When investigating spam networks or analyzing web infrastructure, you might encounter situations where multiple domains point to the same IP address. This technique is often used by malicious actors to create redundancy or evade blacklists. As developers, we need reliable methods to discover these relationships.
Here are the most effective approaches:
# Python example using socket for reverse DNS
import socket
def get_domains_from_ip(ip_address):
try:
hostname, aliaslist, ipaddrlist = socket.gethostbyaddr(ip_address)
return [hostname] + aliaslist
except socket.herror:
return []
Command-line tools can provide quick insights:
# Using dig for reverse DNS lookup
dig -x 192.0.2.1 +short
# Using host command
host 192.0.2.1
For more comprehensive results, consider these API-based solutions:
# Example using VirusTotal API (Python)
import requests
def vt_reverse_lookup(ip, api_key):
url = f"https://www.virustotal.com/api/v3/ip_addresses/{ip}/resolutions"
headers = {"x-apikey": api_key}
response = requests.get(url, headers=headers)
return [item['attributes']['host_name'] for item in response.json()['data']]
For historical data and more extensive results:
- Robtex API (https://www.robtex.com/api/)
- SecurityTrails API
- PassiveTotal (RiskIQ)
- Censys.io search engine
Remember that:
- Results may be incomplete due to DNS caching
- Shared hosting environments will show many unrelated domains
- Some services intentionally block reverse lookups
- Rate limits apply to most APIs
For persistent monitoring, you might want to create a scheduled scanner:
# Python scheduled domain tracker
import time
from datetime import datetime
import dns.resolver
def track_domains(ip, interval=3600):
known_domains = set()
while True:
try:
answers = dns.resolver.resolve_address(ip)
current = {str(r.target) for r in answers}
new_domains = current - known_domains
if new_domains:
print(f"{datetime.now()}: New domains found - {', '.join(new_domains)}")
known_domains.update(new_domains)
except Exception as e:
print(f"Error: {str(e)}")
time.sleep(interval)
When dealing with spam or suspicious activity, you might encounter multiple domains pointing to the same IP address. This technique is often used by malicious actors to evade detection. As developers, we need efficient ways to identify all domains associated with a particular IP.
The dig command is a powerful DNS lookup utility available on Unix-like systems. Here's how to perform a reverse DNS lookup:
dig -x 192.0.2.1 +short
This will return the PTR record for the IP address, which typically shows the primary domain associated with that IP.
For a more comprehensive search, you can use online DNS databases that track domain-IP relationships:
# Example using curl to query ViewDNS.info API
curl "https://api.viewdns.info/reverseip/?host=192.0.2.1&apikey=YOUR_API_KEY&output=json"
Passive DNS services maintain historical DNS data, which can reveal domains that previously resolved to an IP:
- SecurityTrails
- VirusTotal
- RiskIQ
- Farsight DNSDB
Here's a Python script using the socket module for reverse DNS lookups:
import socket
from concurrent.futures import ThreadPoolExecutor
def reverse_dns(ip):
try:
hostname, _, _ = socket.gethostbyaddr(ip)
return hostname
except socket.herror:
return None
ip_address = "192.0.2.1"
with ThreadPoolExecutor(max_workers=10) as executor:
results = list(executor.map(reverse_dns, [ip_address]*10))
print(f"Domains for {ip_address}: {[r for r in results if r]}")
Shodan's API provides extensive information about IP addresses, including associated domains:
import shodan
api = shodan.Shodan('YOUR_API_KEY')
try:
results = api.host('192.0.2.1')
print("Domains:", results['domains'])
except shodan.APIError as e:
print(f"Error: {e}")
Keep in mind that:
- Many domains can share an IP through virtual hosting
- Cloud providers often have thousands of domains on single IPs
- Results may vary depending on DNS propagation
- Some services rate-limit free API access
For quick checks from the command line:
#!/bin/bash
IP="192.0.2.1"
echo "Checking domains for $IP"
host $IP | grep "domain name pointer" | awk '{print $5}'