How do I find all known IPs for a given domain in Linux?

2

1

I am a developer on a project that uses amazon servers for testing. I am switching from using FoxyProxy to routing with iptables because it is more convenient.

The trouble I ran into is that when running DNS resolution I find that more than one address is returned with multiple calls to resolve a given domain.

For instance:

$ host sample.domain.com
sample.domain.com has address 50.200.80.100
$ host sample.domain.com
sample.domain.com has address 50.200.80.101

This is a stark contrast to Google, which:

$ host www.google.com
www.google.com has address 74.125.225.81
www.google.com has address 74.125.225.80
www.google.com has address 74.125.225.84
www.google.com has address 74.125.225.82
www.google.com has address 74.125.225.83
www.google.com has IPv6 address 2607:f8b0:4009:803::1012

Currently I am resolving the host many times to build a list of IPs and use that to set the iptable routes. Is there a better way to do this?

Note: I don't have access to change anything about the server so any suggested solution will have to be client side.

Tiris

Posted 2014-12-02T14:33:28.387

Reputation: 21

Can you give a real domain name that causes the issue? – Werner Henze – 2014-12-04T15:38:44.977

Unfortunately, I am not permitted to provide that information. – Tiris – 2014-12-05T14:54:22.917

My test here with www.zdf.de showed that nslookup and host both return two IP addresses in one call. If I call the lookups again, I get the same result. So if you don't want to provide any DNS name (no need to provide the critical ones) that shows the result you describe, I cannot reproduce that here and help you. – Werner Henze – 2014-12-05T14:59:29.677

Answers

1

Most of the high traffic websites have multiple front-end servers serving the traffic. Mostly each of these IP addresses would be a load balancer, behind which there would be even more servers.

If you are interested in getting the "A" record for a domain you can use the dig, nslookup or host command. If you are using Linux then the dig command would be the preferred way of getting it.

$ dig A google.com +short @8.8.8.8
74.125.236.167
74.125.236.160
74.125.236.169
74.125.236.168
74.125.236.161
74.125.236.162
74.125.236.164
74.125.236.163
74.125.236.165
74.125.236.174
74.125.236.166

The above command gathers all "A" (address) records of the domain google.com. Each time you query it you will get the same set of IP addresses but in a different order.

I am not sure what kind of iptables rule you are going to use, but mostly the "A" records will belong to the same network, such as 74.125.236.0/24 based on my dig output.

Kannan Mohan

Posted 2014-12-02T14:33:28.387

Reputation: 398

When I run this command I only get one address: 216.58.216.192 – Tiris – 2014-12-05T14:40:34.103

Although it looks like this might be because of my company's DNS server. When I run on a personal computer it works as expected. – Tiris – 2014-12-05T14:50:09.350
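As an added example that is not part of the answer above, the following POSIX shell script does what the question describes doing by hand: it queries the name repeatedly, keeps the unique IPv4 A records seen, checks whether they all fall in one /24 as the answer suggests, and prints iptables rules for them. The resolver is passed in as a shell function so the collection logic can be exercised offline with a constructed stand-in for `dig +short` that hands out one address per query; the addresses in the stand-in are the placeholder ones from the question, and the MARK rule is an assumption about how the asker routes traffic with iptables.

```shell
#!/bin/sh
# Added example, not code from the original post. Collect the A records a
# name resolves to over repeated queries and emit iptables rules for them.

# Real resolver, one address per line, as in the answer above.
resolve_with_dig() {
    dig A "$1" +short @8.8.8.8
}

# Constructed stand-in for a server that returns a single rotating address
# per query (the behaviour described in the question). Not a real host.
FAKE_CALL=0
resolve_fake() {
    FAKE_CALL=$((FAKE_CALL + 1))
    case $((FAKE_CALL % 3)) in
        0) echo "50.200.80.100" ;;
        1) echo "50.200.80.101" ;;
        2) echo "50.200.80.102" ;;
    esac
}

# collect_addrs NAME ROUNDS RESOLVER
# Queries NAME ROUNDS times with RESOLVER and prints the unique IPv4
# addresses seen, in numeric order. Rotating answers are covered by asking
# repeatedly; servers that return the whole set each time are covered by
# the de-duplication. Non-address lines (dig prints CNAME targets too) are
# dropped by the regex.
collect_addrs() {
    name=$1; rounds=$2; resolver=$3
    i=0
    while [ "$i" -lt "$rounds" ]; do
        "$resolver" "$name"
        i=$((i + 1))
    done | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
         | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# same_slash24 ADDR...
# Prints the common /24 if every address shares its first three octets,
# otherwise prints nothing and returns 1. Caveat: addresses sharing a /24
# does not mean the whole /24 belongs to the target; a rule on the /24
# also admits unrelated hosts in that block.
same_slash24() {
    prefix=""
    for ip in "$@"; do
        p=${ip%.*}
        if [ -z "$prefix" ]; then
            prefix=$p
        elif [ "$p" != "$prefix" ]; then
            return 1
        fi
    done
    echo "$prefix.0/24"
}

# iptables_rules ADDR...
# Prints one iptables command per address. Marking in the mangle table so
# that `ip rule fwmark 1 ...` can steer the traffic is one way to do
# policy routing; the exact chain and target are assumptions.
iptables_rules() {
    for ip in "$@"; do
        echo "iptables -t mangle -A OUTPUT -d $ip -j MARK --set-mark 1"
    done
}

# Usage: ./collect.sh NAME [ROUNDS]  (real lookups through dig).
# With no arguments the constructed resolver is used so the script runs offline.
if [ "$#" -gt 0 ]; then
    addrs=$(collect_addrs "$1" "${2:-20}" resolve_with_dig)
else
    addrs=$(collect_addrs sample.domain.com 6 resolve_fake)
fi
iptables_rules $addrs
```

The number of rounds is a guess at how many queries are needed before every address in the rotation has been seen; if the rule set must be complete, compare two runs and keep querying until a run adds nothing new, and re-run the script periodically since the answers can change without notice.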

0

Sadly, there is no easy way to do this.

If you were able to do a zone transfer of the google.com zone, you could then parse all A and AAAA records. However, Google does not permit public zone transfers and even if they did, their DNS data likely changes frequently.

Google publishes their current network ranges in a DNS TXT record. https://support.google.com/a/answer/60764?hl=en

$ nslookup -q=TXT _netblocks.google.com 8.8.8.8
$ nslookup -q=TXT _netblocks2.google.com 8.8.8.8

You can also use ARIN's Whois to search for an IP address or company. http://whois.arin.net/rest/net/NET-74-125-0-0-1/pft

Keep in mind that network blocks may be registered to ISPs and subsets may be given to a specific organization.

pyther

Posted 2014-12-02T14:33:28.387

Reputation: 174