Public DNS & Network record queries

One of the first steps in a security review conducted via the public Internet networks, is to gather the information available publicly about the target of the test.

You might also want to query these records to confirm that the information that needs to be publicised about a network is in fact publicly available, or being publicised correctly.

This information is freely available since it is necessary for devices to be able to resolve IP address details and plot the routes to get to the servers as part of normal communications via the Internet.

There are many places where you can get the information, but I like to make use of these two services:

• http://nwtools.com – The original site for this was http://network-tools.com/, but it was not functioning correctly at the time of me writing this article.

• http://geektools.com

Here are some examples of the outputs obtained from them. I will pick on google.com again for my examples:

http://nwtools.com

• There are a number of individual utilities available (e.g. Ping, Lookup, DNS Records, Network Lookup, etc), but they also have a handy one which executes them all at once to give you a nice complete output to work with - they call it Express. The example below is what resulted upon submitting this request for "google.com":

  http://nwtools.com/default.asp?prog=express&host=google.com

IP address: 64.233.167.99 Host name: google.com TraceRoute to 64.233.167.99 [google.com] Hop (ms) (ms) (ms) IP Address Host name 1 0 0 0 66.98.244.1 gphou-66-98-244-1.ev1.net 2 0 0 0 66.98.241.16 gphou-66-98-241-16.ev1.net 3 0 0 0 66.98.240.14 gphou-66-98-240-14.ev1.net 4 1 1 1 129.250.11.141 ge-1-3-0.r02.hstntx01.us.bb.gin.ntt.net 5 9 7 7 129.250.5.30 as-0.r20.dllstx09.us.bb.gin.ntt.net 6 8 7 6 193.251.241.189 so-0-1-0-0.dalcr2.dallas.opentransit.net 7 32 32 30 193.251.128.114 po0-0.chicr2.chicago.opentransit.net 8 29 29 27 193.251.249.30 - 9 27 29 29 66.249.95.253 - 10 29 27 27 66.249.95.247 - 11 30 29 30 66.249.94.133 - 12 41 35 37 64.233.175.42 - 13 29 29 30 64.233.167.99 - Trace complete Xwhois query for google.com... Results returned from whois.markmonitor.com: MarkMonitor.com - The Leader in Corporate Domain Management ---------------------------------------------------------- For Global Domain Consolidation, Research & Intelligence, and Enterprise DNS, go to: www.markmonitor.com ---------------------------------------------------------- The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. MarkMonitor.com does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to MarkMonitor.com (or its systems). MarkMonitor.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Registrant: Google Inc. (DOM-258879) Please contact contact-admin@google.com 1600 Amphitheatre Parkway Mountain View CA 94043 US Domain Name: google.com Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com Administrative Contact: DNS Admin (NIC-14290820) Google Inc. 1600 Amphitheatre Parkway Mountain View CA 94043 US dns-admin@google.com +1.6506234000 Fax- +1.6506188571 Technical Contact, Zone Contact: DNS Admin (NIC-1340144) Google Inc. 2400 E. Bayshore Pkwy Mountain View CA 94043 US dns-admin@google.com +1.6503300100 Fax- +1.6506181499 Created on..............: 1997-Sep-15. Expires on..............: 2011-Sep-14. Record last updated on..: 2006-May-17 11:10:55. Domain servers in listed order: NS3.GOOGLE.COM NS4.GOOGLE.COM NS1.GOOGLE.COM NS2.GOOGLE.COM MarkMonitor.com - The Leader in Corporate Domain Management ---------------------------------------------------------- For Global Domain Consolidation, Research & Intelligence, and Enterprise DNS, go to: www.markmonitor.com ---------------------------------------------------------- Retrieving DNS records for google.com... DNS servers ns4.google.com [216.239.38.10] ns3.google.com [216.239.36.10] ns2.google.com [216.239.34.10] ns1.google.com [216.239.32.10] Answer records google.com 1 A 72.14.207.99 300s google.com 1 A 64.233.187.99 300s google.com 1 A 64.233.167.99 300s google.com 1 TXT v=spf1 ptr ?all 300s google.com 1 MX preference: 10 exchange: smtp1.google.com 3600s google.com 1 MX preference: 10 exchange: smtp2.google.com 3600s google.com 1 MX preference: 10 exchange: smtp3.google.com 3600s google.com 1 MX preference: 10 exchange: smtp4.google.com 3600s google.com 1 NS ns1.google.com 345600s google.com 1 NS ns2.google.com 345600s google.com 1 NS ns3.google.com 345600s google.com 1 NS ns4.google.com 345600s google.com 1 SOA server: ns1.google.com email: dns-admin@google.com serial: 2006071803 refresh: 7200 retry: 1800 expire: 1038800 minimum ttl: 60 86400s Authority records google.com 1 NS ns1.google.com 345600s google.com 1 NS ns2.google.com 345600s google.com 1 NS ns3.google.com 345600s google.com 1 NS ns4.google.com 345600s Additional records smtp1.google.com 1 A 216.239.57.25 600s smtp2.google.com 1 A 64.233.167.25 600s smtp3.google.com 1 A 64.233.183.25 600s smtp4.google.com 1 A 66.102.9.25 600s ns1.google.com 1 A 216.239.32.10 345600s ns2.google.com 1 A 216.239.34.10 345600s ns3.google.com 1 A 216.239.36.10 345600s ns4.google.com 1 A 216.239.38.10 345600s Network IP address lookup: Xwhois query for 64.233.167.99... Results returned from whois.arin.net: OrgName: Google Inc. OrgID: GOGL Address: 1600 Amphitheatre Parkway City: Mountain View StateProv: CA PostalCode: 94043 Country: US NetRange: 64.233.160.0 - 64.233.191.255 CIDR: 64.233.160.0/19 NetName: GOOGLE NetHandle: NET-64-233-160-0-1 Parent: NET-64-0-0-0-0 NetType: Direct Allocation NameServer: NS1.GOOGLE.COM NameServer: NS2.GOOGLE.COM Comment: RegDate: 2003-08-18 Updated: 2004-03-05 RTechHandle: ZG39-ARIN RTechName: Google Inc. RTechPhone: +1-650-318-0200 RTechEmail: arin-contact@google.com OrgTechHandle: ZG39-ARIN OrgTechName: Google Inc. OrgTechPhone: +1-650-318-0200 OrgTechEmail: arin-contact@google.com # ARIN WHOIS database, last updated 2006-07-18 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database

