Enumerating subdomains hosted on a single IP address
Written on 2023/02/23
As we crawl the Web like a search engine, we have plenty of data to enumerate all subdomains (or hostnames) having DNS entries pointing to a single IP address. To do so, there is one category of information (or dataset) you can query:
- category:resolver: this is like a passive DNS database
Using the resolver category
By using the official command line tool, you can easily execute this use case in a single call:
$ onyphe -search 'category:resolver ip:1.1.1.1 -since:7M | uniq hostname'
{"hostname":"guestredirect.discovery.com"}
{"hostname":"yy.duowan.com"}
{"hostname":"one.one.one.one"}
{"hostname":"kenshoo-lab.com"}
{"hostname":"www.cp96590.com"}
{"hostname":"ieil.net"}
{"hostname":"1268475394.apollo.cdn.myqcloud.com"}
{"hostname":"active.seri.org"}
{"hostname":"bobkerrey.mkt4486.com"}
{"hostname":"wlc-mlu.ccmhky.net"}
{"hostname":"test.paysafecard.com"}
{"hostname":"learnship.today"}
{"hostname":"tsi-sandbox.net"}
{"hostname":"dapenggou.com"}
{"hostname":"staging.pd.jobtarget.com"}
{"hostname":"webportal.rejis.org"}
{"hostname":"uat-promos.turnerapps.com"}
[..]
Output has been truncated, but there are many hostnames pointing to this IP address.