Use linux Dig command to find the full ip address range of a domain?


I need to find all IP addresses of certain websites (e.g. netflix.com). However, I want to use the Dig command but when I do something like

$ dig TXT +short netflix.com 

it gives me the following data. First, what does this mean? I have all of Google's IP addresses, by the way, but I'm not sure about amazonses.com. I also think the IP addresses it is giving me are very limited.

"v=spf1 ip4:69.53.224.0/19 ip4:165.193.233.164/30 ip4:205.139.44.20 ip4:66.150.112.120  
ip4:205.139.45.20 ip4:209.177.164.2 ip4:54.84.21.177 ip4:54.85.33.189 include:_spf.google.com 
include:amazonses.com -all"

Please help, I will really appreciate it.

Thank you in advance!

2

There are 2 answers

0
Calle Dybedahl On

Short answer: You can't do what it sounds like you want.

Longer answer: Getting all IP addresses for a certain website is simply a question of issuing an A and an AAAA DNS query for its name. That will give you all the published addresses for that site. But, and I'm guessing here, it sounds like that's not what you want. If what you want is to find out which IP ranges are assigned to Netflix the corporation, you can find that by looking it up in the various RIR databases (easiest via whois, as Sami says in a comment up there). Most of those addresses probably aren't being used for their web servers (but for mail, VPN, internal communications and such). Also, it's likely that a lot of their web presence isn't on those IP addresses, but on addresses belonging to some CDN.

You need to ask a better question if you want to get a useful answer.

0
Allen Luce On

That big string is Netflix's SPF record. It's an email thing and tells the world what servers it should expect netflix.com email from.

Finding all of a website's IP addresses can be a pretty tough thing in the general case. One answer that's often enough is to just trust whatever the DNS server is giving you as the A record for that domain at the time:

% dig netflix.com
netflix.com.            74      IN      A       69.53.236.17

Some websites will have several records, and will let you know those up front:

% dig google.com
google.com.             205     IN      A       173.194.33.103
google.com.             205     IN      A       173.194.33.110
google.com.             205     IN      A       173.194.33.96
google.com.             205     IN      A       173.194.33.105
google.com.             205     IN      A       173.194.33.100
google.com.             205     IN      A       173.194.33.97
google.com.             205     IN      A       173.194.33.99
google.com.             205     IN      A       173.194.33.102
google.com.             205     IN      A       173.194.33.98
google.com.             205     IN      A       173.194.33.104
google.com.             205     IN      A       173.194.33.101

Depending on the site, things can get tricky in a hurry. Many sites, especially larger ones, will give you a different set of records at different times (or for each time you ask):

% dig indeed.com
indeed.com.             19      IN      A       50.97.195.27
% dig indeed.com
indeed.com.             30      IN      A       50.97.35.152

And some will give you a different address depending on which part of the world you're in. Like wordpress.com from India:

Seattle WA, United States: 192.0.78.9, 192.0.78.17
Montreal QC, Canada: 192.0.78.9, 192.0.78.17
Paris, France: 192.0.78.9, 192.0.78.17
St. Petersburg, Russia: 192.0.78.9, 192.0.78.17
Beijing, China: 192.0.78.9, 192.0.78.17
Mumbai, India: 203.90.66.98

Some sites will even mix and match those types of responses.

IPv6 throws a wrench into this, as does HTTP redirection.

Probably the thing to start with when considering which answer is best for you: what are you trying to accomplish with this information?
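As an added example (not part of either answer), here is what the SPF record from the question actually encodes: a list of networks authorized to send netflix.com mail, which a receiving mail server checks against the connecting IP. The `include:` targets would normally be fetched over DNS; the `RECORDS` entries for `_spf.google.com` and `amazonses.com` are constructed placeholders, not those domains' real records.

```python
import ipaddress

# SPF record quoted in the question (dig TXT +short netflix.com), embedded so
# the example runs offline.
NETFLIX_SPF = (
    "v=spf1 ip4:69.53.224.0/19 ip4:165.193.233.164/30 ip4:205.139.44.20 "
    "ip4:66.150.112.120 ip4:205.139.45.20 ip4:209.177.164.2 ip4:54.84.21.177 "
    "ip4:54.85.33.189 include:_spf.google.com include:amazonses.com -all"
)
# Stand-in for DNS TXT lookups. The two include: targets are CONSTRUCTED
# placeholders (RFC 5737 documentation ranges), not the real records.
RECORDS = {
    "netflix.com": NETFLIX_SPF,
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

def spf_networks(domain, records, depth=0, seen=None):
    """Return the set of ip4/ip6 networks a domain's SPF record authorizes,
    following include: mechanisms. `seen` and `depth` guard against
    include: loops and runaway chains (RFC 7208 limits lookups to 10)."""
    seen = seen if seen is not None else set()
    if domain in seen or depth > 10:
        return set()
    seen.add(domain)
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return set()          # no SPF policy published for this domain
    nets = set()
    for term in record.split()[1:]:
        term = term.lstrip("+")   # "+" is the implicit "pass" qualifier
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            nets |= spf_networks(term.split(":", 1)[1], records, depth + 1, seen)
        # other mechanisms (a, mx, -all, ...) are outside this example's scope
    return nets

def spf_allows(sender_ip, domain, records):
    """True if sender_ip lies inside any network the domain's SPF authorizes."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in spf_networks(domain, records))

if __name__ == "__main__":
    # The A record from the answer, 69.53.236.17, sits inside 69.53.224.0/19.
    print(spf_allows("69.53.236.17", "netflix.com", RECORDS))   # True
    print(spf_allows("8.8.8.8", "netflix.com", RECORDS))        # False
```

Note that the record only authorizes mail senders; the `-all` at the end tells receivers to reject anything else, and it says nothing about which addresses serve the website.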