Identifying Akamai IP Addresses

Any ideas on how to identify the real URL/owner of an Akamai IP Address?

For example, say you get a firewall alert saying that a process wants to make a connection to an IP address. Before allowing the connection you look up the IP address to see who owns the IP address. Ordinarily it will tell you whose IP address it is, however if they’re using Akamai to serve their content, the only information you get is that it’s an Akamai IP address.

To give a real life example, say the firewall gives an alert to say it wants to make a connection to 92.122.210.123. You look up the IP info and it says it belongs to Akamai Technologies. It seems the only way I can find out who’s behind that IP address is to start recording network traffic, allow it through the firewall and watch the DNS requests/HTTP requests. In this particular case, it’s requesting a Certificate Revocation List from crl.startssl.com, but I’m wondering whether there’s a way to find this out without letting it through the firewall and packet sniffing first?

Cheers

DNS monitoring should reveal that, it first needs to do a ‘lookup’ for it to get the Akamai IP.

So you can monitor your DNS cache with a command-box command like

ipconfig /displaydns

Or you can use a tool like DNSQuerySniffer - DNS queries sniffer for Windows

Thanks for the reply.

Yeah, I’ve tried looking in the DNS cache, but for some reason whenever I look, it never seems to cache the ones I’m interested in. I even tried using ipconfig /displaydns >C:\Users\[UserName]\Desktop\dnscache.txt and using the Notepad search function in case I accidentally missed it.

The Nirsoft program looks good, although I’m still faced with the same problem where I have to set it to capture in advance. If the connection is something that’s user triggered it’s simple enough, however if it’s a process that randomly tries to create a connection without user interaction, it’s a bit hit and miss as to when it’s going to try and make a connection.

I was hoping there was a way of somehow querying a DNS server to provide more info than just the standard lookup. After all, the DNS records obviously have the original domain in their lists somewhere in order to perform the lookup in the first place. It would be handy if there was some way to backtrack Akamai addresses, sort of like:

92.122.210.123 > a1603.g1.akamai.net > www.startssl.com.edgesuite.com

As they probably run multiple names to the same IP you won’t get the correct answer doing a PTR request.
Only thing left is to run a local DNS server so you can log every request out, ISC Bind has a Windows build.
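The backtracking asked for above, as an added example that is not code from anyone in this thread: a Python script that parses a saved `ipconfig /displaydns` dump and walks the cached CNAME chain backwards from the Akamai IP to the names that were originally queried. The cache text is constructed; crl.startssl.com, a1603.g1.akamai.net and the IP come from the thread, while the edgesuite.net hop and downloads.example.net are assumed.

```python
import re
from collections import defaultdict
# Constructed sample of `ipconfig /displaydns` output (not a real capture): the IP, crl.startssl.com
# and a1603.g1.akamai.net come from the thread; the edgesuite.net hop and downloads.example.net are assumed.
SAMPLE_DNS_CACHE = """\
    crl.startssl.com
    ----------------------------------------
    Record Name . . . . . : crl.startssl.com
    CNAME Record  . . . . : crl.startssl.com.edgesuite.net

    Record Name . . . . . : crl.startssl.com.edgesuite.net
    CNAME Record  . . . . : a1603.g1.akamai.net

    Record Name . . . . . : a1603.g1.akamai.net
    A (Host) Record . . . : 92.122.210.123

    Record Name . . . . . : downloads.example.net
    CNAME Record  . . . . : a1603.g1.akamai.net
"""

# Only the fields that carry a name or an address matter; every other cache line is ignored.
FIELD = re.compile(r"^\s*(Record Name|CNAME Record|A \(Host\) Record|AAAA Record)[ .]*:\s*(\S+)")

def parse_displaydns(text):
    # cname[name] -> its CNAME target; owner[ip] -> names the cache answered with that address
    cname, owner, name = {}, defaultdict(set), None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        field, value = m.group(1), m.group(2).rstrip(".").lower()
        if field == "Record Name":
            name = value
        elif field == "CNAME Record" and name:
            cname[name] = value
        elif name:  # A or AAAA record
            owner[value].add(name)
    return cname, owner

def names_behind(ip, text):
    # Walk the cached CNAME chain backwards from the IP to every name originally queried.
    cname, owner = parse_displaydns(text)
    reverse = defaultdict(set)  # target -> names that CNAME to it
    for src, dst in cname.items():
        reverse[dst].add(src)
    chains, stack = [], [[n] for n in owner.get(ip, ())]
    while stack:
        chain = stack.pop()
        parents = reverse.get(chain[-1], ())
        if not parents:  # reached a name nothing else points at: the original query
            chains.append(list(reversed(chain)))
        stack.extend(chain + [p] for p in parents if p not in chain)
    return sorted(chains)
```

It can only recover what the cache (or a saved dump of it) still holds, and the shared Akamai host shows up as two separate chains, which is the same ambiguity that makes a plain PTR lookup unreliable.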