Tuesday, April 2, 2013

From Whence?

Ever wonder where a website's hosted?  Or where that strange IP in your logs came from?  DNS can be more helpful than you think, if it was configured right.  So, let's have some fun, shall we?

Who's there?

In lieu of knowing how a site is configured, or finding a reputable site with enough foresight to configure things in a fashion that's interesting to look at, who might we inspect?  How about one of the popular open-source relational database systems, PostgreSQL?

Starting with the basics, let's do a quick A record lookup and check the name servers for the zone:

C:\>nslookup www.postgresql.org
Server:  google-public-dns-b.google.com

Non-authoritative answer:
Addresses:  2001:4800:7903:4::126


Ooooh, not only do we have six endpoints, it's a CNAME record with IPv6 addresses.  It's left as an exercise to the reader to play with IPv6 and discuss the merits of CNAMEs, so let's look at name servers.

C:\>nslookup -query=ns postgresql.org
Server:  google-public-dns-b.google.com

Non-authoritative answer:
postgresql.org  nameserver = ns4.postgresql.org
postgresql.org  nameserver = ns3.postgresql.org
postgresql.org  nameserver = ns2.postgresql.org
postgresql.org  nameserver = ns1.postgresql.org

Looks like these guys are smart enough to host and manage their own name servers.  Not something I'd personally want to spend my time on (thanks to Dyn and now Route 53).

Where are they coming from?

So obviously they're behind three endpoints, so a quick WHOIS lookup should give us an idea of where they're at, right?  The three results:

RIPE Network Coordination Centre
RIPE Network Coordination Centre
Rackspace Hosting RSCP-NET-4

We all know who Rackspace is, and that's about all I can get there short of inside knowledge of Rackspace's netblock allocation, but who on earth is RIPE Network?  And why is this interesting?  How can I tell where those two IPs are hosted?  tracert is always a nice idea, but sometimes it yields the same results.

Six hops out of the interesting bits of my own network and we find:

  7    13 ms    13 ms    12 ms
  8   193 ms   191 ms   193 ms
  9   202 ms   201 ms   208 ms  asr01-0-0-0.dc1.conova.com []
 10   204 ms   198 ms   200 ms
 11   198 ms   197 ms   197 ms
 12   195 ms   198 ms   204 ms  zalkon.postgresql.org []

And also:

 11    80 ms    81 ms    88 ms  xe-4-3-0-0.nyk2nqp1.us.ip.tdc.net
 12   187 ms   188 ms   186 ms  static-
 13   191 ms   184 ms   192 ms  ge-1-0-0.cr2-ksd1.n.bitbit.net []
 14   187 ms   185 ms   192 ms  vlan-1.cs1-ksd1.n.bitbit.net []
 15   191 ms   186 ms   197 ms  bond0.fw2-ksd1.n.bitbit.net []
 16   189 ms   185 ms   187 ms  zetar.postgresql.org []

Certainly interesting and partially informative.  I'm guessing bitbit.net might be a hosting provider or ISP.

How do we find out more?

Let's have even more fun, courtesy of DNS.  Reverse lookups were popularized a few weeks back by the tracert replay of the intro to Star Wars: A New Hope, but let's use this fact to our advantage.

Since we know that a reverse DNS lookup will give us the name for an IP, and since in most cases ISPs and service providers allocate chunks of RIR networks in contiguous blocks, let's try looking up the in-addr.arpa zone for the CIDR block each of those IPs sits in:

C:\>nslookup -query=ptr 149.196.217.in-addr.arpa
Server:  google-public-dns-b.google.com

        primary name server = adns001.dc1.conova.com
        responsible mail addr = domainadmin.conova.com
        serial  = 2012092001
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 1814400 (21 days)
        default TTL = 86400 (1 day)

And then:

C:\>nslookup -query=ptr 57.238.87.in-addr.arpa
Server:  google-public-dns-b.google.com

        primary name server = ns-foo.linpro.net
        responsible mail addr = hostmaster.linpro.no
        serial  = 2013032700
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 2419200 (28 days)
        default TTL = 86400 (1 day)
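The two lookups above follow a pattern you can script for log review: build the reverse zone name for the block an address sits in, query its SOA, and read the primary name server and responsible party out of the answer.  The helper below is an added example, not part of the original post; it uses only the Python standard library, the function names reverse_zone and parse_nslookup_soa are my own, and the sample SOA text is the Conova answer shown above (the query itself is left to nslookup, so the code runs offline).

```python
"""Reverse-zone helper for the in-addr.arpa / ip6.arpa trick above (added example)."""
import ipaddress
import re


def reverse_zone(address: str, prefix_len: int) -> str:
    """Return the in-addr.arpa (IPv4) or ip6.arpa (IPv6) zone name covering
    the block `address/prefix_len`.  IPv4 reverse zones cut on octet
    boundaries and IPv6 ones on nibble boundaries, so the prefix length is
    rounded down to the nearest boundary; /32 or /128 yields the full PTR name.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        if not 0 <= prefix_len <= 32:
            raise ValueError("IPv4 prefix length must be 0..32")
        labels = ip.exploded.split(".")          # four decimal octets
        keep, suffix = prefix_len // 8, "in-addr.arpa"
    else:
        if not 0 <= prefix_len <= 128:
            raise ValueError("IPv6 prefix length must be 0..128")
        labels = list(ip.exploded.replace(":", ""))  # 32 hex nibbles
        keep, suffix = prefix_len // 4, "ip6.arpa"
    # Reverse zones list the labels from least to most significant.
    owner = ".".join(reversed(labels[:keep]))
    return f"{owner}.{suffix}" if owner else suffix


# Field names exactly as Windows nslookup prints an SOA record.
_SOA_FIELD = re.compile(
    r"^\s*(primary name server|responsible mail addr|serial|refresh|retry|"
    r"expire|default TTL)\s*=\s*(\S+)"
)


def parse_nslookup_soa(output: str) -> dict:
    """Parse the SOA fields from nslookup output into a dict.  Adds a
    'contact' key: per RFC 1035 the first label of the RNAME is the mailbox
    local part, so domainadmin.conova.com means domainadmin@conova.com."""
    fields = {}
    for line in output.splitlines():
        match = _SOA_FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    if "responsible mail addr" in fields:
        fields["contact"] = fields["responsible mail addr"].replace(".", "@", 1)
    return fields


# Sample input: the Conova SOA answer shown above, pasted verbatim.
SAMPLE_NSLOOKUP_SOA = """\
        primary name server = adns001.dc1.conova.com
        responsible mail addr = domainadmin.conova.com
        serial  = 2012092001
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 1814400 (21 days)
        default TTL = 86400 (1 day)
"""
```

Feed reverse_zone's output to nslookup -query=soa (or -query=ptr as above) and pipe the answer through parse_nslookup_soa to get the provider's name server and contact without reading the output by eye.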

And that's a wrap.  There's a good chance that the other two IPs are hosted by Conova and LinPro, whose TXT record has this little nugget:

C:\>nslookup -query=txt linpro.no
Server:  google-public-dns-b.google.com

Non-authoritative answer:
linpro.no       text =

linpro.no       text =
