IP address -> Host names

I want to know what host names are handled by a web server of a certain IP address. For instance, the domains www.domain1.com and www.domain2.com could be located on the same webserver via the IP address, but how can I get a list of all the host names handled by this specific webserver?

PS. This was also posted in the Misc topic. Someone there suggested I ask the question in Networking instead. Should I delete the other entry?

Ok, how to answer this.

MS - If you have access to the local machine - To view the current DNS cache content and the entries preloaded from the Hosts file, go to the command prompt and type
C:\> ipconfig /displaydns

For Unix/Linux - You have to send the named process a signal to tell it to dump its authoritative data and cache to a file, usually called named_dump.db. On HP-UX, you can use sig_named dump. On Linux, you can use ndc dumpdb. If you don't have either sig_named or ndc, you can use kill -INT .

If you are trying to see a remote web server’s DNS cache, in other words you want to look at my DNS cache from your location, it is my understanding that it is not possible because the DNS names are cached in memory, not physically stored. Root name servers contain physical records like Network Solutions and you can look at their records using the WHOIS tool.

When the Network Solutions systems receive your request, they check their WHOIS record for yourdomain.com. Since yourdomain.com is pointing to XX servers (dns1.XX.com and dns2.XX.com), Network Solutions forwards your request to XX network.

Let me know if I’m wrong or if there is a tool out that does it. I would like to have it also.
Hope this Helps.....
afaik, you should get it from the respective web server configuration, e.g., IIS, apache
what's the webserver?
If you have access to the dns server you can do in nslookup an ls domain1.com.
If you have access to the webserver you can check the virtual hosts it is serving and this gives you also a list of the domains it is using.
If you do not have access to either the webserver or the dns server this would mean that you are trying to find out information which you shouldn't :)
Hermund (Author) commented:
So I guess it's not possible.

Well, I don’t like saying it’s not possible because it is probably being built as we speak. Much effort has been put into protecting DNS stores and how they are cached.

There are several security groups out there that may have tools available - but none in the public sector that I can see.
You use nslookup

> ?
Commands:   (identifiers are shown in uppercase, [] means optional)
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          -  list canonical names and aliases
    -d          -  list all records
    -t TYPE     -  list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)
view FILE           - sort an 'ls' output file and view it with pg
exit            - exit the program

> ls x.com
*** Can't list domain x.com: Query refused

To convert an IP address into a host name, you use NSLOOKUP as follows  (example of

 > set type=ptr
 (nslookup will display the associated inverse DNS record address-> name)

If the machine is a virtual host, it will likely return the primary name of the machine. Off hand, without access to the appropriate configuration files on that machine, I don't know of a way of enumerating all of the URLs that are serviced by that particular host (it gets even more complex, the host may have multiple addresses, each of which resolves to a different name).

I hope that the above is helpful.

- Bob (aka RLGSC)
Is this a public web server, or one you control?

What web server software is it running?

If you do not control the server, why do you need this information?
Hermund (Author) commented:

I do control the server. Sometimes it's hard to remember all the host names it's supposed to handle.
Hermund (Author) commented:
It runs IIS.
Courtesy of the IIS FAQ site:

' Chris Crowe
' IISFAQ Web Site
' http://www.iisfaq.com
' September 24, 2000
' Show ALL WWW Sites

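' Bind to the local IIS web service through ADSI
Set IISOBJ = GetObject("IIS://LocalHost/W3SVC")
' Each IIsWebServer child is one defined web site
For Each Object In IISOBJ
      If (Object.Class = "IIsWebServer") Then
            WScript.Echo "WWW Site: " & Object.Name & " - " & Object.ServerComment
      End If
Next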

Save the above to a text file with the extension vbs.

The syntax for the command is "cscript %vbscriptname%".

You need to run the script either on the server, or remotely. If running remotely, change localhost to your server name. You must have privileges on the server concerned.

Hope this helps
DNS never really needed to come into it if you have access to the server
Hermund (Author) commented:
Thanks for the answer!

But won't that script only say which host names are actually handled by defined websites? I would like to know all domains that are directed to our webserver's IP address.

Is that possible?

The script will only do that (ie. read the host headers), but DNS will not tell you this information either.

If you have a web site called www.monday.com, and its default page is default.asp. If you have  a redirect from this page to www.tuesday.com, it is a different domain, but the DNS entry will not tell you this.

If you want to determine what FQDNs map to your server IP address from the Internet and your Intranet, then DNS may give you this information. I believe the record you are seeking is the CNAME record.

The script will list all the web sites regardless of IP address

Here is another script that may help. Again from iis FAQ.


I don't know your level of experience, but IIS can get very scary very quickly if you are new to it. Microsoft Press do some pretty good books on it. For IIS4 I originally used as a starting point Running Internet Information Server. This will also help with IIS5, as the two products are not dissimilar. If you are using IIS6, there are a variety of reference books available.
1) http://www.geektools.com/whois.php

Type IP address -
Names - use the www.verisign.com 
2) Use IDserver.exe - found at www.grc.com - made by Steve Gibson for this purpose.

It is really simple: Shoot out and see what you get to. That also covers the case when the DNS is misconfigured...
There's no way to get a complete list (it would basically involve querying every single possible hostname on the Internet for your IP address, which isn't possible). However, you could set up logging of the site's Hostname and see what turns up. This would be done in logging Properties under "Extended Properties", and checking Host (cs-host).

Note you may want to configure this only on the 'default' website for the server's IP address, and make sure all the virtual websites are configured via Host Headers.  This way you'd only have one logfile to review, and it won't mess up any web stats programs running for the sites.  It's also a good security practice since it prevents someone from finding out which site(s) you host by going to the server's IP address in their browser.  
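The log review suggested in the answer above, as an added example that is not part of the original thread: it reads a W3C extended log with cs-host enabled, counts each Host header value seen, and lists the ones that are not among the host headers configured on the server. The sample log lines, the function names and the configured host list are constructed for illustration.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log with the cs-host field enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2004-03-01 10:00:01 192.0.2.10 GET /default.asp 200 www.domain1.com
2004-03-01 10:00:05 192.0.2.11 GET /default.asp 200 WWW.Domain2.com
2004-03-01 10:00:09 192.0.2.12 GET / 200 forgotten.example.net:80
2004-03-01 10:00:12 192.0.2.13 GET / 200 -
#Fields: date time cs-host cs-uri-stem sc-status
2004-03-01 10:01:00 www.domain1.com /about.asp 200
2004-03-01 10:01:03 198.51.100.7 / 200
"""

def hosts_seen(lines):
    """Count Host header values (cs-host) across W3C extended log lines."""
    fields, counts = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or "cs-host" not in fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                       # truncated or malformed entry
        host = cols[fields.index("cs-host")].lower()
        if host == "-":
            continue                       # request carried no Host header
        if not host.startswith("["):       # leave bracketed IPv6 literals alone
            host = host.split(":", 1)[0]   # drop an explicit :port
        counts[host] += 1
    return counts

def unexpected_hosts(counts, configured):
    """Host names that reached the server but match no configured host header."""
    known = {h.lower() for h in configured}
    return sorted(h for h in counts if h not in known)

if __name__ == "__main__":
    seen = hosts_seen(SAMPLE_LOG.splitlines())
    for name, hits in seen.most_common():
        print(f"{hits:5d}  {name}")
    # Assumed list of host headers defined on the server.
    print(unexpected_hosts(seen, ["www.domain1.com", "www.domain2.com"]))
```

Requests that show the bare IP address as the host are clients that reached the default site directly rather than through a name.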
Question has a verified solution.