Is nslookup the best there is for reverse IP address to domainname?

Discussion in 'Wireless Internet' started by Clément Durand, Aug 12, 2014.

  1. Is there a better Linux command than nslookup for reverse IP
    address to domain searches?

    I only found out about "conntrack" yesterday, so, I don't
    fully understand if there is a better way to find out all the IP
    addresses a household is using - but the gist of conntrack
    seems to be that my Ubiquiti Rocket M2 Linux rooftop WiFi
    transceiver (which is similar to your DSL or cable modem)
    reports in its /proc/net/nf_conntrack file, an ever-changing
    list of destination IP addresses of the form:
    dst=74.125.20.188
    dst=173.208.193.106
    dst=207.171.163.142
    etc.

    I can manually determine the domain name using any of a number
    of web-based lookup tools, e.g.,
    http://www.ipchecking.com/
    http://reverseip.domaintools.com/
    http://www.ip-adress.com/reverse_ip/
    etc.

    But with a hundred at a time, it's probably better to run a
    script from the linux command line to awk out the IP addresses
    and then run a reverse IP lookup from the mini Linux on the
    rooftop radio.

    Googling for how to run a reverse IP lookup from the command line
    for Linux, the most commonly suggested is /usr/bin/nslookup, e.g.,
    $ nslookup 74.125.20.188 => pe-in-f188.1e100.net
    $ nslookup 173.208.193.106 => superbserver-online.us
    $ nslookup 207.171.163.142 => s3-1-w.amazonaws.com
    etc.

    That's OK, but often it gives nothing useful.

    Is there a better Linux command than nslookup for reverse IP
    address to domain searches?

    Note: Unfortunately these commands are not available on the router:
    dig +noall +answer -x 74.125.20.188
    host 74.125.20.188
    getent hosts 74.125.20.188
    nbstat -a 74.125.20.188
    ping -a 74.125.20.188
     
    Clément Durand, Aug 12, 2014
    #1

  2. Clément Durand wrote, on Tue, 12 Aug 2014 02:25:20 +0000:
    nslookup is ok, but most of the time, nslookup reports nothing.

    :(

    tail /proc/net/nf_conntrack|awk '{print $7}'
    src=74.125.103.57
    src=157.55.135.18
    src=173.194.25.148
    src=23.235.255.22


    tail /proc/net/nf_conntrack|awk '{print $7}'|sed -e 's/src=/nslookup /'
    nslookup 74.125.103.57
    nslookup 157.55.135.18
    nslookup 173.194.25.148
    nslookup 23.235.255.22

    tail /proc/net/nf_conntrack|awk '{print $7}'|sed -e 's/src=/nslookup /'>/tmp/script
    chmod u+x /tmp/script
    /tmp/script

    The result is that all of those IP addresses come up blank with nslookup.

    Is there a better Linux command line tool for reverse IP lookups?

    NOTE: These are not available on the Ubiquiti Rocket M2 radio.
    dig +noall +answer -x 74.125.20.188
    host 74.125.20.188
    getent hosts 74.125.20.188
    nbstat -a 74.125.20.188
     
    Clément Durand, Aug 12, 2014
    #2

  3. $ dig +short -x [ip address]

    if the command isn't available, ssh into a VPS and do it from there.
    Digital Ocean will spin up a VPS for $5 a month and you can dig all day
    long.
     
    Marek Novotny, Aug 12, 2014
    #3
  4. Marek Novotny wrote, on Mon, 11 Aug 2014 22:08:34 -0500:
    I'm sure dig works nicely, but, as stated, it's not installed on
    the router operating system.
     
    Clément Durand, Aug 12, 2014
    #4
  5. Clément Durand

    mroberds Guest

    It isn't a requirement that any given IP address also has a DNS entry;
    it's OK for nslookup to have no answer for some IP addresses. Almost
    any given IP address *should* have a "whois" record, which indicates
    who that block of addresses is assigned to. The command-line tool
    whois can be used to look this up.

    The simplest query is like this:

    whois 74.125.103.57

    which tells me that that IP address is in a block assigned to Google.
    If you don't have the command-line 'whois' tool on your radio, a desktop
    Linux distribution will. There are also many online 'whois' tools that
    can be used from a web browser. I don't know if Windows ships with a
    whois tool or not.
    Google again.
    This is part of a big block (23.235.224.0/19) assigned to Secured
    Servers LLC in Tempe, Arizona. Secured Servers has in turn "sublet"
    some of this block (23.235.255.0/24) to MC Pro Hosting of Fort
    Lauderdale, FL. (See the "Found a referral..."

    Matt Roberds
     
    mroberds, Aug 12, 2014
    #5
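    The workflow the thread has converged on (pull the destination addresses out of nf_conntrack lines, dedupe them, reverse-resolve each one, and treat "no answer" as a normal result that calls for a whois follow-up rather than a failure) can be done in one small script on the desktop. The following is an added example, not code from any poster or from Ubiquiti: the conntrack lines are constructed in the nf_conntrack format, the function names are my own, and the reverse lookup uses the standard library's `socket.gethostbyaddr`, which asks the same system resolver nslookup does. The resolver is injectable so the parsing logic can be exercised without network access.

    ```python
    """Extract remote destination IPs from nf_conntrack lines and reverse-resolve them.

    Added example; not part of the original thread. Sample data below is constructed.
    """
    import ipaddress
    import re
    import socket
    from typing import Callable, Dict, Iterable, List, Optional

    # Constructed sample lines in /proc/net/nf_conntrack format (not captured from a real radio).
    # Each line has two dst= fields: the first is the original direction (LAN client -> remote host),
    # the second is the reply direction (remote host -> LAN client).
    SAMPLE_CONNTRACK = """\
    ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=74.125.20.188 sport=51234 dport=443 src=74.125.20.188 dst=192.168.1.50 sport=443 dport=51234 [ASSURED] mark=0 use=2
    ipv4     2 udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=53211 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=53211 mark=0 use=1
    ipv4     2 tcp      6 118 TIME_WAIT src=192.168.1.51 dst=207.171.163.142 sport=40001 dport=80 src=207.171.163.142 dst=192.168.1.51 sport=80 dport=40001 [ASSURED] mark=0 use=1
    ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.52 dst=74.125.20.188 sport=51300 dport=443 src=74.125.20.188 dst=192.168.1.52 sport=443 dport=51300 [ASSURED] mark=0 use=2
    """

    _DST_RE = re.compile(r"\bdst=(\S+)")


    def extract_remote_dsts(conntrack_text: str, skip_private: bool = True) -> List[str]:
        """Return unique original-direction destination addresses in first-seen order.

        Only the first dst= on each line is taken (the host the LAN client connected to).
        Private, loopback and link-local addresses are dropped by default: they are the
        household's own hosts and will never have a public PTR record anyway.
        """
        seen: List[str] = []
        for line in conntrack_text.splitlines():
            match = _DST_RE.search(line)
            if not match:
                continue
            ip = match.group(1)
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # malformed field; skip rather than query garbage
            if skip_private and (addr.is_private or addr.is_loopback or addr.is_link_local):
                continue
            if ip not in seen:
                seen.append(ip)
        return seen


    def resolve_ptr(ip: str) -> Optional[str]:
        """Reverse-resolve one address through the system resolver (what nslookup does).

        Returns None when there is no PTR record. As the thread notes, that is a
        normal outcome for many addresses, not an error.
        """
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            return None


    def reverse_lookup_all(
        ips: Iterable[str],
        resolver: Callable[[str], Optional[str]] = resolve_ptr,
    ) -> Dict[str, Optional[str]]:
        """Map each address to its PTR name, or None when the resolver has no answer."""
        return {ip: resolver(ip) for ip in ips}


    def format_report(results: Dict[str, Optional[str]]) -> List[str]:
        """One tab-separated line per address; addresses without a PTR are flagged for whois."""
        lines = []
        for ip, name in results.items():
            if name:
                lines.append(f"{ip}\t{name}")
            else:
                lines.append(f"{ip}\t(no PTR record; look up the block owner with whois)")
        return lines


    if __name__ == "__main__":
        import sys

        # Read conntrack text from stdin when piped in; otherwise use the constructed sample.
        text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
        for line in format_report(reverse_lookup_all(extract_remote_dsts(text))):
            print(line)
    ```

    Combined with the ssh trick given later in the thread, the whole pipeline runs from the desktop without copying anything by hand: `ssh -p 2200 ubnt@192.168.1.20 cat /proc/net/nf_conntrack | python3 rdns.py` (hostname, port and script name as in the thread / assumed). Taking only the first `dst=` per line matters: the reply-direction `dst=` is the LAN client itself, which is why a naive `awk '{print $7}'` or `$8` on these lines mixes local and remote addresses.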
  6. mroberds wrote, on Tue, 12 Aug 2014 03:52:57 +0000:
    Hi Matt,

    Thanks for suggesting "whois" and for running the tests.

    I just logged into the rooftop radio to test if "whois" is there:

    $ ssh 191.168.1.20 -l ubnt -p 22 (login=ubnt, ssh port=22)

    BusyBox v1.11.2 (2014-02-05 18:21:05 EET) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    XM.v5.5.8# whois 74.125.103.57
    -sh: whois: not found

    Drat. As you had surmised, "whois" isn't on the radio linux.

    But, you're right. The "whois" command worked just fine on
    a desktop Linux, so, what I can do is somehow figure out how to
    "rcp" the radio /proc/net/nf_conntrack to my Linux machine.

    I tried "rcp" & "ftp" but neither was found on the Radio Linux.

    Do you know of a way to get the entire /proc/net/nf_conntrack
    over to my Linux machine?
     
    Clément Durand, Aug 12, 2014
    #6
  7. Yes, but why not just obtain the list of IPs and run your script on your
    desktop? If the device is missing crucial commands you might not really
    have a choice here.
     
    Marek Novotny, Aug 12, 2014
    #7
  8. Clément Durand wrote, on Tue, 12 Aug 2014 03:18:26 +0000:
    If I could just get the entire /proc/net/nf_conntrack file over
    from the radio to the Linux desktop, that would allow all the
    power of the desktop Linux.

    Unfortunately, neither ftp nor rcp is on the radio Linux.
     
    Clément Durand, Aug 12, 2014
    #8
  9. Marek Novotny wrote, on Mon, 11 Aug 2014 23:26:44 -0500:
    Hi Marek,
    That makes sense. The main stumbling block is that the nf_conntrack file
    can be ten thousand lines long, and cutting and pasting is problematic.

    So, the problem is only *how* to get a file from the rooftop radio to
    the Linux desktop.

    Unfortunately both rcp and ftp are not on the rooftop radio, which is
    a Ubiquiti Rocket M2 WiFi transceiver & antenna at 2.4GHz.
     
    Clément Durand, Aug 12, 2014
    #9
  10. See if you have scp.
     
    Marek Novotny, Aug 12, 2014
    #10
  11. Clément Durand

    Eef Hartman Guest

    As you got ssh to the radio, scp (which is an internal rcp-like
    protocol OF the sshd daemon) should be available too.
     
    Eef Hartman, Aug 12, 2014
    #11
  12. Clément Durand

    Jasen Betts Guest

    ssh user@host_address cat /path/to/remote/file > local_file
     
    Jasen Betts, Aug 12, 2014
    #12
  13. Marek Novotny wrote, on Mon, 11 Aug 2014 23:48:08 -0500:
    I had never even heard of "scp", but, yep, it's there!

    XM.v5.5.8# scp
    usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
    [-l limit] [-o ssh_option] [-P port] [-S program]
    [[user@]host1:]file1 [...] [[user@]host2:]file2
     
    Clément Durand, Aug 12, 2014
    #13
  14. Eef Hartman wrote, on Tue, 12 Aug 2014 05:16:39 +0000:
    Yes, it is!

    XM.v5.5.8# scp
    usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
    [-l limit] [-o ssh_option] [-P port] [-S program]
    [[user@]host1:]file1 [...] [[user@]host2:]file2

    I had tried that command, but I think my linux laptop doesn't have
    the SSH port 22 enabled:

    XM.v5.5.8# scp nf_conntrack laptop:/tmp/foo.txt
    /usr/bin/dbclient: Exited: Error resolving 'laptop' port '22'.
    Name or service not known
    lost connection

    Someone also had suggested:

    $ ssh user@host_address cat /path/to/remote/file > local_file

    Which, for administrator=ubnt at the rooftop radio 192.168.1.20
    given the ssh port is 2200, worked perfectly as a linux desktop command!

    $ ssh -p 2200 lbnt@192.168.1.20 cat /proc/net/nf_conntrack > /tmp/nf.txt
     
    Clément Durand, Aug 12, 2014
    #14
  15. Marek Novotny wrote, on Mon, 11 Aug 2014 23:48:08 -0500:
    Hi Marek,

    I think my linux laptop doesn't have the SSH port 22 enabled:

    XM.v5.5.8# scp nf_conntrack laptop:/tmp/foo.txt
    /usr/bin/dbclient: Exited: Error resolving 'laptop' port '22'.
    Name or service not known
    lost connection

    But, luckily, this worked from the linux laptop (given the
    rooftop radio administrator name is "ubnt" and the IP address of
    the rooftop radio is 192.168.1.20 & the ssh port is 2200):

    $ ssh -p 2200 lbnt@192.168.1.20 cat /proc/net/nf_conntrack > /tmp/nf.txt

    The result was that I never left the Linux laptop, and the
    rooftop radio's nf_conntrack file was put in the laptop tmp
    directory.

    Now the full use of Linux is available!
     
    Clément Durand, Aug 12, 2014
    #15
  16. Clément Durand wrote, on Tue, 12 Aug 2014 14:55:16 +0000:
    Interestingly, while the "-port" syntax worked, the "colon" syntax did not:

    This worked:
    $ ssh -p 2200 lbnt@192.168.1.20 cat /proc/net/nf_conntrack > /tmp/nf.txt
    This failed:
    $ ssh lbnt@192.168.1.20:2200 cat /proc/net/nf_conntrack > /tmp/nf.txt
    ssh: Could not resolve hostname 192.168.1.20:2200: Name or service not known
     
    Clément Durand, Aug 12, 2014
    #16
  17. Clément Durand

    mroberds Guest

    Since you can ssh into the radio, scp from the desktop Linux machine
    might work:

    $ scp -P 22 ubnt@191.168.1.20:/proc/net/nf_conntrack nf_conntrack

    This should give you a copy of the radio's nf_conntrack file in the
    current directory on the desktop Linux box.

    Otherwise, you might be able to do something like this, starting on
    the desktop box:

    desktop$ script conntrack.txt
    Script started, file is conntrack.txt
    desktop$ ssh 191.168.1.20 -l ubnt -p 22
    radio# cat /proc/net/nf_conntrack
    [contents of file appear here]
    radio# logout
    desktop$ exit
    Script done, file is conntrack.txt

    This will put everything that came to the screen in conntrack.txt on the
    desktop box. It will include control characters and stuff, so you'll
    have to edit that out of conntrack.txt with your favorite text editor
    before proceeding.

    Matt Roberds
     
    mroberds, Aug 12, 2014
    #17
  18. duh. :) Thanks!
     
    Marek Novotny, Aug 12, 2014
    #18
  19. Clément Durand

    HASM Guest

    Have you tried scp from the machine where you ssh from?
    scp ubnt@191.168.20:/proc/net/nf_conntrack
    -- HASM
     
    HASM, Aug 12, 2014
    #19
  20. mroberds wrote, on Tue, 12 Aug 2014 15:37:49 +0000:
    Hi Matt,
    The scp command, from Linux, worked perfectly.
    Thanks Matt, as that's a very nice command!
    It has a lot of funky characters in the results, but other
    than that, it's a really nice trick!

    1. Start the script on the Linux laptop:
    $ script /tmp/net.script
    2. Log into the rooftop modem (transceiver):
    $ ssh -p 2200 -l ubnt 192.168.1.20
    3. Spit out the file:
    # cat /proc/net/nf_conntrack
    4. Exit out of the radio
    # exit
    5. Exit out of the script
    $ exit
    6. Strip the funky characters out of the results:
    $ col -b /tmp/net.script > /tmp/net.txt
     
    Clément Durand, Aug 12, 2014
    #20