1

I was reading through No Starch's Metasploit book when I came across a segment which showed the results of running the 'whois' command on a hostname and then on its corresponding IP, only to yield different results.

> whois secmaniac.net
[*] exec: whois secmaniac.net
Registered through: GoDaddy.com
Domain Name: SECMANIAC.NET
Created on:.. ..

Then, using Netcraft, the IP for this domain was found.

> whois 75.118.185.142
[*] exec: whois 75.118.185.142
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1) 75.118.184.0 - 75.118.191.255

How exactly do these two yield different results? If my understanding is correct, hostnames and IPs are two sides of the same coin with the DNS server playing Harvey Dent.

schroeder
Izy-
    `whois` looks up details of who owns a given domain name or IP address. That doesn't necessarily correspond to who is using it: for example, `46.137.192.1` belongs to Amazon, but could be used by potentially any AWS client at a given time. – Matthew Dec 14 '17 at 16:27
  • It is not clear for me how this question relates to information security. And why the OP has added a `metasploit` tag to this question (I've removed it). – Steffen Ullrich Dec 14 '17 at 16:31

4 Answers

3

This is normal. The ownership of most domains will not match the IP addresses they point to. Where they will "match" is for ISPs and very large organisations. They will generally not match for small companies and personal domains.

The reason for this is that ISPs and very large organisations will actually own their IP addresses but smaller companies generally rent them from an ISP. This is by no means guaranteed. Even large organisations can still rent thousands of IP addresses from another company.

Although I own my domain, I point it at an IP address that is owned by Amazon. Stackexchange points their domains at IP addresses owned by Fastly.

IP addresses can exist and be owned even if there are no domains pointing to them. Domains can point to IP addresses that don't exist or even IP addresses that can't be owned, such as 127.0.0.1. Domains can point to multiple IP addresses.

In addition to all of this, the definition of "matching" is not clear. Even when a company owns both the domains and the IP addresses, the record returned by a whois command is still different and requires a bit of intelligent fuzzy matching to determine that it represents the same entity. For instance Amazon:

whois of the domain:

Domain Name: AMAZON.COM
Registry Domain ID: 281209_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-04-30T19:24:35Z
Creation Date: 1994-11-01T05:00:00Z
Registry Expiry Date: 2022-10-31T04:00:00Z
Registrar: MarkMonitor Inc.  
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740

whois of one of their IP addresses:

OrgName:        Amazon.com, Inc.
OrgId:          AMAZON-4
Address:        1918 8th Ave
City:           SEATTLE
StateProv:      WA
PostalCode:     98101-1244
Country:        US
RegDate:        1995-01-23
Updated:        2017-01-28
Ref:            https://whois.arin.net/rest/org/AMAZON-4

And Google: whois of google.com:

Domain Name: GOOGLE.COM
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2011-07-20T16:55:31Z
Creation Date: 1997-09-15T04:00:00Z
Registry Expiry Date: 2020-09-14T04:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740

whois of a Google IP address:

NetRange:       172.217.0.0 - 172.217.255.255
CIDR:           172.217.0.0/16
NetName:        GOOGLE
NetHandle:      NET-172-217-0-0-1
Parent:         NET172 (NET-172-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
RegDate:        2012-04-16
Updated:        2012-04-16
Ref:            https://whois.arin.net/rest/net/NET-172-217-0-0-1

Even the fields are not consistent across different whois servers. Amazon sends OrgName while Google sends Organization.

They may not even be consistent within a single organisation. This is owned by Facebook:

NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
NetName:        TFBNET3
NetHandle:      NET-69-171-224-0-1
Parent:         NET69 (NET-69-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc. (THEFA-3)
RegDate:        2010-08-05
Updated:        2012-02-24
Ref:            https://whois.arin.net/rest/net/NET-69-171-224-0-1
OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            https://whois.arin.net/rest/org/THEFA-3

This is also owned by Facebook:

inet6num:       2a03:2880::/29
netname:        IE-FACEBOOK-201100822
country:        IE
org:            ORG-FIL7-RIPE
admin-c:        RD4299-RIPE
tech-c:         RD4299-RIPE
status:         ALLOCATED-BY-RIR
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      fb-neteng
mnt-routes:     fb-neteng
created:        2015-09-24T12:59:37Z
last-modified:  2016-04-14T10:48:51Z
source:         RIPE # Filtered
organisation:   ORG-FIL7-RIPE
org-name:       Facebook Ireland Ltd
org-type:       LIR
address:        4 GRAND CANAL SQUARE ,
                GRAND CANAL HARBOUR ,
address:        D2
address:        Dublin
address:        IRELAND
phone:          +0016505434800
fax-no:         +0016505435325
admin-c:        PH4972-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        fb-neteng
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        RD4299-RIPE
created:        2011-04-07T13:16:29Z
last-modified:  2017-10-30T14:51:29Z
source:         RIPE # Filtered
Ladadadada
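The answer above shows that the three registries (a registrar for the domain, ARIN and RIPE for the addresses) name the responsible organisation under different keys, and that even then the names only match after some fuzzy comparison. The following script is an added example, not code from the answer or from any registry: it parses `key: value` whois output (including RIPE continuation lines and `# Filtered` markers), picks the organisation field whichever name the registry used, and applies a token-based match. The key mapping in `ORG_KEYS`, the legal-suffix stop list and the "brand label of the domain versus organisation of the IP block" heuristic are assumptions of this example; the sample records are excerpts of the ones quoted above, except `WOW_CONSTRUCTED`, which is written in ARIN style from the question's output and is not real whois output.

```python
"""Normalise whois records from different registries and compare organisations."""
from __future__ import annotations
import re

# Excerpts of the records quoted in the answer above (ARIN org object, ARIN net
# object, RIPE object, registrar domain record). WOW_CONSTRUCTED is a made-up
# ARIN-style line built from the question's output, not a real whois reply.
ARIN_AMAZON = """\
OrgName:        Amazon.com, Inc.
OrgId:          AMAZON-4
City:           SEATTLE
Ref:            https://whois.arin.net/rest/org/AMAZON-4
"""
ARIN_GOOGLE = """\
NetRange:       172.217.0.0 - 172.217.255.255
CIDR:           172.217.0.0/16
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
"""
RIPE_FACEBOOK = """\
inet6num:       2a03:2880::/29
org:            ORG-FIL7-RIPE
organisation:   ORG-FIL7-RIPE
org-name:       Facebook Ireland Ltd
address:        4 GRAND CANAL SQUARE ,
                GRAND CANAL HARBOUR ,
address:        Dublin
source:         RIPE # Filtered
"""
DOMAIN_AMAZON = """\
Domain Name: AMAZON.COM
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Registrar: MarkMonitor Inc.
"""
WOW_CONSTRUCTED = "OrgName:        WideOpenWest Finance LLC\n"

# Keys under which the registries seen above name the responsible organisation
# (assumption for this example). "registrar" is deliberately absent: the
# registrar is not the registrant.
ORG_KEYS = ("organization", "orgname", "org-name", "registrant organization")
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?):\s*(.*)$")
STOP = {"inc", "llc", "ltd", "corp", "corporation", "company", "co", "the"}


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse 'key: value' output into lower-cased key -> list of values.

    Keys repeat (RIPE 'address:'), so every key maps to a list. Indented lines
    without a colon continue the previous value; '# Filtered' tails are dropped.
    """
    fields: dict[str, list[str]] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("%", "#")):
            continue                                  # blank lines, server comments
        m = KEY_VALUE.match(raw)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            value = value.split(" #", 1)[0].strip()   # "RIPE # Filtered" -> "RIPE"
            fields.setdefault(key, []).append(value)
            last_key = key
        elif last_key and raw[:1].isspace():
            fields[last_key][-1] = (fields[last_key][-1] + " " + raw.strip()).strip()
    return fields


def organisation(fields: dict[str, list[str]]) -> str | None:
    """First organisation-like value, whichever key the registry used."""
    for key in ORG_KEYS:
        if key in fields:
            return fields[key][0]
    return None


def org_tokens(name: str) -> set[str]:
    """Lower-case word set without legal suffixes or handles such as '(GOGL)'."""
    name = re.sub(r"\(.*?\)", " ", name.lower())
    return {t for t in re.findall(r"[a-z0-9]+", name) if t not in STOP}


def same_entity(a: str, b: str) -> bool:
    """Fuzzy match: the smaller token set must be contained in the larger one,
    so 'Facebook, Inc.' and 'Facebook Ireland Ltd' count as one entity."""
    ta, tb = org_tokens(a), org_tokens(b)
    if not ta or not tb:
        return False
    small, large = sorted((ta, tb), key=len)
    return small <= large


def domain_matches_ip_org(domain: str, ip_whois: str) -> bool:
    """Heuristic: compare the domain's second-level label with the organisation
    named in the IP block's record (assumption: that label carries the brand)."""
    org = organisation(parse_whois(ip_whois))
    label = domain.lower().strip(".").split(".")[0]
    return org is not None and same_entity(label, org)


if __name__ == "__main__":
    for rec in (ARIN_AMAZON, ARIN_GOOGLE, RIPE_FACEBOOK, DOMAIN_AMAZON):
        print("organisation:", organisation(parse_whois(rec)))
    print("google.com vs Google block:", domain_matches_ip_org("google.com", ARIN_GOOGLE))
    print("secmaniac.net vs WOW block:", domain_matches_ip_org("secmaniac.net", WOW_CONSTRUCTED))
```

Running it shows the point of the answer: the registrar record for amazon.com names no organisation at all (only the registrar, MarkMonitor), the RIPE object uses `org-name` where ARIN uses `OrgName` or `Organization`, and the question's secmaniac.net block resolves to WideOpenWest, which no amount of fuzzy matching ties to the domain.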
1

hostnames and IPs are two sides of the same coin

No they are not.

In this context a hostname is simply a published label associated with an IP address (it has different semantics to an HTTP aware device, and to a host itself). There is nothing to stop my adding an A record to a domain I own referencing 75.118.185.142. The only relevant constraint is that I can't register SECMANIAC.NET because that already belongs to someone else. If I were being naughty, I could set up a DNS server with a zone for SECMANIAC.NET - but nobody should refer any DNS queries to it.

OTOH, IP addresses have a specific constraint that they are (to some extent) routable - i.e. tied to a physical location.

This is why A records rarely match up with PTR records except for large scale organizations.

symcbean
1

You are basically querying two different databases run by different organizations, so there is almost never a chance things will be synchronized, since the registrations in both databases are also not done at the same time.

It just happens that you can use the same tool and protocol to do both queries, but they are completely unrelated, as is the data returned.

When you do a whois with a domain name you are querying a domain name registry, also known as a TLD registry, getting its authoritative status on domain names in a given TLD per delegation from the root DNS, which involves both technical and non-technical operations. See the IANA website at https://www.iana.org/domains/root/db for the current list of them and note that each page has a link to their specific whois server (whois is a very poorly defined protocol with no (standard) service to discover the appropriate server nor to switch from one to another in case of thin registries).

When you do a whois query, by default, with an IP address you are querying an IP Registry, also called a RIR, of which there are very few (see https://en.wikipedia.org/wiki/Regional_Internet_registry), whereas there are hundreds of domain name registries. In the result you will see who this block is allocated to, if anyone.

Registration policies in both cases, as well as eligibility requirements or control on data provided, are very different between the above two worlds. Where anyone can buy (actually more like rent) a domain name and just keep it without any kind of active service on it, it is not so simple to buy IP addresses/blocks. In the latter case you often have to prove your usage beforehand, because the IP address space is a far more constrained one (at least before IPv6) than the domain name one.

I said by default above because you can technically do a whois query with an IP towards a domain name registry (but you will need to add a flag to your whois client to target the specific domain name registry whois, as by default they query the RIRs). In that case, depending on the registry, you may get back as a reply the list of nameservers registered at this given registry and having the given IP recorded with them. See the example in the section "Nameserver Data:" on https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en (so this in fact mostly applies to gTLD registries which are using hosts as objects and not attributes in EPP jargon).

Patrick Mevzek
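The answer above makes two points that are easy to see in code: the whois protocol itself is trivial and has no server discovery, so the client has to decide from the shape of the query which database to ask and then follow whatever referral lines the reply happens to contain. The script below is an added example, not code from the answer or from any whois implementation. It implements the RFC 3912 exchange (TCP port 43, query plus CRLF, read to EOF), classifies the query as an IP block or a domain, starts at `whois.iana.org` and follows `refer:`/`whois:` (IANA), `ReferralServer:` (ARIN) and `Registrar WHOIS Server:` (thin registries such as .com) referrals. It assumes those field names and that IANA answers for both TLDs and addresses; `whois.verisign-grs.com` and `whois.arin.net` are real servers, but the reply bodies in `CANNED` are constructed stand-ins so the example runs offline (pass `fetch=whois_once` to use the network).

```python
"""Minimal RFC 3912 whois client that routes a query to the right database."""
from __future__ import annotations
import ipaddress
import re
import socket

IANA = "whois.iana.org"      # assumption: IANA's whois refers both TLDs and IPs onward
PORT = 43                    # RFC 3912 whois port
# Referral fields (assumed names): "refer:"/"whois:" from IANA, "ReferralServer:"
# from ARIN, "Registrar WHOIS Server:" from thin gTLD registries (see the
# amazon.com record quoted in the first answer).
REFERRAL = re.compile(
    r"^(?:refer|whois|ReferralServer|Registrar WHOIS Server):\s*(\S+)", re.I | re.M)


def classify(query: str) -> str:
    """'ip' for an IPv4/IPv6 address or CIDR block, 'domain' for anything else."""
    try:
        ipaddress.ip_network(query, strict=False)
        return "ip"
    except ValueError:
        return "domain"


def first_query(query: str) -> str:
    """IANA is asked for the TLD of a domain, but for the address itself."""
    return query if classify(query) == "ip" else query.rstrip(".").rsplit(".", 1)[-1]


def next_server(response: str, current: str) -> str | None:
    """Host named by the first referral line; None if there is none, if it points
    back at the server we just asked, or if it uses another protocol (rwhois://)."""
    m = REFERRAL.search(response)
    if not m:
        return None
    host = m.group(1).strip().lower()
    if host.startswith("whois://"):
        host = host[len("whois://"):]
    host = host.rstrip("/")
    if "://" in host or host == current.lower():
        return None
    return host


def whois_once(server: str, query: str, timeout: float = 10.0) -> str:
    """One RFC 3912 exchange: connect to TCP/43, send query + CRLF, read to EOF."""
    with socket.create_connection((server, PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def lookup(query: str, fetch=whois_once, max_hops: int = 4) -> list[tuple[str, str]]:
    """Return [(server, response), ...] for every hop, starting at IANA."""
    server, q, trail = IANA, first_query(query), []
    for _ in range(max_hops):
        response = fetch(server, q)
        trail.append((server, response))
        nxt = next_server(response, server)
        if nxt is None:
            break
        server, q = nxt, query        # every server after IANA gets the full query
    return trail


# Constructed replies so the example runs offline. The server names are real;
# the bodies are abbreviated stand-ins, with the registry/registrar lines taken
# from the amazon.com record quoted in the first answer.
CANNED = {
    ("whois.iana.org", "com"): "refer:        whois.verisign-grs.com\n",
    ("whois.verisign-grs.com", "amazon.com"):
        "Domain Name: AMAZON.COM\nRegistrar WHOIS Server: whois.markmonitor.com\n",
    ("whois.markmonitor.com", "amazon.com"):
        "Domain Name: amazon.com\nRegistrar WHOIS Server: whois.markmonitor.com\n"
        "Registrar: MarkMonitor Inc.\n",
    ("whois.iana.org", "75.118.185.142"): "refer:        whois.arin.net\n",
    ("whois.arin.net", "75.118.185.142"):
        "NetRange:       75.118.0.0 - 75.118.255.255\nOrgName:        WideOpenWest Finance LLC\n",
}


def canned_fetch(server: str, query: str) -> str:
    return CANNED[(server, query)]


def servers_consulted(query: str, fetch=canned_fetch) -> list[str]:
    """Just the chain of servers, which is what differs between the two lookups."""
    return [server for server, _ in lookup(query, fetch)]


if __name__ == "__main__":
    for q in ("amazon.com", "75.118.185.142"):
        print(q, "->", " -> ".join(servers_consulted(q)))
```

The domain query walks IANA, the .com registry and then the registrar; the address query walks IANA and then the RIR and stops. Nothing in the protocol links the two chains, which is why the same tool produces unrelated records for a name and the address it resolves to.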
0

While one particular host name and one particular IP-address may belong to the same host, there are two different name spaces at play, with different entities who "own" (or are responsible for) those addresses.

DNS

When you register a domain you own it, you are responsible for it, you can assign/create sub-domains and hostnames. But those are just names - no IP-addresses provided.

IP

To make any host accessible you have to give it an IP-address and "everybody" on the internet must know what paths to use to access it. So you must obtain that address from someone who provides connectivity. Here we have just IP-addresses, no names are necessary.

guntbert