I wanted to check what's the full list of IPs of a given website (for instance, google.ch). Running dig consistently returns me the same IP:

```
dig google.ch

google.ch.              136     IN      A       172.217.168.67
```

But when running an online service such as https://toolbox.googleapps.com/apps/dig/ I can see that consecutive calls return different IP addresses.

Plus, https://www.robtex.com/dns-lookup/google.ch tells me there seem to be 28 IPs associated with this domain name.

Would it be possible for me to also get this info through dig or similar tools or is that out of my control?

Thanks

1 Answer

> Would it be possible for me to also get this info through dig or similar tools or is that out of my control?

It is out of your control. You can probably "emulate" the feature, if you do a DNS query from multiple points on the Internet at the same time, and then consider the union of all results. It would still be very approximate.

Why?

Because the DNS server is free to choose whatever algorithms it wants to give you back an answer. For example, if there are load balancers and CDNs involved, you could get a different IP address at each query, indeed for "GeoDNS" reasons or other ones. Or multiple addresses as an answer to a single query. And that can depend on where the query comes from: the DNS server sees the IP address of the recursive DNS server or DNS client doing the request, and sometimes other information (there is an EDNS option for the client to add a subnet IP to encode the real client doing the request, so that the DNS server can theoretically provide a more suited reply; for privacy reasons however this may not be used very often).

Even purely at the DNS level, you have at least two levels of possible variability:

  • the DNS resolver you use (your dig example did not specify a nameserver explicitly with @, which means you use the locally defined recursive nameserver, which means you can really get absolutely anything as a result, as it is not authoritative; plus of course any serious discussion would need to involve DNSSEC at some point) can be anycasted: hence you may not even always reach the same node, and depending on the provider, the nodes' caches may be shared or not, so you can get completely different replies just based on the case
  • the DNS authoritative server you reach can also be anycasted, and hence, again you can get completely different replies depending on where you are, and what BGP decided at that time for the routing to be.

Also, finally, more important, why do you need that data? If you specify more your constraints/use case, there may be other ways to achieve what you need. If you consider it still in all generic case, why do you think you need to know "all" IP addresses of google.ch for example? And even if you achieve that, why do you think it is relevant, as the owner can change all of that at any time?

Because for some specific reasons sometimes providers will list the relevant IP addresses. For example a provider of monitoring services, or a search engine, can list which IP addresses they use, so that you can make sure not to block them. But that is just some typical documentation on a website, nothing dynamic nor very related to the DNS as protocol.

PS: don't forget that IPv4 is legacy Internet; you should concentrate on IPv6 nowadays :-)

Patrick Mevzek
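
The "query from several points and take the union" approach from the answer above, as an added example that is not part of the original answer: it asks several recursive resolvers explicitly with `@`, with and without an EDNS Client Subnet hint, and merges the A records it sees. The resolver list, the subnets (documentation-range placeholders) and the function names are assumptions, and the output remains a sample of the addresses, not a complete list.

```shell
#!/bin/sh
# Added example: sample the A records of one name from several vantage points.
# Assumptions: the resolver list and subnets below, and a dig with +subnet support.

# Recursive resolvers to query explicitly with @ (assumed reachable public ones).
RESOLVERS="${RESOLVERS:-8.8.8.8 1.1.1.1 9.9.9.9}"
# EDNS Client Subnet hints. Placeholders from documentation ranges: replace them
# with prefixes you care about. A resolver may ignore or rewrite the hint.
SUBNETS="${SUBNETS:-192.0.2.0/24 198.51.100.0/24}"

# dig +short also prints CNAME targets and timeout notices; keep IPv4 lines only.
only_ipv4() { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true; }

# query_a RESOLVER NAME [SUBNET]: one A query, optionally carrying an ECS hint.
query_a() (
  resolver=$1 name=$2 subnet=${3:-}
  if [ -n "$subnet" ]; then
    dig +short +time=2 +tries=1 "@$resolver" "$name" A "+subnet=$subnet"
  else
    dig +short +time=2 +tries=1 "@$resolver" "$name" A
  fi | only_ipv4
)

# per_vantage NAME: prints "resolver subnet address", one line per answer seen.
per_vantage() (
  name=$1
  for r in $RESOLVERS; do
    for s in "" $SUBNETS; do        # "" = plain query without ECS
      query_a "$r" "$name" "$s" | sed "s|^|$r ${s:--} |"
    done
  done
)

# union_a NAME: every distinct address seen, in numeric order.
union_a() {
  per_vantage "$1" | awk '{ print $3 }' |
    sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Run as a script: ./union_a.sh google.ch
if [ "$#" -gt 0 ]; then
  per_vantage "$1"
  echo "--- union ---"
  union_a "$1"
fi
```

Running it again later, or from another network, can add addresses to the union, which is the variability in time and space the answer describes.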
  • Hi, thanks for the comprehensive answer! I was just curious, and was (innocently) under the impression that if such a widely used website (google.ch) would have tens of assigned IPs, most likely "load balanced" on every DNS call, such that a straight `dig` call would either always give me a different one or would give me the whole list. – devoured elysium Jun 03 '21 at 23:35
  • @devouredelysium You can use a site such as https://www.whatsmydns.net/#A/google.ch to see how the name resolves to different IP addresses depending where the request is initiated from (even if the website uses the inappropriate but wildly used term of "propagation" which doesn't exist in the DNS) – Patrick Mevzek Jun 03 '21 at 23:51
  • @devouredelysium "such that a straight dig call would either always give me a different one or would give me the whole list." A DNS server can give you a list indeed (so it is good to depart from the idea that one name = one IP address) but that ought to be all the relevant IP addresses for that given DNS client at that specific time. It can vary both in time and space. A DNS server has no reason to give "all" the IP addresses, it needs to give only the one that the DNS client needs. "Need to know basis" if you want. – Patrick Mevzek Jun 03 '21 at 23:54