Skip to main content
Splunk Lantern

FQDN associated with an IP address

Attackers can build their malware to look for a domain to call home to, but the IP address behind it can change on an as-needed basis. This limits the effectiveness of blacklisting IP addresses. What might be a bad IP address today could be good later this week and vice versa. Determining the FQDN behind an IP address can useful when:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

An attacker logged into your web server and downloaded a file from an external website. They then used that file to deface your corporate website. You have the IP address the file came from but want to find the fully qualified domain name. 

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Splunk Stream. You can replace this source with any other web server data or DNS data used in your organization.

Option 1

Use this option if you know the name of the file used to deface your website. Otherwise, skip to option two.

  1. Enter the following into the search bar:
dest=<IP address receiving the request> "<name of file>" src=<IP address of the web server>
  1. In the field sections on the left, find and click sourcetype.
  2. Click a sourcetype to add it to the search.
  3. In the field sections on the left, find and click url.

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

dest=<IP address receiving the request> 

Search data going to this IP address.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

Example:
(dest="192.0.2.0" OR dest_ip="192.0.2.0")

Example:
(dest="192.0.2.0" OR dest="example.com")

"<name of file>" 

Search for the file used to deface the website.

src=<IP address of the web server>

Search data coming from this IP address.

Option 2

Use this option if you do not have a file name.

  1. Run the following search:
answer=<IP address receiving the request> sourcetype=stream:dns |stats values("name{}")
  1. In the field sections on the left, find and click sourcetype.
  2. Click a sourcetype to add it to the search.
  3. In the field sections on the left, find and click url.

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

answer=<IP address receiving the request> 

Search data going to this IP address.

sourcetype=stream:dns 

Search only Stream dns data.

|stats values("name{}")

Return the values in the name field.

Result

The domain shown in the results is the domain associated with the IP address the file was downloaded from. You can use open source intelligence (OSINT) to find a domain name and other IP addresses associated with the one you found in the investigation. 

  • Was this article helpful?