How can this tool find out registered domains from an IP address?


22


This is one that I've never really known how to do, and it's been nagging me from time to time for years. I've read all I could find, including all the answers here. None of them gives a real answer to the question. So please read carefully before flagging a duplicate; it is not.



dig, host, nslookup... none of them seems to be able to get what I'm after.



At most I can get pointers like ec2-xxx-xxx-xxx-xxx.us-east-2.compute.amazonaws.com.



But if I use this online tool, I get exactly what I'm looking for: every domain that resolves to the IP address given (or a hostname). In this case, it's a freemium service, so it'll only list the first few, but it works. In the following image, I use three domains that I own and serve from a VPS. They are totally unrelated, but they all appear here:



[image]



What black magic are they using? How can we replicate it?







domain-name-system hostname reverse-dns






edited Jun 6 at 8:36 by Peter Mortensen

asked Jun 4 at 15:17 by Carles Alcolea

  • Noted it doesn't work at all on IPv6 - too much data to index. And it also misses things that don't start in www.
    – Criggie, Jun 5 at 1:07

  • @Criggie: That's probably not the reason. If they are not using rDNS, but just bruteforcing regular domain→IP records as Michael said, then the number of "possible" addresses cannot actually affect the process in any way. (After all, why would they index and store addresses which have no domains?) More likely they just didn't bother.
    – grawity, Jun 5 at 9:02



1 Answer
47









It's brute force.



They have looked up the IP addresses of every domain name they can find, and then compiled the results into their own database.






answered Jun 4 at 15:29 by Michael Hampton

  • 3
    The only part that is unclear to me is how they find a list of every domain name as there isn't a central list anywhere. Edit: Looks like they don't have everything because my website that has been up for years is not listed.
    – Qwertie, Jun 5 at 4:38

  • 12
    @Qwertie: certificate transparency ledgers are a good place these days – practically everything that has a properly rooted TLS certificate will appear in there.
    – Ulrich Schwarz, Jun 5 at 6:18

  • 3
    @Qwertie: The Centralized Zone Data Service (czds.icann.org/en) could be a good starting point as well - it gives access to a large number of 'zone files' of the various top level domains.
    – Richy B., Jun 5 at 9:43

  • 1
    @Qwertie Registrars are exactly a centralized list of all domains... the only issue is that it's not just one of them and also not all of them give easy access to their zone files so access might not be completely free or immediate.
    – Giacomo Alzetta, Jun 5 at 12:03

  • 5
    @GiacomoAlzetta no, registrars at most have a list of domains they sponsor, not all domains in all TLDs. Registries, on the contrary, obviously have a list of all the domains they maintain, which is available in gTLDs through open access to zonefiles like Richy B. said (but noting that not all registered domains are published so some will be missing). Some other TLDs, like .FR, have an "open data" initiative where you can get access to many things, including a list of domains. Other registries publish daily "newly registered domain names list".
    – Patrick Mevzek, Jun 5 at 15:33
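
The approach from the answer, fed by a zone-file source of the kind mentioned in the comments, as an added Python example that is not part of the original thread: it extracts delegated names from zone-file text, forward-resolves each one, and inverts the result into an IP → names index. The zone text, the forward records and all function names are constructed for illustration.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample in zone-file syntax; not real registry data.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 86400
@                IN NS a.nic.example.        ; apex NS, not a delegation
alpha            IN NS ns1.hosting.example.
                 IN NS ns2.hosting.example.  ; owner inherited from line above
bravo 3600       IN NS ns1.hosting.example.
charlie.example. IN NS ns1.other.example.
ns1.hosting      IN A  192.0.2.53            ; glue record, ignored
"""

# Constructed forward records standing in for live DNS answers.
CONSTRUCTED_RECORDS = {
    "alpha.example": {"192.0.2.10"},
    "www.alpha.example": {"192.0.2.10"},
    "bravo.example": {"192.0.2.10", "2001:db8::10"},
    "charlie.example": {"198.51.100.7"},
    "delta.test": {"192.0.2.10"},  # same host, but in no list we hold
}


def delegated_domains(zone_text):
    """Return the names a TLD zone delegates (owners of NS records)."""
    origin, owner, found = ".", None, set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):
            continue  # $TTL, $INCLUDE: irrelevant here
        if not line[0].isspace():  # new owner; indented lines inherit the last one
            owner = fields.pop(0).lower()
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)  # skip optional TTL and class
        if owner is None or not fields or fields[0].upper() != "NS":
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin.lstrip(".")
        if fqdn != origin:
            found.add(fqdn.rstrip("."))
    return sorted(found)


def constructed_resolver(name):
    """Offline stand-in for a forward lookup, backed by CONSTRUCTED_RECORDS."""
    return CONSTRUCTED_RECORDS.get(name, set())


def system_resolver(name):
    """Real forward lookup through the OS resolver (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def build_reverse_index(names, resolve, prefixes=("", "www.")):
    """Forward-resolve every candidate name and invert the result to IP -> names."""
    index = defaultdict(set)
    for name in names:
        for prefix in prefixes:
            for addr in resolve(prefix + name):
                ip = ipaddress.ip_address(addr.split("%")[0])  # drop any zone id
                index[str(ip)].add(name)
    return {ip: sorted(doms) for ip, doms in index.items()}


if __name__ == "__main__":
    candidates = delegated_domains(SAMPLE_ZONE)
    for ip, doms in sorted(build_reverse_index(candidates, constructed_resolver).items()):
        print(ip, doms)
```

A name that is missing from the candidate list (here `delta.test`) never reaches the index even though it points at the same address, and IPv6 addresses are indexed exactly like IPv4 ones because only addresses that some name resolves to are ever stored.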











