How to properly obtain the ip ranges of a domain?

2

1

In order to shape traffic cheaply, I would like to know the address range of a particular domain, say google.com.

  • First option is to do a reverse dns lookup for a range of ips that are close to the ones from dig google.com +short. The problems are obvious: it's easy to miss something. Moreover, isn't scanning like that a bit rude?

  • Second option is to monitor for DNS queries that come back from the name servers. The ips of the name servers are unlikely to change which is good. However, I have no idea how to teach my router (Mikrotik RB951G-2HnD) to extract ips from dns responses.

  • Finally, it turned out that in some cases (namely, google.com and vk.com) subnet ranges are stored in the TXT record type. A single query can be made to obtain those:

    dig txt google.com +short
    

    However, not everybody does that. And even if they did, I would have to manually reconfigure the router with an additional ip range if that ever changed.

Question: what is the preferred way of obtaining the ip ranges of a domain? How to keep that range up to date?

alisianoi

Posted 2014-03-16T10:24:52.237

Reputation: 213

It's not my cup of tea, but curious: doesn't dig google.com +short give you exactly what you need, without any further processing? (Or, was my earlier comment about the title of this question wrong, and do you also want to know about, e.g., maps.google.com which in this case is the same list but could be different, or gmail.com, ajax.googleapis.com, www.google-analytics.com and so on? And all might be in very different data centers, so might have different cheaper routing as well.) – Arjan – 2014-03-16T12:40:09.353

Are you sure dig txt google.com +short gives you what you want? Not every Google server is sending email, and it seems to me you're looking at IP ranges for SPF records there.

– Arjan – 2014-03-16T12:40:52.937

dig google.com +short is definitely just a subset of the ip range. You can make sure it's true: run it, find an ip that is close to the ones you see and run a reverse DNS lookup: dig -x close_ip_here. Good chance it will still be from the same domain. On the other hand, the txt record has indeed all sorts of things in it and you are right to point out that it's usually for SPF. But it is currently the way I get the ip range and it works. Finally, networking is not my cup of tea either, hence a question here @Arjan – alisianoi – 2014-03-16T15:35:07.127

Domains don't necessarily have "ranges" of IP addresses. It's perfectly possible for a domain to use six different IP addresses that are widely separated. For example, one major UK website uses 146.101.19.102 and 213.161.77.102. – Mike Scott – 2014-04-11T05:29:52.613

Answers

3

You could try using whois on one of the returned IP addresses, at least for »big players« like Google, who have their own server farms and thus their own address ranges registered (not using some third party's space).

$ dig google.com +short
173.194.113.131
173.194.113.137
173.194.113.136
[…]
$ whois 173.194.113.131


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.194.113.131?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       173.194.0.0 - 173.194.255.255
CIDR:           173.194.0.0/16
OriginAS:       AS15169
NetName:        GOOGLE
NetHandle:      NET-173-194-0-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Allocation
RegDate:        2009-08-17
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-194-0-0-1


OrgName:        Google Inc.
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2013-08-07
Ref:            http://whois.arin.net/rest/org/GOGL

OrgAbuseHandle: ZG39-ARIN
OrgAbuseName:   Google Inc
OrgAbusePhone:  +1-650-253-0000 
OrgAbuseEmail:  arin-contact@google.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ZG39-ARIN

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc
OrgTechPhone:  +1-650-253-0000 
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    http://whois.arin.net/rest/poc/ZG39-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
$

Thus the range you want to know would be 173.194.0.0/16.

Andreas Wiese

Posted 2014-03-16T10:24:52.237

Reputation: 1 911
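
The whois step from the answer above, as an added example that is not part of the original post: it parses whois output into CIDR blocks and reports which resolved addresses fall outside them, the case raised in Mike Scott's comment. It goes beyond the ARIN output shown by also accepting RIPE-style `inetnum:` ranges; the function names and the RIPE sample are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the ARIN fields from the answer's whois output,
# trimmed to a few lines around the one the parser reads.
ARIN_SAMPLE = """\
NetRange:       173.194.0.0 - 173.194.255.255
CIDR:           173.194.0.0/16
OriginAS:       AS15169
NetName:        GOOGLE
"""

# Constructed sample in RIPE-style layout (documentation address space).
RIPE_SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.191
netname:        EXAMPLE-NET
"""

# Matches "NetRange: a - b" (ARIN) and "inetnum: a - b" (RIPE-style).
RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):[ \t]*(\S+)[ \t]*-[ \t]*(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)


def whois_networks(whois_text):
    """Return the CIDR blocks covering every start-end range in whois output."""
    nets = []
    for first, last in RANGE_RE.findall(whois_text):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A range need not align to one prefix, so it can yield several blocks.
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def uncovered(addresses, nets):
    """Addresses (e.g. from `dig +short`) that lie outside all known blocks."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    nets = whois_networks(ARIN_SAMPLE)
    print([str(n) for n in nets])
    # One address from the answer's dig output, one from Mike Scott's comment;
    # the second is outside the block and would need its own whois lookup.
    print(uncovered(["173.194.113.131", "146.101.19.102"], nets))
```

Any address returned by `uncovered` belongs to a block that the single whois lookup did not reveal, so a shaping rule built from one lookup would miss it.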