How to find all IP addresses and/or subnet(s) associated with a FQDN hostname?

Like many, switching over to privacy centric VPNs has its quirks. One such quirk is that certain sites and web apps just won't work without a non-anonymizing VPN IP for your connection.

Let's take Netflix for example. Traditionally one would pick and dig for their IP addresses by resolving host names and going into their DNS tables...

But is there a method for popping in a website as though visiting it and then having all of the IP addresses and/or subnets associated therewith to come back in a list?

OpenVPN and such tools allow these IP addresses or even subnets to be masked so as to allow such services to pass through your ISP vs the VPN, but one needs to isolate these addresses first.

I'm just looking for a much more efficient way to get these in order to add them to our exception tables.

ylluminate

Posted 2018-03-01T23:37:24.117

Reputation: 760

Answers

No.

There are a number of reasons this is not possible. The key factors are: web servers are typically configured to answer on any IP address and use the provided domain name to produce content, thus a web server will typically not know what IPs are meaningful to it, and even the rare few that do won't disclose these to viewers because it's a security risk.

This needs to be coupled with CDNs and other distributed and cloud networks, where IP addresses change from time to time and, based on the source location, even DNS will return different results.

Also, a FQDN cannot be associated with a subnet; it's like comparing oranges and eggplants. They really are not comparable in any way.

davidgo

Posted 2018-03-01T23:37:24.117

Reputation: 49 152

If it were possible, @Hack's answer is the way to go. But I agree with davidgo that due to the highly dynamic way in which sites like NetFlix source their content, it would amount to grasping the wind. – I say Reinstate Monica – 2018-03-02T03:01:19.937

@TwistyImpersonator I have seen, at one point, a Netflix subnet (it may have been more than one) work fine for a couple of years for a friend... Likewise, someone who used PIA was able to use several Google subnets to get by their incessant griping about IP changes. They did the same with Amazon since there were some quirks there too. The idea is to be able to build these IP or subnet lists readily in order to update the exception list to pass through the local gateway vs the VPN. – ylluminate – 2018-03-02T03:16:51.060

The answer to the main question is "dig" but there may be more to this, beyond your direct question.

Dig is a DNS tool found on most *NIX systems. It does not come with Windows. There are online versions of dig.

DIG EXAMPLE:

id 55166
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
netflix.com. IN ANY
;ANSWER
netflix.com. 59 IN A 34.227.4.120
netflix.com. 59 IN A 35.153.58.124
netflix.com. 59 IN A 34.234.59.120
netflix.com. 59 IN A 34.236.214.109
netflix.com. 59 IN A 34.238.74.93
netflix.com. 59 IN A 34.229.8.114
netflix.com. 59 IN A 54.85.172.124
netflix.com. 59 IN A 52.20.168.249
netflix.com. 14399 IN NS ns-1372.awsdns-43.org.
netflix.com. 14399 IN NS ns-1984.awsdns-56.co.uk.
netflix.com. 14399 IN NS ns-659.awsdns-18.net.
netflix.com. 14399 IN NS ns-81.awsdns-10.com.
netflix.com. 899 IN SOA ns-81.awsdns-10.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 1800
netflix.com. 59 IN MX 1 aspmx.l.google.com.
netflix.com. 59 IN MX 10 aspmx2.googlemail.com.
netflix.com. 59 IN MX 10 aspmx3.googlemail.com.
netflix.com. 59 IN MX 5 alt1.aspmx.l.google.com.
netflix.com. 59 IN MX 5 alt2.aspmx.l.google.com.
netflix.com. 299 IN TXT "facebook-domain-verification=k65vedr09b2tp2q144ho1zewp3xsc6"
netflix.com. 299 IN TXT "v=spf1 include:_spf_ipv4.netflix.com include:_spf.google.com include:amazonses.com -all"
netflix.com. 59 IN AAAA 2406:da00:ff00::34ce:17ec
netflix.com. 59 IN AAAA 2406:da00:ff00::23a9:2d21
netflix.com. 59 IN AAAA 2406:da00:ff00::23a9:5340
netflix.com. 59 IN AAAA 2406:da00:ff00::3403:a912
netflix.com. 59 IN AAAA 2406:da00:ff00::34c9:c896
netflix.com. 59 IN AAAA 2406:da00:ff00::3403:2021
netflix.com. 59 IN AAAA 2406:da00:ff00::34ce:7a8a
netflix.com. 59 IN AAAA 2406:da00:ff00::36a4:fed8
netflix.com. 299 IN CAA 0 iodef "mailto:security@netflix.com"
netflix.com. 299 IN CAA 0 issue "digicert.com"
netflix.com. 299 IN CAA 0 issue "symantec.com"
netflix.com. 299 IN CAA 0 issuewild "digicert.com"
netflix.com. 299 IN CAA 0 issuewild "symantec.com"
;AUTHORITY
;ADDITIONAL

NOTE:

Netflix, like many high volume websites, uses a CDN. The actual content may not come from any of the listed addresses. You would also need to dig every CDN they use and those might be scattered across subdomains like "cdn0.netflix.com". It looks like they might be using Amazon Web Services as their actual CDN.

USING THE BROWSER:

To answer your final thought about collecting this information by visiting, yes. You can see what your browser is doing by hitting F12. This works in Chrome and Firefox. Click on the Network tab to see all the traffic from the browser's perspective.

NETSTAT:

You can also run netstat to see all established connections. Connect to netflix and run this:

netstat -banf

HackSlash

Posted 2018-03-01T23:37:24.117

Reputation: 3 174
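An added example (not from the question, either answer, or any tool mentioned on this page) that parses A/AAAA records from dig output in the shape quoted above and then computes the single CIDR block that would have to be whitelisted to cover those hosts. It makes davidgo's point concrete: with 59-second TTLs the answer set is a snapshot, and the "subnet" covering a handful of cloud-hosted addresses is enormous. The sample dig text is a constructed subset of the answer's output, not a live lookup.

```python
import ipaddress
import re

# Constructed sample in the shape of the dig output quoted in the answer
# (a subset of its A/AAAA/NS/TXT records, not a live lookup).
SAMPLE_DIG_OUTPUT = """\
;QUESTION
netflix.com. IN ANY
;ANSWER
netflix.com. 59 IN A 34.227.4.120
netflix.com. 59 IN A 35.153.58.124
netflix.com. 59 IN A 54.85.172.124
netflix.com. 14399 IN NS ns-81.awsdns-10.com.
netflix.com. 59 IN AAAA 2406:da00:ff00::34ce:17ec
netflix.com. 59 IN AAAA 2406:da00:ff00::23a9:2d21
netflix.com. 299 IN TXT "v=spf1 include:_spf.google.com -all"
;AUTHORITY
"""

# One resource record line: owner, TTL, class IN, type A or AAAA, address.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_addresses(dig_output):
    """Return {ip_address: ttl} for the A/AAAA records in the ANSWER section.
    The 59 s TTLs mean this set is only a one-minute snapshot."""
    found, in_answer = {}, False
    for line in dig_output.splitlines():
        if line.startswith(";"):  # section marker such as ;ANSWER
            in_answer = line.strip() == ";ANSWER"
            continue
        m = RR_LINE.match(line.strip())
        if in_answer and m:
            found[ipaddress.ip_address(m.group(4))] = int(m.group(2))
    return found


def covering_prefix(addrs):
    """Smallest single CIDR block containing every address in addrs (all of
    one IP version). Shows how wide a 'subnet' exception would have to be to
    cover hosts that merely share a cloud provider's address space."""
    addrs = list(addrs)
    bits = 32 if addrs[0].version == 4 else 128
    cls = ipaddress.IPv4Network if bits == 32 else ipaddress.IPv6Network
    lo, hi = min(int(a) for a in addrs), max(int(a) for a in addrs)
    plen = bits
    while plen > 0 and (lo >> (bits - plen)) != (hi >> (bits - plen)):
        plen -= 1
    return cls(((lo >> (bits - plen)) << (bits - plen), plen))
```

For the three sample IPv4 hosts the covering block is 32.0.0.0/3, over half a billion addresses, which is why per-host exceptions refreshed on each resolution are the only defensible form of such a list.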