33

We were contacted by our ISP saying that one of our servers was issuing an attack on another computer.

May 23 14:11:35 wdc lfd[14308]: *Port Scan* detected from ***.***.***.***
(US/United States/-). 11 hits in the last 245 seconds - *Blocked in csf* for
3600 secs [PS_LIMIT]

I don't know what it means, but our server is a factory image, with only a couple programs running.

I would like to know the domain, but don't know how to look it up.

7 Answers

32

Use nslookup

For example, let's find the domain for 207.46.19.254

C:\>nslookup -type=PTR 254.19.46.207.in-addr.arpa
Non-authoritative answer:
254.19.46.207.in-addr.arpa      name = wwwbaytest2.microsoft.com

Note that you reverse the order of the four numbers and append .in-addr.arpa

Remember that an IP-address may have multiple domains, and that the administrators do not always (but mostly should) set up the reverse mappings in DNS.

16

Two things you can do. One is reverse DNS lookup.

dig -x x.x.x.x

You can also use geoiplookup to find the general area of the source.

Keith
  • 8,293
4

Wouldn't the ping -a command also work?

That is, ping -a insert IP address here. It's not always successful though, but it's likely the easiest method.

3

All of the following commands are OK!

208.97.177.124 => apache2-argon.william-floyd.dreamhost.com

nslookup -type=PTR 208.97.177.124 in-addr.arpa

nslookup -type=PTR 208.97.177.124

nslookup 208.97.177.124

However, this command is NOT right!

208.97.177.124 => CPE-124-177-97-208.lns6.cha.bigpond.net.au

nslookup -type=PTR 208.97.177.124.in-addr.arpa

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124.in-addr.arpa
Server:  phicomm.me
Address:  192.168.2.1

Non-authoritative answer:
208.97.177.124.in-addr.arpa     name = CPE-124-177-97-208.lns6.cha.bigpond.net.au

G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124
Server:  phicomm.me
Address:  192.168.2.1

Non-authoritative answer:
124.177.97.208.in-addr.arpa     name = apache2-argon.william-floyd.dreamhost.com

G:\JavaScript Testing>nslookup -type=PTR 208.97.177.124 in-addr.arpa
*** Can't find server address for 'in-addr.arpa':
Server:  phicomm.me
Address:  192.168.2.1

Non-authoritative answer:
124.177.97.208.in-addr.arpa     name = apache2-argon.william-floyd.dreamhost.com

G:\JavaScript Testing>

reference links:

https://ist.mit.edu/network/ip

xgqfrms
  • 149
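
Added example (not code from the original thread or from any of its posters): it ties the first answer's rule, reverse the four octets and append .in-addr.arpa, to the log line in the question and to xgqfrms's observation that 208.97.177.124.in-addr.arpa (octets not reversed) names a different address than 124.177.97.208.in-addr.arpa. The log line is a constructed copy of the question's lfd message with an address from the RFC 5737 documentation range; the helper names and the forward-confirmation check are mine, not from csf/lfd or any tool on this page.

```python
"""Added example (not from the original thread): build the reverse-DNS name for
an address and optionally verify the PTR result with a forward lookup."""
import ipaddress
import re
import socket

# Constructed sample line in the lfd/csf format quoted in the question; the
# address is from the RFC 5737 documentation range, not a real scanner.
SAMPLE_LOG_LINE = (
    "May 23 14:11:35 wdc lfd[14308]: *Port Scan* detected from 198.51.100.23 "
    "(US/United States/-). 11 hits in the last 245 seconds - *Blocked in csf* for "
    "3600 secs [PS_LIMIT]"
)

LFD_PORTSCAN_RE = re.compile(r"\*Port Scan\* detected from (\S+)")


def extract_scanner_ip(line):
    """Return the source address from an lfd '*Port Scan* detected from' line, or None."""
    m = LFD_PORTSCAN_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None  # masked (***.***.***.***) or otherwise not an address


def reverse_pointer_name(ip):
    """Name to query for the PTR record: octets reversed plus '.in-addr.arpa' for IPv4,
    nibbles reversed plus '.ip6.arpa' for IPv6 (the same name nslookup/dig -x build)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip):
    """PTR lookup through the system resolver. Returns the host name, or None when
    there is no PTR record or no network, so the example still runs offline."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_confirmed(ip, ptr_name, resolve=None):
    """Forward-confirmed reverse DNS: whoever controls the address block can put any
    name in the PTR record, so only trust it if that name resolves back to the same
    address. `resolve` is injectable so the check can be exercised without network."""
    if ptr_name is None:
        return False
    if resolve is None:
        def resolve(name):
            try:
                return [info[4][0] for info in socket.getaddrinfo(name, None)]
            except (socket.gaierror, OSError):
                return []
    return ip in resolve(ptr_name)


if __name__ == "__main__":
    ip = extract_scanner_ip(SAMPLE_LOG_LINE)
    print("source address:", ip)
    print("PTR query name:", reverse_pointer_name(ip))
    name = reverse_lookup(ip)
    print("PTR result:", name)
    print("forward-confirmed:", forward_confirmed(ip, name))
```

Run it against a real lfd line by replacing SAMPLE_LOG_LINE; the PTR name alone identifies the block owner's naming, not necessarily the machine that scanned you, which is why the forward confirmation step is worth keeping before acting on the name.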
2

ARIN WHOIS is probably the default go-to for resolving IPs to the registered names, although I use SANS often also. The search box on both sites is in the upper right corner.
This will only resolve domain names on the internet, not internal domain names you may be looking for.

0

You can also use the host command (tested on Linux): host -a 1.2.3.4

pd12
  • 133
0

A whois from the command line gets me quite a lot of information, or you can always try a Network Lookup or Whois at www.nwtools.com

paradroid
  • 23,297