Find the host of a website - dns

I'm helping my uncle who has a website that he doesn't remember anything about, whatsoever. He has had it for years and he's very unstructured. I tried getting him to find a bill from the hosting company where he has his website, but he says he's paying for so many things that he doesn't know what is what, so that wasn't an option.
I tried running a whois on his domain, but it's pointing to a free online DNS-redelegation tool ( www.gratisDNS.dk - the nameservers are called ns1.gratisdns.dk, ns2.gratisdns.dk, ...). I know that many companies use this tool to redirect the traffic to their own hosting-solution (since gratisdns means 'free dns').
So the question is whether I can find the hosting company some other way, having only the domain name and the name servers. I would assume that the answer is 'no' (just FYI).

The WHOIS protocol works for IP addresses, as well as domain names. If you find the IP address the site is hosted on and look it up, it should return information about the owner of the IP address and therefore who hosts the website.
For example, for stackoverflow.com:
$ ping stackoverflow.com
PING stackoverflow.com (104.16.33.249) 56(84) bytes of data.
...
$ whois 104.16.33.249
...
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: CloudFlare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2015-10-01
Comment: https://www.cloudflare.com
Ref: http://whois.arin.net/rest/net/NET-104-16-0-0-1
...

Find the hostnames associated with the IPs, then do a whois lookup.

A WHOIS tool is the best tool to find the details of a host. All you have to do is visit whois, enter the domain name in the search box and hit the search button. All the information will be displayed on your screen, along with the hosting company and the domain name registrar.

Related

What is the use of having canonical names in computer networks? Can't we just use alias names to get IP address directly?

For example, say we want to look up google.com (let us assume it's an alias name); then we will look it up in DNS and get its canonical name, which further helps to get the IP address. Why can't we just get the IP address from the alias name, as it would also be unique?
It is not always guaranteed that an alias name resolves to the same IP address, and there is a very good reason for it. Let's say person A is browsing google.com from country A. Google has its servers all over the world (for efficiency purposes). It is beneficial if person A's requests are directed towards Google servers in country A rather than towards some other distant location. This is where CNAME records come into the picture. CNAME records are configured in such a way that google.com resolves to servers which are specific to country A. Another case where you get a different IP for the same alias name is when you fetch MX records (mail server records): for the same domain you can have different servers managing mail and web traffic.
The design of URLs is for convenience. The convenience is that when we want to change the server IP, we don't need to tell all the users the new IP of the website. In other words, what we have done on the server makes no difference to users. That is the core idea in server design.

Is it possible to make fail2ban ignore google?

I need to use fail2ban due to many attack attempts on my server; I also have filters that I had to activate/create to block attack attempts.
But now I'm pretty sure that some Google IPs end up in the jail of my fail2ban...
I added some IPs to the ignoreip directive in the jail.local file, but they are only the ones that I managed to identify as real Google IPs in my access.log (I also have many fake Google ones).
It would be nice to be able to give fail2ban a list of IPs to ignore, but Google does not release its IP list; Google says: https://support.google.com/webmasters/answer/80553?hl=en
So the question is: is it possible to do a reverse DNS lookup to understand if an IP belongs to Google and tell fail2ban to ignore it?
Can it be done via fail2ban? Do you need any external script? Could it be too heavy, long and tiring for the server?
Yes, you can identify Google bots using a reverse IP lookup.
All crawler bots will end with xxxxxx.google.com or xxxxxxx.googlebot.com,
e.g. crawl-203-208-60-1.googlebot.com.
It is not possible to identify them in fail2ban itself, but you can whitelist the IP address once you know it's a Googlebot.
There are many ways to perform a reverse IP lookup.
You can use Python, Ruby or bash to find out; check the following article:
http://searchsignals.com/tutorials/reverse-dns-lookup/
There are websites that can do a reverse IP lookup for you:
https://dnschecker.org/reverse-dns.php
http://reverseip.domaintools.com/
If you can code in Python, you can easily dump reverse IP data to a file from a list of IP addresses.
Google does have a page about verifying GoogleBot addresses by doing a reverse-lookup on the IP address and verifying that it comes from a specific hostname (you'd then get the IP of that host, to double-check it comes back to the appropriate source IP).
There are also DNS TXT records that specify IP ranges for SPF (emails), Google Compute Cloud, and the wider Google IP addresses that can be used (many of which would be in use by GCP user's VMs and other services).
dig @8.8.8.8 +short TXT _spf.google.com
dig @8.8.8.8 +short TXT _cloud-netblocks.google.com
dig @8.8.8.8 +short TXT _cloud-netblocks.googleusercontent.com
The first query will return something like this:
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
And you would then parse it to get the IP address ranges, or do a sub-query on the include:_netblocks.google.com etc to get other sets.
The information in these records is not fixed, and can change regularly. (AWS publishes a .JSON file with several updates per week, for example.)
I'm working on a system to automatically detect 'lying user-agents', with these, and some other techniques.
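Putting the two answers above together, here is an added example (not from either poster) of the check in Python: reverse-resolve the IP, require a Google crawler suffix, then resolve the name forward and require the original IP to come back. The real lookups use the standard library's `socket` module; the stub tables at the bottom are constructed so the demo runs offline.

```python
import socket
from typing import Callable, Iterable, List, Optional, Set

# Hostname suffixes the answers above say Google's crawlers reverse-resolve to.
GOOGLE_CRAWLER_SUFFIXES = (".google.com", ".googlebot.com")

def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup: the hostname for an IP, or None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None

def forward_lookup(host: str) -> Set[str]:
    """Address lookup for a hostname: the set of IPs it resolves to."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except (socket.herror, socket.gaierror):
        return set()

def is_google_crawler(ip: str,
                      ptr: Callable[[str], Optional[str]] = reverse_lookup,
                      fwd: Callable[[str], Set[str]] = forward_lookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR must be a Google crawler name AND
    that name must resolve back to the same IP. Whoever controls an IP's reverse
    zone can point its PTR anywhere, so step two is what separates a real
    crawler from a 'lying user-agent' with a forged PTR."""
    host = ptr(ip)
    if not host or not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False
    return ip in fwd(host)

def googlebot_ips(candidates: Iterable[str], **lookups) -> List[str]:
    """Keep only IPs that pass the check: the list to put in fail2ban's ignoreip."""
    return [ip for ip in candidates if is_google_crawler(ip, **lookups)]

# Constructed offline stand-in for DNS. Only 203.208.60.1 is from the answer
# above; the other addresses are RFC 5737 documentation ranges.
FAKE_PTR = {"203.208.60.1": "crawl-203-208-60-1.googlebot.com",
            "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # forged PTR
            "192.0.2.9": "host.example.net"}
FAKE_FWD = {"crawl-203-208-60-1.googlebot.com": {"203.208.60.1"},
            "crawl-198-51-100-7.googlebot.com": {"203.0.113.5"}}

def demo() -> List[str]:
    """Run the filter over constructed access.log IPs without touching DNS."""
    seen = ["203.208.60.1", "198.51.100.7", "192.0.2.9", "192.0.2.10"]
    return googlebot_ips(seen, ptr=FAKE_PTR.get,
                         fwd=lambda h: FAKE_FWD.get(h, set()))
```

Against live DNS, drop the `ptr`/`fwd` arguments and `googlebot_ips` uses the real `socket` lookups; the result is the only set of addresses worth adding to ignoreip, since a forged PTR alone never passes.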

whois lookup shows the correct IP, but why can my browser not find the IP address of the domain?

My website suddenly stopped working.
When I search for the domain name in WHOIS websites it is showing the correct server ip address and correct DNS IP address.
I can reach the website by its IP address, but somehow when I try the domain name in the browser it's not working and it shows "This site can't be reached"!
There is no error in my server log.
I tried different browsers and different systems and it is same issue.
I am really confused. Even when I send GET requests with Postman to my domain, it is not reachable, but sending the request to the IP works!
whois and DNS resolution are two separate things, and one does not imply anything about the other. So in short, except in very specific cases, if you have a DNS resolution problem you should use DNS troubleshooting tools, not whois, and especially not web-based whois (the only relevant whois is the registry one).
Now you are giving so few details that no one can really help.
Among the possible ideas to check and probable problems:
You forgot to renew the domain, or your registrar put it on hold or, worse, deleted it (that you can see in whois).
You made a change in the DNS resolution and now it does not work anymore; use online troubleshooting tools like Zonemaster or DNSViz. Alternatively, your registrar and/or web hosting company should be able to help (since you are giving here neither the domain name nor details about the troubleshooting you did; for DNS problems, the browser is not the first tool to use, look instead at dig).
It appears that the problem was the DNS on our local system. We changed it to 8.8.8.8 and then we could access our domain!
It's usually because you use an addon domain, not the main domain for the hosting orders that are set up on cPanel/WHM.

How do name servers ensure that the server claiming to host a domain is actually operated by that domain?

I recently started using linode to host my site.
Prior to using Linode, I normally used hosting offered by my domain registrar. In those cases, I thought I understood how DNS worked, because the registrar automatically updated your DNS records to point to the server hosting the site.
When following Linode's guide to setting up a website: https://www.linode.com/docs/websites/hosting-a-website
their instructions tell you to set the DNS servers as:
ns1.linode.com
ns2.linode.com
ns3.linode.com
...
But the point I am making is that ANYONE can open an account on Linode and fill in the same DNS settings! So now anyone trying to access your website could be directed to someone else who wants to pretend to be your site!
Am I correct in understanding how DNS works? I know that the only way to ensure (from a visitor's perspective) that a site being visited is actually the domain intended is to install a certificate (https) etc. But based on the above instructions, it seems almost trivial to pretend to be someone else, if they also use Linode.
I am not an expert on DNS so my answer may be mistaken, but I had the same question so looked into this.
I think your understanding is correct, and this seems to be a problem but apparently it happens rarely in practice so hosting providers (including Linode) aren't doing anything about it.
Here is Ryan Quinn from DigitalOcean (another hosting company that has this problem) answering a similar question:
A domain can only exist on one account so any user attempting to add it would not be able to. Cases where a domain already exists or is hijacked are extremely rare (I've seen 3 cases in 2+ years and in each case it was a former owner of the domain who still had records in place). In these rare cases the user can open a support ticket where we will verify the domain whois information against their billing details to verify ownership.
Here is a question on Information Security Stack Exchange that asks the same thing.
In the case of DigitalOcean, I found a post (HackerNews discussion) of someone describing how they took over around 20,000 inactive domain names that pointed to DigitalOcean's nameservers. I haven't found anything similar for Linode, although I imagine basically the same attack is possible (2020 Update: This actually recently happened to someone I know, where their website got taken over by a spammer after they took down their Linode without changing the DNS settings to stop pointing to Linode).
Amazon Route 53 seems to use randomly generated nameservers (rather than Linode/DigitalOcean's constant ns1.linode.com etc.) to make this attack highly unlikely to succeed.
Apparently some other services (Google Apps?) "verify domain ownership by requiring the domain owner to add a TXT record to their domain with a special code."
So what? Someone may use the same DNS servers. But they can't register for the same domain. Once you have registered for example.org, you own that domain and nobody else will be able to register for it.
You have registered for example.org and use the following DNS configuration at Linode:
Domain | Nameserver
-------------------+---------------------
example.org | ns1.linode.com
example.org | ns2.linode.com
... | ...
An "evil hacker" may have registered evil-hacker.com and uses this configuration:
Domain | Nameserver
-------------------+----------------------
evil-hacker.com | ns1.linode.com
evil-hacker.com | ns2.linode.com
... | ...
example.org | ns1.linode.com << Those are the lines that bug you, right?
example.org | ns2.linode.com
For simplicity's sake let's say that the IP of your site is 1.1.1.1 and the IP of the evil hacker's site is 2.2.2.2. You are worried that because the "hacker" used the same DNS configuration, your site example.org might resolve to 2.2.2.2, right?
This is what happens, when I try to resolve example.org:
I connect to the DNS root servers to find out which nameserver is responsible for the org top-level domain.
I connect to the nameserver of the org top-level domain and ask it for the IP address of example.org. The org nameserver is managed by your domain registrar. It will look up the information you entered and tell me to look at one of the Linode nameservers.
I connect to ns1.linode.com and ask it for the IP address of example.org. Linode knows which IP your site has and answers me with 1.1.1.1.
In the above process, I will never see evil-hacker.com or 2.2.2.2. Since our evil hacker (hopefully) can't control the DNS root servers, the nameserver of the org top-level domain or the Linode nameservers, all DNS requests for your site will be answered by "trusted" name servers.
However, a hacker might intercept DNS traffic from my particular machine. He might install malware that always resolves example.org to his IP address 2.2.2.2 (e.g. /etc/hosts) or compromise my network router. So using an SSL certificate for your site is still a good idea :).

Domain name from IP

My site still gets requests from one IP address - 195.210.29.12.
When I tried nslookup on that, it showed me:
Name: data12.websupport.sk
Address: 195.210.29.12
That is the hostname of one hosting provider. When I tried to find out which domain it is by using http://www.yougetsignal.com/tools/web-sites-on-web-server/ it gave me about 500 results.
My question is: is it possible to find out which domain it was?
Thanks.
Every provider has an abuse mailbox. If anyone tries to hack your page or something like that, you can write a mail to the provider. In this case, send the mail to:
abuse-mailbox: abuse#websupport.sk