My original question was:
> I've been fooling with nslookup (whose default is to give an internet
> address for a hostname) trying to get it to do the reverse to no avail.
> I did try reading the man page and experimenting, but no luck...
>
> Can anyone tell me how to use nslookup (or some other tool) to get
> a hostname from an internet address?
>
> The particular reason at the moment is that we had some "REPEATED LOGIN
> FAILURE" messages on our console from a host identified only by
> internet number.
Thanks to everyone for the *overwhelming* response! There were 45 responses &
almost 4000 lines to glean from - thus the delay in forming a summary worthy of
the effort & kindness shown by so many. I also wanted to verify the ftp sites
and details before I posted them. Many people sent similar classes of
answers & help, so I've just picked a few representative samples. My apologies
if you're not mentioned specifically; no intent to slight anyone, but listing
all who replied would be a lot of additional bandwidth!
I did get a request to please post the summary, so I know there is at least one
other person that didn't know this - for a while I thought I might be the only
one. :-) It was kicked around in sun-managers last Oct, but quite a bit more
information was sent this time than was in the last summary, so I've
summed it up again as follows.
OUTLINE of SUMMARY
------------------
I. Answers to How to get a hostname from the internet number (gethostbyaddr)
A. nslookup Shell Aliases & Scripts
1. csh
2. Korn shell
3. perl
B. Programs (ftp addresses, examples)
1. host
2. dig
C. NIS (Nee YP) solution
D. General comments from a previous sun-spots summary by Manavendra K. Thakur
II. Suggestions for dealing with attempted logins
SUMMARY
---------------
I. A.: * NSLOOKUP SHELL ALIASES & SCRIPTS*
1. csh aliases <<This set compliments of Clay Speicher, who noted he didn't write them>>
Many people (30+) sent aliases; this was the most complete csh set.
The trick pointed out by many is that the Sun version of nslookup requires the
octets of the address in reverse order; the alias does the reversing for you. Brad Passwaters
pointed out that the version of nslookup from the recent BIND 4.8.3 distribution
does *not* need the octets reversed. The generic Sun version does.
(With Sun's nslookup, you need to do the following: (lifted from MKT's posting)
-- set the query type to PTR
-- set the domain type to "in-addr.arpa" (which is a special
DNS domain for addr to name resolutions)
-- reverse the order of the octets in the IP number)
(the ptr alias does all this for you - e.g. "ptr aaa.bbb.ccc.ddd")
----------------------------cut here-------------------------------------------
alias addr "(" echo set nodefname ";" echo set q=A ";" echo \!\* ")" "|" nslookup
alias cname "(" echo set nodefname ";" echo set q=CNAME ";" echo \!\* ")" "|" nslookup
alias mx "(" echo set nodefname ";" echo set q=MX ";" echo \!\* ")" "|" nslookup
alias hinfo "(" echo set nodefname ";" echo set q=HINFO ";" echo \!\* ")" "|" nslookup
alias ns "(" echo set nodefname ";" echo set q=NS ";" echo \!\* ")" "|" nslookup
alias any "(" echo set nodefname ";" echo set q=ANY ";" echo \!\* ")" "|" nslookup
alias soa "(" echo set nodefname ";" echo set q=SOA ";" echo \!\* ")" "|" nslookup
alias mb "(" echo set nodefname ";" echo set q=MB ";" echo \!\* ")" "|" nslookup
alias ptr "(" echo set nodefname ";" echo set q=PTR ";" echo \!\$:e.\!\$:r:e.\!\$:r:r:e.\!\$:r:r:r.in-addr.arpa ")" "|" nslookup
----------------------------cut here-------------------------------------------
2. ksh functions <author unknown, from an old sun-spots summary by Manavendra K. Thakur
sent by Sam Finn>
The ptr function should do the IP address to hostname translation.
#
# Korn shell named aliases (functions)
#
function cname { { echo set querytype=CNAME; echo $*; } | nslookup; }
function mx    { { echo set querytype=MX; echo $*; } | nslookup; }
function hinfo { { echo set q=HINFO; echo $*; } | nslookup; }
function ns    { { echo set q=NS; echo $*; } | nslookup; }
function any   { { echo set q=ANY; echo $*; } | nslookup; }
function soa   { { echo set q=SOA; echo $*; } | nslookup; }
# reverse lookup: split the dotted quad on ".", emit the octets in reverse
# order under in-addr.arpa, and ask nslookup for the PTR record
function ptr
{
    {
        echo set q=PTR;
        ofs=$IFS; IFS=.; set $*; IFS=$ofs;
        echo $4.$3.$2.$1.in-addr.arpa;
    } |
    nslookup;
}
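The same reverse-lookup procedure in POSIX sh, as an added example that is not from the original posting or any of the respondents: the ksh ptr function above, but with the dotted quad validated before it is reversed, plus a helper that pulls the address out of a console message like the "REPEATED LOGIN FAILURE" lines that started this thread. The function names and the sample console lines are my own.

```shell
#!/bin/sh
# Added example (not from the posting): validated reverse-name builder,
# an nslookup wrapper, and an address extractor for console messages.

# Print the in-addr.arpa name for an IPv4 address (octets reversed), or
# return 1 if the argument is not a well-formed dotted quad.
ptr_name() {
    ofs=$IFS; IFS=.
    set -- $1              # split on dots, as the ksh version does
    IFS=$ofs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Feed the PTR query to nslookup exactly as the aliases do.
# Needs a working resolver, so it is not exercised offline.
ptr_query() {
    name=$(ptr_name "$1") || { echo "bad address: $1" >&2; return 1; }
    { echo set q=PTR; echo "$name"; } | nslookup
}

# Print the first well-formed dotted quad found in a message line,
# or return 1 if there is none.
addr_from_msg() {
    for w in $1; do
        w=${w%[,;:.]}      # drop one trailing punctuation mark
        if ptr_name "$w" >/dev/null; then
            printf '%s\n' "$w"; return 0
        fi
    done
    return 1
}

# Constructed sample console lines (not real log data).
SAMPLE_MSGS='Oct  3 23:10:02 ee console: REPEATED LOGIN FAILURE from 131.151.4.1,
Oct  3 23:10:05 ee console: REPEATED LOGIN FAILURE from 131.151.4.1,'

printf '%s\n' "$SAMPLE_MSGS" | while read -r line; do
    a=$(addr_from_msg "$line") || continue
    printf '%s -> ask for PTR %s\n' "$a" "$(ptr_name "$a")"
done
```

Because reverse zones are often incomplete or wrong (see the caution under I.D), treat the returned name as a lead rather than proof: run it back through the addr alias and check that it resolves to the same address.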
3. perl script From: Erik Sherk <sherk@nmc.cit.cornell.edu>
Try this perl script. I like this one the best because you can use it for
either domain names or IP addresses. Though, it would not be hard to modify
the above sh script to check for this.
-------------------
#!/usr/local/bin/perl
# get information about a host based on either its name or IP address
&gethostinfo($ARGV[0]);
if ( $host ) {
    print "Name: $host\n";
    foreach $address (@addresses) {
        printf "Address: %s\n", join(".", unpack("C4", $address));
    }
} else {
    print "$ARGV[0]: Not found!\n";
}

sub gethostinfo {
    local($name_or_addr) = $_[0];
    if ($name_or_addr =~ /^\s*[a-zA-Z]/) {
        # starts with a letter: treat it as a hostname and do a forward lookup
        ($host,$aliases,$type,$length,@addresses) =
            gethostbyname($name_or_addr);
    }
    else {
        # otherwise treat it as a dotted quad: pack it and do the reverse lookup
        local($AF_INET) = 2;
        local($address) = pack("C4", split(/\./, $name_or_addr));
        ($host,$aliases,$type,$length,@addresses) =
            gethostbyaddr($address, $AF_INET);
    }
    $host;
}
-------------------
I.B.: *PROGRAMS*
----------------
1. host
via anonymous FTP from
tut.cis.ohio-state.edu in dir pub/nameserver as host.[1c]
(Chuck Hedrick/Rutgers is responsible for it.)
A somewhat modified version is available from
cs.toronto.edu:pub/host.tar.Z. The mods were mostly for portability
(to get it to work on our Ultrix systems, SunOS3.5 Suns and SGIs),
plus a simple enhancement to allow it to accept multiple hosts to
resolve. (NB - didn't try this)
2. dig <thanks to Mark Henderson & Dave Curry, smb@ulysses.att.com,
Kean Stump & many others...>
>> Dig (Version 2.0) - DNS query program required to run `doc`
>> Available via anonymous ftp from:
>> venera.isi.edu. (131.151.1.7) pub/dig.2.0.tar.Z or
>> prelinked with resolv.a as dig-obj.[sparc,sun3,vax].tar.Z
>>
>> also from talon.ucsd.orst.edu (128.193.128.166) pub/dig.2.0.tar
Dave Curry (davy@itstd.sri.com) sent the following example of "dig -x ip-addr"
(you can also use dig with the internet host name - e.g. "dig franklin.ee.umr.edu")
A much more informative response can be obtained with what I think is a
much more useful tool, "dig". Version 2.0 also lets you type the address
in the "normal" order without having to tack on all that .in-addr.arpa
stuff. For example:
% dig -x 131.151.4.1
; <<>> DiG 2.0 <<>> -x
;; ->>HEADER<<- opcode: QUERY , status: NOERROR, id: 6
;; flags: qr rd ra ; Ques: 1, Ans: 1, Auth: 4, Addit: 4
;; QUESTIONS:
;; 1.4.151.131.in-addr.arpa, type = ANY, class = IN
;; ANSWERS:
1.4.151.131.in-addr.arpa. 23254 PTR umree.ee.umr.edu.
;; AUTHORITY RECORDS:
151.131.in-addr.arpa. 518273 NS NS.UMR.EDU.
151.131.in-addr.arpa. 518273 NS EMGTRT1.EMGT.UMR.EDU.
151.131.in-addr.arpa. 518273 NS EEC.UMR.EDU.
151.131.in-addr.arpa. 518273 NS N2NGW.NYSER.NET.
;; ADDITIONAL RECORDS:
NS.UMR.EDU. 172673 A 131.151.1.7
EMGTRT1.EMGT.UMR.EDU. 172673 A 131.151.9.2
EEC.UMR.EDU. 172673 A 192.65.97.1
N2NGW.NYSER.NET. 172673 A 192.35.82.2
;; Sent 1 pkts, answer found in time: 13 msec
;; FROM: intrepid.itstd.sri.com to SERVER: default -- 128.18.4.39
;; WHEN: Thu Sep 13 08:46:08 1990
;; MSG SIZE sent: 42 rcvd: 254
-----------------------------------------
I.C. NIS (Nee YP) solution <From ktk@capybara.nas.nasa.gov>
----------------
If you are running yp, you can use it to do the reverse query for you:
%ypmatch aaa.bbb.ccc.ddd hosts.byaddr
aaa.bbb.ccc.ddd foo.bar
Hope this helps. You should read about the in-addr.arpa domain in the
DNS RFCs.
I.D. General Comment from previous summary by Manavendra K. Thakur thakur@cfa.harvard.edu
(sent to me by Samm Finn)
-----------------------------------------------------------------------------------------
A number of people made the observation that the nslookup syntax for
gethostbyaddr calls is terrible and that the "host" program (available
from rutgers.edu) is "simpler" and "does things like this much nicer
than nslookup." Unfortunately, the host.c code won't compile on a Sun
3 running SunOS 4.0.3. Looks like some definitions and declarations
are missing in the Sun version of some of the standard include files.
Dan Transue <odt@ctt.bellcore.com> sent a mail message, however,
indicating that Sun 3 and Sun 4 binaries of the host program can be
retrieved via anonymous ftp from tut.cis.ohio-state.edu.
About the nslookup vs. host issue, I would say that nslookup is
probably better suited to debugging than anything else. It allows you
to specify the server you want to connect with, and it provides
information about authoritative servers for a given domain as well as
handling MX, HINFO, and other query types. I would wholeheartedly agree
that if all you want to do is match up a hostname with an IP number
(or vice versa), then programs like host are far preferable.
One last observation:
David Brownell <db@East.Sun.COM> cautioned that a number of
authoritative nameservers aren't configured properly to handle addr to
name resolutions, and Mike Walker <mike@cfdl.larc.nasa.gov> added that
you should "Complain to the appropriate hostmaster if that seems to be
the case." David also pointed out that of course you also have to
have full network connectivity to reach nameservers in other domains.
II. For Dealing with attempted logins
- original posting was:
--------------------------------------
>The particular reason at the moment is that we had some "REPEATED LOGIN
>FAILURE" messages on our console from a host identified only by
>internet number.
From henderso@abacus.mcs.anl.gov
Another thing that you could try is traceroute to the number to see
what shows up on the way. I've found that many departments within a
domain don't bother to register with their name server. But you can
then call the higher level domain admin. and ask them what/who the IP
number belongs to.
-----------
From: fuat@columbia.edu U.S. MAIL: Columbia University
Yeah, we get a lot of them too. If the attempts appear to be
malicious (e.g. login failures by someone trying to guess "root",
"bin", "system", etc.), I recommend following it up with the originating
site's administrators, with a copy to CERT (cert@cert.sei.cmu.edu).
-----------
From d3e101@ems10 Bill Eggers
There have been complicated ways using nameservers mentioned, but you could try
one simple method. Since you have an Internet address, you could just
telnet to it and see what the login banner says the hostname is. It's
possible this host has not been entered into any nameserver, so they
wouldn't know its hostname.
You can also finger the Internet address to find out the username(s) logged
into it, if you need a name to blame something on.
(NB: BTW, I had done this, but none of the current users had been logged in at the
time of the infraction.)
*THE END*
-------------------
"O, Lord that lends me life, lend me a heart replete with thankfulness!"
William Shakespeare: Henry VI, Part II; Act I, sc. 1, 1.19
Thanks again to all who posted!!
-- Wayne Little Internet: rwl@ee.umr.edu Phone: (314) 341-4546
USPS: Univ. of Missouri-Rolla, EE Dept., Rolla, MO 65401
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:05:58 CDT