8

I've got a friend who has been completely abandoned by his previous website guy. Yes, the guy was cut rate, and yes, you get what you pay for.

Anyway, he has asked me to help him untangle all that has been done. Starting now, he wants to know who is actually hosting his website. He knows for sure that the site is registered through GoDaddy, and he previously had the domain hosted there as well. He even prepaid his hosting contract through August 2011 I believe.

Now he's receiving hosting bills from 2 other companies as well (I don't know the names of the other 2 companies at this time). He THINKS that the programmer (who has dropped off the face of the earth) had moved it somewhere, but he doesn't know where it was moved.

Is there any way to tell from a WhoIs or some other method where the site is being hosted? Whois reports 1 IP address, traceroute reports a different IP address.

I'm more than a little outside my comfort zone. Any help or pointers would be much appreciated.

Matt Dawdy
  • 429
  • 1
  • 9
  • 19

6 Answers6

9

Have always found this a useful site.

WHOIS Site

Dave M
  • 4,494
  • 21
  • 30
  • 30
  • 1
    I almost voted you down because I'm an idiot, but then I decided to try your suggestion. That was VERY helpful. – Matt Dawdy Dec 07 '09 at 22:06
7

First off get the IP address of the hosting server

[jim@smokey ~]$ dig www.dogisland.com
;; QUESTION SECTION:
;www.dogisland.com.             IN      A

;; ANSWER SECTION:
www.dogisland.com.      7200    IN      CNAME   dogisland.com.
dogisland.com.          7200    IN      A       69.43.139.149

;; AUTHORITY SECTION:
dogisland.com.          7200    IN      NS      NS1.Realtown.com.
dogisland.com.          7200    IN      NS      DNS1.InternetCrusade.com.

;; Query time: 198 msec
;; SERVER: 208.78.97.155#53(208.78.97.155)
;; WHEN: Mon Dec  7 15:26:34 2009
;; MSG SIZE  rcvd: 127

Notice who handles the "NS" records, they're who is handling the DNS hosting (which is often separate from the web hosting).

Next up, do a reverse DNS lookup on that ip address. Often there are clues in rDNS.

[jim@smokey ~]$ dig -x 69.43.139.149
;; QUESTION SECTION:
;149.139.43.69.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
149.139.43.69.in-addr.arpa. 3600 IN     PTR     web22.icsandiego.com.

;; AUTHORITY SECTION:
139.43.69.in-addr.arpa. 3600    IN      NS      ns1.Realtown.com.
139.43.69.in-addr.arpa. 3600    IN      NS      dns1.internetcrusade.com.

;; Query time: 102 msec
;; SERVER: 208.78.97.155#53(208.78.97.155)
;; WHEN: Mon Dec  7 15:26:48 2009
;; MSG SIZE  rcvd: 140

Looks like "icsandiego" is the host here.

Third, whois the IP address.

[jim@smokey ~]$ whois 69.43.139.149
[Querying whois.arin.net]
[whois.arin.net]
Castle Access Inc ARIN-CASTLE-ALLOC (NET-69-43-128-0-1)
                                  69.43.128.0 - 69.43.207.255
Internet Crusade ICSANDIEGO (NET-69-43-139-0-1)
                                  69.43.139.0 - 69.43.139.255

# ARIN WHOIS database, last updated 2009-12-06 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

So here I can see that "Internet Crusade ICSANDIEGO" owns the IP address, which lines up with the dns and rdns from before. Given all this I'd google some of those company names and see where it got me.

So, try that for your domain.

cagenut
  • 4,808
  • 2
  • 23
  • 27
  • Fantastic answer. Once I figure out how to to dig on windows, I'll try it. JUST KIDDING! Great answer, though. – Matt Dawdy Dec 07 '09 at 22:07
  • There is a dig tool for Windows. – Dave P Jul 13 '11 at 20:40
  • I found your answer the most useful, being new to finding out this stuff myself. I didn't understand the first answer. I understood yours. The example you gave of the tracing down process made that understanding happen. Thank you. – Steve Aug 23 '14 at 15:09
2

I have found http://www.robtex.com/dns/ a very good DNS search tool that assembles lots of different relevant data.

Joe Koberg
  • 453
  • 1
  • 3
  • 9
1

Check the domain name AND the IP on a whois like http://www.whoeasy.net 1 - With domain name, you get the servers (dns1 and dns2). 2 - With the DNS and/or the IP, you get the new hosting company 3 - You contact this company and check what's wrong with the swindler.

Chris
  • 11
  • 1
1

nslookup hostname_of_site

whois the IP that is returned by nslookup.

Dominic D
  • 1,376
  • 9
  • 10
  • Thanks -- that reports 1 of the 2 that I used before, so maybe that is the real IP address. It says "Non-authoritative answer"...would that make a difference? – Matt Dawdy Dec 07 '09 at 21:28
  • That is the expected response. You'll always receive a non-authoritative answer unless you are directly querying the NS listed in the whois info. That being said, that should be the correct IP and the one that you should whois. – Dominic D Dec 07 '09 at 21:52
1

A non-authorative answer means that your DNS server is giving you an answer for a domain that it's not authorative for, which is normal and expected.

At the end of the day, does it matter who's currently hosting the web site? What you need to determine is who is hosting the DNS zone for the domain in question. Once you have that information, you can contact them and have them point the DNS record for the web site anywhere you wish.

joeqwerty
  • 108,377
  • 6
  • 80
  • 171
  • Well, I think he would be fine with whoever is hosting his site. He just wants to make sure he's paying the right one of the 3 companies who are CLAIMING to host his site. Thanks for the answer about nslookup. – Matt Dawdy Dec 07 '09 at 22:03
  • Glad to help. Thanks for the clarification and good luck with it. – joeqwerty Dec 07 '09 at 22:10