http://geektools.com

• similar information can be obtained by using the tools at geektools.com. Here is an example of using the “Dig DNS Interface” link on http://geektools.com/tools.php which points to: http://geektools.com/digtool.php

• a query for “google.com” results in an HTTP POST request which effectively can be represented as this GET request:
  
  http://geektools.com/cgi-bin/do-dig.cgi?domain=google.com&dtype=ANY&target=&dig=Dig

; <<>> DiG 8.2 <<>> @ google.com ANY ; Bad server: -- using default server and timer opts ; (3 servers found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0 ;; QUERY SECTION: ;; google.com, type = ANY, class = IN ;; ANSWER SECTION: google.com. 3d13h49m20s IN NS ns4.google.com. google.com. 3d13h49m20s IN NS ns1.google.com. google.com. 3d13h49m20s IN NS ns2.google.com. google.com. 3d13h49m20s IN NS ns3.google.com. ;; AUTHORITY SECTION: google.com. 3d13h49m20s IN NS ns4.google.com. google.com. 3d13h49m20s IN NS ns1.google.com. google.com. 3d13h49m20s IN NS ns2.google.com. google.com. 3d13h49m20s IN NS ns3.google.com. ;; Total query time: 0 msec ;; FROM: gp.centergate.com to SERVER: default -- 204.74.68.5 ;; WHEN: Wed Jul 19 04:26:09 2006 ;; MSG SIZE sent: 28 rcvd: 15