Finding subdomain IPs

Posted: 2015-07-31 16:58:57 by Alasdair Keyes

Direct Link | RSS feed


While analyzing my weblogs, I noticed a my site getting crawled by a server/hostname that I'd previously been receiving spam from, they gathered site data and then sent spam based on what they'd found.

I thought it was worth stopping this, but from what I could see the site was being scanned from more than one subdomain. I could block just the hostnames that had accessed my site, but I thought it was worth taking a more proactive stance.

https://gitlab.com/snippets/1731307/raw

I wrote the attached script to try and find all subdomains so I could block the IPs.

Obviously, if AXFR zone transfer is enabled for the domain, that's the way to get the information, but most nameservers have that disabled.

The script uses the dig tool via bind-utils in Redhat based distros or dnsutils in Debian based ones.

A quick breakdown of it's use - google.com for a test...

$ ./find_subdomain.sh google.com
admin.google.com.96INA74.125.195.113
admin.google.com.43INAAAA2a00:1450:400c:c01::64
api.google.com.43INCNAMEapi.l.google.com.
api.l.google.com.96INA74.125.195.105
...
www.google.com.96INA74.125.195.147
www.google.com.43INAAAA2a00:1450:400c:c01::63

Show just IPs, not CNAME entries

$ ./find_subdomain.sh google.com -a
admin.google.com.96INA74.125.195.113
admin.google.com.43INAAAA2a00:1450:400c:c01::64
api.l.google.com.96INA74.125.195.105
...
www.google.com.96INA74.125.195.147
www.google.com.43INAAAA2a00:1450:400c:c01::63

Get just the IPs

$ ./find_subdomain.sh google.com -a -i
74.125.195.113
2a00:1450:400c:c01::64
74.125.195.105
...
74.125.195.147
2a00:1450:400c:c01::63

Get just IP v4 or v6 with the -4 and -6 switches. It will output duplicates if subdomains are on the same IPs, so filtering through sort -u is useful, using with xargs to build up iptables rules or similar.

$ ./find_subdomain.sh google.com -i -a -4 | sort -u | xargs -i echo iptables -A INPUT -s '{}' -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 108.170.217.164 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 108.170.217.165 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 108.170.217.166 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
...
iptables -A INPUT -s 64.9.224.68 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 64.9.224.69 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.



Happy user of Digital Ocean (Affiliate link)


Version:master-862fb90399


Validate HTML 5