could pipe the return information into a log file that you can then parse for whatever use you may need.

Let us know if this works for you.

RWJ

]]> By: astronomer http://itknowledgeexchange.techtarget.com/itanswers/how-do-i-find-the-range-of-ips-belonging-to-a-domain/#comment-39003 astronomer Thu, 27 Apr 2006 17:00:20 +0000 #comment-39003 I did it before. I was able to discover that a certain domain was linked to two independant class C nets and a group of four contiguous class Cs. The really irritating thing is I don't remember where I went to get this information. rt I did it before. I was able to discover that a certain domain was linked to two independant class C nets and a group of four contiguous class Cs.
The really irritating thing is I don’t remember where I went to get this information.
rt

]]>