2

I'm reviewing some Apache logs, specifically with respect to downloaded files. I'm interested in knowing, if possible, which domain is responsible for the download, given an IP address.

I've given nslookup a try and it seems to (mostly) get the job done but it returns all sorts of extraneous information. Ideally, I pass in an IP and receive a domain back.

Before I write a shell script to parse the output of nslookup to capture the domain, I'd like to know if this is the best way of approaching this problem, or if there is a more tried-and-true method of doing this.

Specifically, I'd like to know if an address resolves to an amazonaws.com domain. I understand that this might be difficult because EC2 machines are dynamically created and destroyed - I'd like to know if the IP addresses for AWS/EC2/EMR machines fit any sort of addressing pattern.

Neil Kodner

3 Answers

2
$ host 173.242.113.231

This will only work if there is a PTR record for that domain though.

atx
  • In that case, to only retrieve the domain, would it be as simple as "host x.x.y.y | awk '{print $5}'" ? Are there any exceptions or other cases? – Neil Kodner Dec 29 '10 at 12:43
  • Yep, that's right. Trim the trailing '.' though. – atx Dec 29 '10 at 12:59
  • or dig -x x.y.z.a and you'll get the reverse dns lookup for it. Not infallible, relies on the PTR existing. – Tom O'Connor Dec 29 '10 at 13:01
  • You can also whois an IP address, and get some info on who owns it, what the AS is, etc. Quite interesting. TeamCymru (http://www.team-cymru.org/Services/ip-to-asn.html) have a nice tool for doing this a bit more programmatically. – Tom O'Connor Dec 29 '10 at 13:01
  • Tom O'Connor has a much better way than using `host`. – atx Dec 29 '10 at 13:04
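The `host` lookup discussed in the answer and comments above, as an added example that is not part of the original thread: it takes the name from the "domain name pointer" line rather than a bare `$5`, trims the trailing dot, reports a missing PTR record, and flags amazonaws.com names. The function names, the `HOST_CMD` hook, the stub and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Read `host <ip>` output on stdin and print the PTR target, lower-cased and
# without the trailing dot. Returns non-zero when no PTR line is present, so
# "not found: 3(NXDOMAIN)" is never mistaken for a name (as $5 alone would).
ptr_from_host_output() {
    awk '/domain name pointer/ {
             name = tolower($NF); sub(/\.$/, "", name)
             print name; found = 1; exit
         }
         END { exit !found }'
}

# Succeed only for amazonaws.com itself or a real subdomain of it.
is_amazonaws() {
    case "$1" in
        amazonaws.com|*.amazonaws.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<ip> <name|-> <aws|other|no-ptr>". HOST_CMD is this example's own
# hook (an assumption): it swaps host(1) for a stub so the code runs offline.
classify_ip() {
    if name=$(${HOST_CMD:-host} "$1" 2>/dev/null | ptr_from_host_output); then
        if is_amazonaws "$name"; then echo "$1 $name aws"
        else echo "$1 $name other"; fi
    else
        echo "$1 - no-ptr"
    fi
}

# Constructed stand-in for host(1): documentation IPs, made-up PTR names.
fake_host() {
    case "$1" in
        192.0.2.10) echo "10.2.0.192.in-addr.arpa domain name pointer ec2-192-0-2-10.compute-1.amazonaws.com." ;;
        192.0.2.20) echo "20.2.0.192.in-addr.arpa domain name pointer host.genericISP.com." ;;
        *) echo "Host $1.in-addr.arpa. not found: 3(NXDOMAIN)"; return 1 ;;
    esac
}

# Demo over constructed Apache access-log lines (client IP is field 1).
demo() {
    HOST_CMD=fake_host
    printf '%s\n' \
        '192.0.2.10 - - [29/Dec/2010:12:00:01 +0000] "GET /files/a.zip HTTP/1.1" 200 1024' \
        '192.0.2.20 - - [29/Dec/2010:12:00:05 +0000] "GET /files/a.zip HTTP/1.1" 200 1024' \
        '192.0.2.30 - - [29/Dec/2010:12:00:09 +0000] "GET /files/b.zip HTTP/1.1" 200 2048' |
        awk '{print $1}' | sort -u | while read -r ip; do classify_ip "$ip"; done
}
demo
```

For real lookups, remove the `HOST_CMD=fake_host` assignment and pipe an actual access log into the same `awk | sort -u | while read` chain.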
1

Here are the IP ranges owned by Amazon for EC2.

https://forums.aws.amazon.com/ann.jspa?annID=857

Flashman
1

Not all IPs will have PTR records. If you're looking for what "entity" owns the IP you may also want to check Whois. You're not going to reach 100% on this because of NAT, Virtualization, Hosting, ISPs etc... I may access your site from example.com, but the IP used will just resolve to host.genericISP.com

Ryan