I'm trying to run a who-is command on an arbitrary IP address for my internal use (no public access) as such:

function echo_whois($ip)
{
    $host = gethostbyaddr($ip);

    //How to get domain from host?
    //$domain = ?

    echo("<pre>");
    // $domain is untrusted input reaching a shell: at minimum quote it,
    // and escape the reply before putting it into HTML
    echo(htmlspecialchars((string) shell_exec("whois ".escapeshellarg($domain))));
    echo("</pre>");
}

The issue is that I can't seem to find a way to get a domain name from the host name.

Here's an example, say for IP 114.237.31.186 that resolves to 186.31.237.114.broad.lyg.js.dynamic.163data.com.cn.

Is there a function in PHP that can do that?

c00000fd
  • Is the DNS-Entry (and therefore the reverse-DNS-entry) possibly kind of new? If so, the reverse-entry might be cached on some resolvers. For instance when I run `dig` in trace mode like this it works just fine: `dig -x 114.237.31.186 +trace` (and also calling `var_dump(gethostbyaddr('114.237.31.186'));` on my machine returns the DNS entry as expected) – ArSeN Mar 07 '20 at 20:56
  • You need reverse IP lookup, but don't forget that a unique IP may be pointed to by several domains. http://reverseip.domaintools.com/ – José Carlos PHP Mar 07 '20 at 21:10
  • @JoséCarlosPHP: `"We did not find any results for your lookup"` if I run it for `114.237.31.186` – c00000fd Mar 07 '20 at 21:14
  • That IP seems to not be a server, and no domain is pointing to that IP. – José Carlos PHP Mar 07 '20 at 21:26
  • Make sure to contact the RIR whois not the domain names ones. – Patrick Mevzek Mar 08 '20 at 01:07
  • Do not shell out to execute a whois command. Use PHP libraries for that or at worst just open a TCP socket to port 43 yourself. – Patrick Mevzek Mar 08 '20 at 01:09

1 Answer

The issue is that I can't seem to find a way to get a domain name from the host name.

Because there isn't, or you are conflating various things.

At the DNS level you may have a PTR record going from one IP address to a name. This is however not mandatory at all. See my full answer for more details on this at https://superuser.com/a/1530362/693623

If we do it with your case, we do indeed have an answer, but that is not a generic rule:

$ dig -x 114.237.31.186

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> -x 114.237.31.186
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40422
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1480
;; QUESTION SECTION:
;186.31.237.114.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
186.31.237.114.in-addr.arpa. 86400 IN   PTR 186.31.237.114.broad.lyg.js.dynamic.163data.com.cn.

This is purely the DNS, there is nothing about whois there. And you have DNS libraries in PHP (or any other language) to do DNS queries on your behalf (do not shell out to run dig for the same reasons as the one detailed below for whois).

Now since you are speaking about whois, you may think about something else.

As IP addresses (and more precisely IP blocks) are registered with some central registries called RIRs, and since those have whois servers, you can indeed query them for an IP address. The output however won't be a domain name; it will be details about the company owning that IP address.

Modern whois clients normally find the correct RIR to contact to get data; in your case that leads to:

$ whois 114.237.31.186
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '114.224.0.0 - 114.239.255.255'

% Abuse contact for '114.224.0.0 - 114.239.255.255' is 'anti-spam@ns.chinanet.cn.net'

inetnum:        114.224.0.0 - 114.239.255.255
netname:        CHINANET-JS
descr:          Chinanet Jiangsu Province Network
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     MAINT-CHINANET-JS
status:         ALLOCATED PORTABLE
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
last-modified:  2016-05-04T00:13:17Z
source:         APNIC

etc.

You can obviously find the same thing online using the RIR website.

As for whois, two other related important things:

  • from a program, do not shell out to launch a whois command; this has only drawbacks. All programming languages have libraries doing whois queries, and you should use those. If not, and at the very least, since whois is a very simple command/reply protocol, you can do it yourself: just open a TCP socket on port 43, send your query (typically a domain name or an IP address) followed by \r\n, and read the reply (the connection will be shut down by the remote party automatically at this point). Of course the difficulty here is finding out which server to contact, and that depends on your query
  • especially for RIRs, there is now RDAP, which is a far superior protocol to whois and you should always try to use it; its output is JSON, so easier to parse than raw unstructured whois output.
Patrick Mevzek
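As an added example (not code from the question or from the answer above), here is what the pieces discussed in the answer look like in PHP without ever shelling out: building the in-addr.arpa / ip6.arpa name behind `dig -x`, a forward-confirmed check of the optional PTR record, a raw RFC 3912 whois client on TCP port 43, a parser for the RIR "key: value" output format, and an RDAP lookup. The function names, the use of `rdap.apnic.net` as APNIC's RDAP host, and the IANA bootstrap file are assumptions not stated on the page; the embedded whois text is a constructed abbreviation of the APNIC output quoted in the answer, so the file runs offline with the live calls commented out.

```php
<?php
// Added example, not code from the question or the answer above.
declare(strict_types=1);

/** Owner name for a reverse (PTR) lookup, IPv4 (in-addr.arpa) or IPv6 (ip6.arpa). */
function reverse_name(string $ip): string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    if (strlen($bin) === 4) {
        return implode('.', array_reverse(explode('.', inet_ntop($bin)))) . '.in-addr.arpa';
    }
    // IPv6: 32 hex nibbles, least significant first, one label each.
    return implode('.', str_split(strrev(bin2hex($bin)))) . '.ip6.arpa';
}

/** Forward-confirmed reverse DNS: PTR name accepted only if it resolves back to $ip. Needs network. */
function fcrdns(string $ip): ?string
{
    $bin = inet_pton($ip);
    if ($bin === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return null;                                   // no PTR record at all (it is optional)
    }
    foreach (dns_get_record($host, strlen($bin) === 4 ? DNS_A : DNS_AAAA) ?: [] as $rr) {
        $addr = $rr['ip'] ?? $rr['ipv6'] ?? null;
        if ($addr !== null && inet_pton($addr) === $bin) {
            return $host;                              // PTR and forward record agree
        }
    }
    return null;                                       // PTR exists but is not confirmed
}

/** Plain whois (RFC 3912): TCP to port 43, send query + CRLF, read until the server closes. */
function whois_raw(string $server, string $query, float $timeout = 10.0): string
{
    // Only what a whois server expects (IP, domain, handle); nothing here reaches a shell.
    if (!preg_match('/^[A-Za-z0-9.:\/_-]+$/', $query)) {
        throw new InvalidArgumentException('refusing suspicious whois query');
    }
    $sock = @stream_socket_client("tcp://{$server}:43", $errno, $errstr, $timeout);
    if ($sock === false) {
        throw new RuntimeException("connect to $server failed: $errstr ($errno)");
    }
    stream_set_timeout($sock, (int) $timeout);
    fwrite($sock, $query . "\r\n");
    $reply = stream_get_contents($sock, 1 << 20);      // cap the reply at 1 MiB
    fclose($sock);
    return $reply === false ? '' : $reply;
}

/** Parse RIR-style "key:   value" whois text into key => [values]; % comments and blanks are skipped. */
function parse_rpsl(string $text): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', $text) as $line) {
        if ($line === '' || $line[0] === '%' || $line[0] === '#') {
            continue;
        }
        if (preg_match('/^([A-Za-z0-9_-]+):\s*(.*)$/', $line, $m)) {
            $out[$m[1]][] = rtrim($m[2]);
        }
    }
    return $out;
}

/** RDAP (RFC 9082): GET https://<server>/ip/<address>; pick $server from https://data.iana.org/rdap/ipv4.json */
function rdap_ip(string $server, string $ip): array
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    $ctx  = stream_context_create(['http' => ['header' => "Accept: application/rdap+json\r\n", 'timeout' => 10]]);
    $json = file_get_contents("https://{$server}/ip/" . rawurlencode($ip), false, $ctx);
    if ($json === false) {
        throw new RuntimeException('RDAP request failed');
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Offline demo. Constructed sample, abbreviated from the APNIC output quoted in the answer.
$sample = <<<'WHOIS'
% Information related to '114.224.0.0 - 114.239.255.255'

inetnum:        114.224.0.0 - 114.239.255.255
netname:        CHINANET-JS
country:        CN
source:         APNIC
WHOIS;
$rec = parse_rpsl($sample);
printf("PTR name: %s\n", reverse_name('114.237.31.186'));
printf("%s is in %s (%s)\n", '114.237.31.186', $rec['inetnum'][0], $rec['netname'][0]);
// Live lookups (network required). Escape before putting any reply into HTML.
// echo '<pre>', htmlspecialchars(whois_raw('whois.apnic.net', '114.237.31.186')), '</pre>';
// var_dump(fcrdns('114.237.31.186'));
// print_r(rdap_ip('rdap.apnic.net', '114.237.31.186'));   // rdap.apnic.net assumed as APNIC's RDAP host
```

The whois query is whitelisted to the characters an IP address, domain name or handle can contain, so nothing hostile can be smuggled in even though no shell is involved; the reply is still untrusted text and is escaped before it is echoed into the `<pre>` block the question builds. `fcrdns()` makes the answer's caveat concrete: a PTR is optional and is set by whoever controls the reverse zone, so a name is only meaningful once it resolves back to the address you started from.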