Finding ALL currently used IP addresses of Website

Patrick R asked:

What steps would you take to discover all (or close to all) IP addresses that are currently used by a website? How would you be as exhaustive as possible without calling a website admin and asking for the list of IP addresses? 😉

nslookup works but will vary based on dns server queried.

whois is another good tool.

Dig, not bad.

Let’s use Facebook for example. I’m blocking that site for the majority our our company’s users, but some are approved for “research”. I can not easily use OpenDNS because we all appear to come from the same request IP address. I could change that but don’t want to add more vlans than I already have.

I also could use block something like regex facebook1 "facebook.com" (I’m running a cisco firewall) but that’s pretty easy to sidestep.

All that being said, I’m asking about specifically about finding ip addresses for a domain and not for other methods that I can block a domain name.

My answer:


You can do it reliably, but the list of IP addresses can and will change over time, so you have to do it again from time to time.

For blocking companies with lots of IP addresses, you first need to find their autonomous system number. This is relatively easy; it’ll be in the whois record for any of their IP addresses.

These examples use GNU jwhois, which normally appears on Linux systems. You may have to massage the commands slightly for other whois clients.

$ host www.facebook.com
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 173.252.120.6
star.c10r.facebook.com has IPv6 address 2a03:2880:2130:cf05:face:b00c:0:1
star.c10r.facebook.com mail is handled by 10 msgin.t.facebook.com.

$ whois -h whois.radb.net 173.252.120.6 | grep origin
origin:     AS32934
origin:     AS38621

Make sure it actually belongs to Facebook. If you’re blocking a small website that doesn’t have their own AS, you don’t want to do this, as you’ll block other people as well. For instance, not all of the ASNs returned above are actually Facebook’s.

$ whois -h whois.radb.net AS32934
$ whois -h whois.radb.net AS38621

Now we know which is Facebook’s ASN; let’s get their IPv4 address ranges.

$ whois -h whois.radb.net -- -i origin -T route AS32934 | grep route: 

And finally their IPv6 address ranges.

$ whois -h whois.radb.net -- -i origin -T route6 AS32934 | grep route6:

Repeat for all their ASNs, if they actually have more than one.

This is just a demo to show how easily the information can be obtained. You can work these into a script at your convenience. Also note that some of the returned ranges may overlap; how you deal with this is between you and your firewall.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.