Data sources
This is a dark art, and many of the sources are shady as fuck! We often have no idea of their methodology. Also, no source is fully complete. We just piece things together as best we can.
In order to explore IPs in known IP ranges, what we need are good DNS databases.
DNS database
A "DNS database" is a database that stores DNS records, notably A records, i.e. which IP a domain is hosted at.
For currently live domains, domain to IP can of course be easily determined on the fly by just resolving the domain like the browser does, e.g.
cirosantilli.com
What is hard, however, is:
  • the other way around: given an IP, list all domains that it hosts. This is known as "reverse IP" searching.
  • historic data, i.e. what was the IP for a given domain at a given date and vice versa
As of 2023, working with DNS data is just going through a mish-mash of closed datasets/expensive APIs.
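As an added illustration (not code from this page or from any of the services it mentions), the following Python shows the minimal shape of such a database: dated A-record observations indexed in both directions, so that forward, reverse IP, historic and IP-range queries all become lookups. The class and method names are hypothetical and the sample rows are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample observations: (domain, ip, first_seen, last_seen).
# Names use the reserved .example TLD, IPs the RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("news-a.example", "192.0.2.10", date(2010, 1, 5), date(2011, 3, 1)),
    ("news-b.example", "192.0.2.10", date(2010, 6, 1), date(2012, 1, 15)),
    ("news-a.example", "198.51.100.7", date(2011, 3, 2), date(2013, 8, 30)),
    ("shop.example", "192.0.2.11", date(2012, 2, 1), date(2013, 1, 1)),
]


def _norm(domain):
    # Treat "Example.COM." and "example.com" as the same name.
    return domain.lower().rstrip(".")


class DnsDatabase:
    """Dated A-record observations, indexed in both directions (hypothetical)."""

    def __init__(self, observations):
        self.by_domain = defaultdict(list)
        self.by_ip = defaultdict(list)
        for domain, ip, first, last in observations:
            self.by_domain[_norm(domain)].append((ip, first, last))
            self.by_ip[ip].append((_norm(domain), first, last))

    @staticmethod
    def _select(rows, on):
        # on=None: everything ever observed; otherwise only rows covering that date.
        return sorted({v for v, first, last in rows if on is None or first <= on <= last})

    def forward(self, domain, on=None):
        """Domain -> IPs, optionally as of a given date."""
        return self._select(self.by_domain.get(_norm(domain), []), on)

    def reverse(self, ip, on=None):
        """IP -> domains ("reverse IP"), optionally as of a given date."""
        return self._select(self.by_ip.get(ip, []), on)

    def in_range(self, cidr, on=None):
        """All observed IPs inside a known range, each with the domains it hosted."""
        net = ipaddress.ip_network(cidr)
        hits = [a for a in map(ipaddress.ip_address, self.by_ip) if a in net]
        found = {str(a): self.reverse(str(a), on) for a in sorted(hits)}
        return {ip: names for ip, names in found.items() if names}
```

The reverse and historic answers exist only because each observation was recorded when it was seen, which is why these queries depend on someone else's collection rather than on live resolution.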
Some links of interest:
viewdns.info
This is the most accessible DNS database online, as it does not require login or payment.
They have reasonable data. It's not fully complete, as Ciro Santilli saw on CIA 2010 covert communication websites, but it is very valuable.
Tested as of 2025, they seem to have removed the per-IP checks on the web interface, and instead just use Cloudflare to check that you are human from time to time, which allows for a lot of manual searching to be done! Awesome!
Previously, you could only get about 250 queries on the web interface, then 250 queries per free account via API. They check your IP when you sign up, and you can't sign in twice from the same IP. They also state that Tor addresses are blacklisted. They also normalize dots in gmail addresses, so you need more diverse email accounts. But they haven't covered the .gmail vs .googlemail trick.
Their data is also quite disjoint from the data of the 2013 DNS Census. There is some overlap, but clearly their methodology is very different. Sometimes they slot into one another almost perfectly.