Apache Security - Ivan Ristic [167]

    20923 IN NS ns.oreilly.com.

    ;; ADDITIONAL SECTION:
    ns1.sonic.net. 105840 IN A 208.201.224.11
    ns2.sonic.net. 105840 IN A 208.201.224.33
    ns.oreilly.com. 79648 IN A 209.204.146.21
    smtp2.oreilly.com. 21011 IN A 209.58.173.10

    ;; Query time: 2 msec
    ;; SERVER: 217.160.182.251#53(217.160.182.251)
    ;; WHEN: Wed Jun 2 15:54:00 2004
    ;; MSG SIZE rcvd: 262

This type of query reveals basic information about a domain name, such as the name servers and the mail servers. We can gather more information by asking a specific question (e.g., "What is the address of the web site?"):

    $ dig www.oreilly.com

    ;; QUESTION SECTION:
    ;www.oreilly.com. IN A

    ;; ANSWER SECTION:
    www.oreilly.com. 20269 IN A 208.201.239.36
    www.oreilly.com. 20269 IN A 208.201.239.37

The dig tool converts IP addresses into names when the -x option is used:

    $ dig -x 208.201.239.36

    ;; QUESTION SECTION:
    ;36.239.201.208.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    36.239.201.208.in-addr.arpa. 86381 IN PTR www.oreillynet.com.

You can see that a reverse query on the IP address obtained by looking up the domain name oreilly.com gave us a whole new domain name.

A zone transfer is a service where all the information about a particular domain name is transferred from a domain name server. Such services are handy because of the wealth of information they provide. For the same reason, access to a zone transfer service is often restricted. Zone transfers are generally not used for normal DNS operation, so requests for zone transfers are sometimes logged and treated as signs of preparation for intrusion.
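The logging point above can be turned into a simple check on the name server's own logs. The following is an added example, not code from the book: it assumes BIND 9 style log messages (the exact format varies by version and logging configuration), a hypothetical allow-list of secondary servers, and constructed sample log lines.

```python
import re
from collections import Counter

# Assumed BIND 9 style messages; adjust the pattern to your server's format.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"(?:zone transfer '(?P<z1>[^/']+)/(?:AXFR|IXFR)/IN' denied"
    r"|transfer of '(?P<z2>[^/']+)/IN': (?:AXFR|IXFR) started)"
)

# Hypothetical allow-list: the secondaries permitted to transfer zones.
ALLOWED_SECONDARIES = {"192.0.2.53"}

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
02-Jun-2004 15:54:00.101 client 198.51.100.7#40112 (example.com): zone transfer 'example.com/AXFR/IN' denied
02-Jun-2004 15:54:02.332 client 192.0.2.53#51200 (example.com): transfer of 'example.com/IN': AXFR started
02-Jun-2004 15:54:05.900 client 198.51.100.7#40115 (example.org): zone transfer 'example.org/AXFR/IN' denied
02-Jun-2004 15:55:11.004 client 203.0.113.9#33871 (example.com): transfer of 'example.com/IN': AXFR started
02-Jun-2004 15:55:12.400 client 203.0.113.20#1055 (www.example.com): query: www.example.com IN A +
"""

def find_transfer_events(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (ip, zone, outcome) for each transfer request that did not
    come from an approved secondary. Outcome is 'denied' or 'started'."""
    events = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m or m.group("ip") in allowed:
            continue  # not a transfer message, or an expected secondary
        if m.group("z1"):
            events.append((m.group("ip"), m.group("z1"), "denied"))
        else:
            # A transfer that started for an unknown host means the
            # restriction on the zone is missing or too broad.
            events.append((m.group("ip"), m.group("z2"), "started"))
    return events

def summarize(events):
    """Count transfer attempts per source address."""
    return Counter(ip for ip, _, _ in events)

if __name__ == "__main__":
    found = find_transfer_events(SAMPLE_LOG)
    for ip, zone, outcome in found:
        print(f"{ip} requested transfer of {zone}: {outcome}")
    print(dict(summarize(found)))
```

A "started" event from a host outside the allow-list deserves attention first, since it means the zone contents were actually handed out.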

* * *

Tip


If you have an address range, you can gather information similar to that of a zone transfer by performing a reverse lookup on every individual IP address.

* * *

Regional Internet Registries

You have probably discovered several IP addresses by now. IP addresses are not sold; they are assigned to organizations by bodies known as Regional Internet Registries (RIRs). The information kept by RIRs is publicly available. Four registries cover address allocation across the globe:

APNIC

Asia-Pacific Network Information Center (http://www.apnic.net)

ARIN

American Registry for Internet Numbers (http://www.arin.net)

LACNIC

Latin American and Caribbean Internet Address Registry (http://www.lacnic.net)

RIPE NCC

RIPE Network Coordination Centre (http://www.ripe.net)

Registries do not work with end users directly. Instead, they delegate large blocks of addresses to providers, who delegate smaller chunks further. In effect, an address can be assigned to multiple parties. In theory, every IP address should be associated with the organization using it. In real life, Internet providers may not update the IP address database. The best you can do is to determine the connectivity provider of an organization.

IP assignment data can be retrieved from any active whois server, and different servers can give different results. In the case below, I just guessed that whois.sonic.net exists. This is what we get for one of O'Reilly's IP addresses:

    $ whois -h whois.sonic.net 209.204.146.21
    [Querying whois.sonic.net]
    [whois.sonic.net]
    You asked for 209.204.146.21
    network:Class-Name:network
    network:Auth-Area:127.0.0.1/32
    network:ID:NETBLK-SONIC-209-204-146-0.127.0.0.1/32
    network:Handle:NETBLK-SONIC-209-204-146-0
    network:Network-Name:SONIC-209-204-146-0
    network:IP-Network:209.204.146.0/24
    network:IP-Network-Block:209.204.146.0 - 209.204.146.255
    network:Org-Name:John Irwin
    network:Email:ora@sonic.net
    network:Tech-Contact;Role:SACC-ORA-SONIC.127.0.0.1/32

    network:Class-Name:network
    network:Auth-Area:127.0.0.1/32
    network:ID:NETBLK-SONIC-209-204-128-0.127.0.0.1/32
    network:Handle:NETBLK-SONIC-209-204-128-0
    network:Network-Name:SONIC-209-204-128-0
    network:IP-Network:209.204.128.0/18
    network:IP-Network-Block:209.204.128.0 - 209.204.191.255
    network:Org-Name:Sonic Hostmaster
    network:Email:ipowner@sonic.net
    network:Tech-Contact;Role:SACC-IPOWNER-SONIC.127.0.0.1/32

Search engines

Search engines have become a real
