23

Not on purpose, I did a reverse IP address lookup on my site, and it shows that there are three other websites hosted on my server, and now I'm worried.

My web is arturofm.com, and here is the lookup:

https://reverseip.domaintools.com/search/?q=arturofm.com

It says:

Reverse IP Lookup Results — more than 3 domains hosted on IP address 104.27.182.86

What does that mean? That I've been hacked? Or that Amazon AWS uses the same IP address to serve multiple domains?

curiousguy
Arturo
  • `PTR` records in the DNS have little use (except for emails), so their value can be mostly disregarded. A website will function perfectly even if there are no matching PTR records (from its IP back to its name). In a world with multiple CDNs and cloud hosting it is just impossible to imagine PTR records to be in sync. Also many applications may not support multiple PTR records for a given IP address. – Patrick Mevzek Sep 06 '19 at 19:35
  • 1
    The tool linked in the question apparently does not use reverse IP lookup (e.g., there is no PTR RR for 86.182.27.104.in-addr.arpa). Its "patented" method also seems quite unreliable: I fed it with a hostname whose forward (and matching reverse) DNS has pointed to the same address for about a year, but the results shown were for the IP from an A record that the domain one level higher had in the past, but that has been changed recently (and its old TTL long expired). – Hagen von Eitzen Sep 07 '19 at 17:26
  • 1
    Btw: [tag:ipv6] was invented decades ago to avoid these problems. – Martin Schröder Sep 08 '19 at 15:49
  • 2
    Even single web server process can handle multiple domains through the HTTP header `Host`. – md2perpe Sep 08 '19 at 20:24
  • Yeah I've hosted 6 domains on my home server before, no problems – FreeSoftwareServers Sep 09 '19 at 08:02

4 Answers

69

This is not a sign of a problem for your server. There's an important detail here, which is:

104.27.182.86 is not your server. That IP belongs to cloudflare.

Cloudflare provides a large number of services to websites and sits in between the public internet and a server. Someone who uses Cloudflare doesn't point their DNS to their own server - they point their DNS to Cloudflare, and then point Cloudflare to their server. As a result, millions of websites point to Cloudflare's IP addresses. Because they service more websites than they have IP addresses, they often direct multiple websites to the same IP address.

Apparently you use Cloudflare, and so the DNS for your domain points to them, not to your own IP address. When your Cloudflare account was set up, you (or whoever set it up) would have pointed Cloudflare to the actual IP address of your server. You can confirm this in two ways:

  1. Here is the list of IP addresses owned by Cloudflare. If you are unfamiliar with CIDR notation, the line which says 104.16.0.0/12 is of interest to you, as it includes all IPs from 104.16.0.0 to 104.31.255.255. AKA, 104.27.182.86 is owned by Cloudflare, not AWS.
  2. If you check your Elastic IP in AWS, you'll see that it is something other than 104.27.182.86. Only Cloudflare knows the actual IP of your server - this is one of the advantages it provides, and one of the reasons why people use it. Cloudflare sits in the middle so that the person requesting to view your website never communicates directly with your server. In this way, Cloudflare is able to protect your server from a wide variety of attacks.

Additional Notes

The above details should make it clear that this is not evidence that you have been compromised. However, here are some more related details for future reference:

  1. Shared hosting sites will have multiple domains served from one IP address. However, to the best of my knowledge, AWS does not offer such services. If you sign up for a VPS directly from AWS, you should expect to be the only one hosting any services on the given IP address.
  2. Therefore, if you discovered that the DNS for other domains was pointing to the IP address of your VPS on AWS, and confirmed that the sites in question are actually being hosted on that IP address, then yes this would be a sign that your site had been hacked.
  3. Fortunately, 104.27.182.86 is not the IP address of your server :)
Conor Mancone
  • 3
    This should be the accepted answer because it answers the question that was asked. – Criggie Sep 07 '19 at 09:06
  • Another good example of this is Google Firebase Hosting; when you go to add a custom domain, it tells you to set your A record to point to two specific IP addresses. Those IP addresses are the same for everyone, for every one of their projects, for every one of their domains. You can't visit the IP address directly and access a website; you get a "site not found" error message. – Herohtar Sep 08 '19 at 06:19
  • Good explanation, I really like the part about comparing the IP he found via the lookup and the AWS console's elastic IP. This proves beyond a doubt it has nothing to do with AWS really. – FreeSoftwareServers Sep 09 '19 at 11:47
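The two checks in the answer above, carried out in Python as an added example (this is not code from the answer or from Cloudflare): it tests whether the address your DNS returns sits in a known Cloudflare block, builds the in-addr.arpa name a genuine reverse (PTR) lookup would query, and compares the DNS address with the origin address you read off the AWS console. Only the 104.16.0.0/12 block the answer cites is embedded so the script runs offline; the full list is published by Cloudflare at https://www.cloudflare.com/ips/, and the loader below assumes it is one CIDR per line. The origin address 203.0.113.10 is a constructed placeholder from a documentation range, not the real Elastic IP.

```python
import ipaddress

# Cloudflare's full address list is published at https://www.cloudflare.com/ips/ ;
# only the block cited in the answer is embedded here so this runs offline.
CLOUDFLARE_V4 = [ipaddress.ip_network("104.16.0.0/12")]

# Constructed stand-in for the Elastic IP shown in the AWS console
# (203.0.113.0/24 is a documentation range, not a real server).
ORIGIN_IP = "203.0.113.10"


def parse_cidr_list(text):
    """Turn a one-CIDR-per-line text (the assumed shape of the published list)
    into network objects, skipping blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def containing_block(ip, ranges=CLOUDFLARE_V4):
    """Return the CIDR block in `ranges` that contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for net in ranges:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def ptr_name(ip):
    """The in-addr.arpa / ip6.arpa name a real reverse lookup queries.
    (The tool in the question does not appear to use this at all.)"""
    return ipaddress.ip_address(ip).reverse_pointer


def classify(dns_ip, origin_ip=ORIGIN_IP, ranges=CLOUDFLARE_V4):
    """'proxied' : DNS points at a known CDN block, shared tenancy is expected
       'direct'  : DNS points straight at your own origin
       'unknown' : neither, which is the case worth investigating"""
    if containing_block(dns_ip, ranges):
        return "proxied"
    if ipaddress.ip_address(dns_ip) == ipaddress.ip_address(origin_ip):
        return "direct"
    return "unknown"


if __name__ == "__main__":
    for ip in ("104.27.182.86", ORIGIN_IP, "198.51.100.7"):
        print(ip, classify(ip), containing_block(ip), ptr_name(ip))
```

Only the "unknown" outcome deserves follow-up: a DNS answer that is neither your origin nor a proxy range you recognise means someone else controls where your name resolves, which is a different problem from other tenants sharing a CDN address.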
32

This is perfectly normal. There is a big shortage of IPv4 addresses. In fact, we should have run out of them a long time ago. But since so much infrastructure is based on IPv4, it keeps getting "extended" in many ways. One of them, which has actually been around for a very long time, is to host multiple domains on a single server with a single IP address.

A typical inexpensive shared hosting account will share a server, and an IP address, with dozens, even hundreds of other small hosting accounts. A VPS (virtual private server) or similar account might be one of a handful on a server, though each VPS may in turn host many domains.

AWS is a little different in that you pay for fairly clearly defined amounts of hardware (CPU cores, RAM, etc.), but except for the largest instances you are still using only a fraction of an actual machine.

It is often possible to get a truly unique IPv4 address. With AWS, this is Elastic IP. Other hosting companies may have other names for it. For example, my favorite host used to offer separate IP addresses for a small fee to use with SSL certificates. There is no problem these days getting SSL certificates with a shared IPv4 address, so I use the shared IPv4 address and don't worry about it.

In the case of AWS, the big advantage of an Elastic IP is not, IMHO, that you have the IP address to yourself. Rather, it is that the IP address is constant even when you restart an instance or if you move your domain to a different (e.g., larger) instance. That can save some hassle with DNS changes.

Peter Mortensen
  • 3
    thank you guys I was worried for a second. I knew about the IPv4 but didn't think my server had one, I thought it was only the storage. Btw, I do have an elastic IP – Arturo Sep 06 '19 at 02:42
  • 5
    There is some info here that is wrong. In particular, while it is true that you can have more than one VPS running on one physical machine, each VPS will have its own IP address. Similarly, Elastic IP's have nothing to do with getting the IP to yourself. Any IP address assigned to you by AWS will only be used by yourself. An Elastic IP is simply an IP address that is fixed to your account, and won't be reassigned to someone else if your service shuts down/restarts. – Conor Mancone Sep 06 '19 at 04:01
  • 9
    VPS does not necessarily have its own IP. Some cheap hosting providers will only forward a few ports. HTTP isn't the only use case; they are commonly used for gaming, VPN. – domen Sep 06 '19 at 07:00
  • 1
    "One of them, which has actually been around for a very long time, is to host multiple domains on a single server with a single IP address." This was the Killer Feature of the Apache webserver back in the late 90s. If you used IIS or the Netscape webserver it was one IP to one domain name. Early versions of Apache (in the 1.3.x branch IIRC) added the ability to have what are now called name based virtual hosts. – ivanivan Sep 08 '19 at 14:31
  • How about NAT too! That saved a lot of IPv4 – FreeSoftwareServers Sep 09 '19 at 08:03
  • @FreeSoftwareServers: Not for servers. NAT is specifically for clients. – MSalters Sep 09 '19 at 08:40
  • @MSalters I was referring to how NAT helped with the shortage of IPv4 addresses, which this answer discusses. Also, I have no idea what you mean about servers vs clients; an IP address doesn't care what device is on the other end. https://en.wikipedia.org/wiki/Network_address_translation – FreeSoftwareServers Sep 09 '19 at 11:41
6

Looks like you just found out how a load balancer inside a CDN with SNI works.

You can also check other hosts (SANs) behind this particular CDN with OpenSSL, like so:

echo | openssl s_client -showcerts -servername arturofm.com -connect arturofm.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

...or you can use your browser's certificate viewer:

Certificate details

mjoao
  • 1
    The content of the certificate is unrelated to the DNS PTR records. – Patrick Mevzek Sep 06 '19 at 19:33
  • 1
    The certificate from Cloudflare shows very good how many domains they host on this ip (unlike the ptr record) – eckes Sep 06 '19 at 23:49
  • 1
    @eckes no it doesn't - this same certificate may be used with many IP addresses – OrangeDog Sep 07 '19 at 22:06
  • 1
    @eckes and the certificate to be served may be selected based on SNI/ESNI data as well. You can even have different certificates for the same SAN/CN (for example, if you have multiple servers with SSL termination at the server instead of a front-end load balancer of some kind). There is no longer any one-to-one mapping between hostnames, IP addresses, and certificates. – user Sep 08 '19 at 19:55
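Pulling the SAN list out of the `openssl x509 -text` output the answer above produces, as an added Python example that is not part of the answer. The certificate text embedded below is constructed (example.com names and a documentation-range IP), not the real arturofm.com certificate, and the parser assumes OpenSSL's usual layout of the SAN extension: a header line followed by more-indented lines of comma-separated `type:value` entries. It also includes the hostname match a client performs against those names, so you can see which of the listed names a given host actually falls under.

```python
# Constructed sample of `openssl x509 -noout -text` output; only the parts
# relevant to the SAN extension are present.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:*.example.com, DNS:sni.example.net, IP Address:203.0.113.5
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def _indent(line):
    return len(line) - len(line.lstrip())


def parse_sans(x509_text):
    """Return the SAN entries as (type, value) pairs, e.g. ('DNS', 'example.com').
    Continuation lines are recognised by being indented deeper than the header."""
    lines = x509_text.splitlines()
    sans = []
    for i, line in enumerate(lines):
        if "Subject Alternative Name" not in line:
            continue
        header_indent = _indent(line)
        for cont in lines[i + 1:]:
            if not cont.strip() or _indent(cont) <= header_indent:
                break
            for entry in cont.strip().split(","):
                # partition on the first ':' only, so IPv6 values stay intact
                kind, _, value = entry.strip().partition(":")
                sans.append((kind, value))
        break
    return sans


def dns_names(sans):
    return [value for kind, value in sans if kind == "DNS"]


def hostname_matches(hostname, pattern):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    suffix = pat[1:]                     # '.example.com'
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]
    return bool(left) and "." not in left


def covered_by(hostname, sans):
    """True if any DNS SAN in the certificate covers `hostname`."""
    return any(hostname_matches(hostname, p) for p in dns_names(sans))


if __name__ == "__main__":
    sans = parse_sans(SAMPLE_X509_TEXT)
    print(sans)
    for h in ("www.example.com", "a.b.example.com", "example.net"):
        print(h, covered_by(h, sans))
```

As the comments point out, the names you get this way tell you which hostnames the CDN is prepared to terminate TLS for with that one certificate, not which sites share that IP address: the same certificate can be served from many addresses, and SNI can select a different certificate on the same address.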
2

HTTP 1.1 added a "host" header, to allow multiple web hostnames to use the same IP address. Each website no longer has its own unique IP, not for the last 20 years or so.

Originally, when the WWW was invented, there were still plenty of IPv4 addresses to go around. So each DNS hostname pointed to one IP address. So a webserver knew which host the client wanted, itself! Because it was the only one serving that IP address and therefore that hostname. One DNS name equalled one IP address.

It has always (AFAIK!) been legal for several domain names to point to the same IP address. When IP addresses started to run out, this practice became more common. There are more hostnames now than there are IP addresses. A particular www server is no longer distinguished by having its own IP address. Now, several hostnames resolve to one IP address. But how can a server, living on one IP address, know which of its "aliases", its hostnames, it's supposed to be acting as?

So they invented HTTP 1.1, which added a "host" header, to solve this problem. Instead of a site's hostname being implicitly "me!", it's now sent as a header, and the web server, or some front end, can decide from that how to handle a request, which web site it's supposed to be acting as, and possibly hand over to some other bit of software to do the work.

All in the name of sticking with IPv4 til the bloody end! Til the world is a desert, scattered with broken thermionic valves and uranium, and the last two living human beings, if you can call them that, fight to the death for the last routable address.

To answer your question, "It's normal. It's fine!"

Greenaum
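The Host-header dispatch this answer describes, as an added Python example that is not part of the answer: a minimal name-based virtual-host selector that parses the request head, works out which name the client asked for, and routes it to a configured site. The virtual-host table and its document roots are made up (arturofm.com is the domain from the question, www.example.com a documentation name), and the requests fed to it are constructed. It also handles the cases a real server must get right: an HTTP/1.1 request with no Host header is a 400, an absolute-form request target overrides Host, a port suffix and letter case are normalised, duplicate Host headers are rejected, and an unknown name falls through to a default rather than being echoed back anywhere.

```python
from urllib.parse import urlsplit

# Illustrative virtual-host table: document roots are invented.
VHOSTS = {
    "arturofm.com": "/srv/www/arturofm",
    "www.example.com": "/srv/www/example",
}


class BadRequest(Exception):
    """Raised where a server would answer 400 Bad Request."""


def parse_request_head(raw):
    """Split the request line and headers off a raw HTTP/1.x request."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise BadRequest("malformed header line")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def requested_host(target, version, headers):
    """Which hostname the client asked for (RFC 7230 sections 5.4 and 5.5).
    Returns None only for an HTTP/1.0 request that sent no Host at all."""
    if "://" in target:
        # absolute-form target (what proxies send) takes precedence over Host
        host = urlsplit(target).hostname
        if not host:
            raise BadRequest("absolute-form target without a host")
        return host
    hosts = headers.get("host", [])
    if len(hosts) > 1:
        raise BadRequest("more than one Host header")
    if not hosts:
        if version == "HTTP/1.1":
            raise BadRequest("HTTP/1.1 request without Host")
        return None
    host = hosts[0]
    if host.startswith("["):                 # bracketed IPv6 literal
        end = host.find("]")
        if end < 0:
            raise BadRequest("unterminated IPv6 literal in Host")
        host = host[1:end]
    elif host.count(":") == 1:               # name:port
        host = host.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def select_vhost(raw, vhosts=VHOSTS, default=None):
    """Document root to serve for `raw`; `default` when the request names no
    site we know (or no site at all); BadRequest when it is malformed."""
    _method, target, version, headers = parse_request_head(raw)
    host = requested_host(target, version, headers)
    if host is None:
        return default
    # Look up only names we configured: a client-supplied Host value must never
    # be reflected into links or redirects, or it becomes a host-header
    # injection vector.
    return vhosts.get(host, default)


def is_rejected(raw, vhosts=VHOSTS):
    """True when the server would answer 400 instead of routing the request."""
    try:
        select_vhost(raw, vhosts)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    for req in (
        b"GET / HTTP/1.1\r\nHost: arturofm.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: WWW.Example.com:443\r\n\r\n",
        b"GET http://arturofm.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET / HTTP/1.0\r\n\r\n",
        b"GET / HTTP/1.1\r\n\r\n",
    ):
        outcome = "400" if is_rejected(req) else select_vhost(req, default="(default site)")
        print(req.split(b"\r\n")[0].decode(), "->", outcome)
```

The `HTTP/1.0` case is exactly the situation the answer describes from before the header existed: with nothing to go on, the server can only serve whatever it treats as its default site for that address.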