Note, all of these examples were done on a Mac using Terminal.app. They should also work fine on any other UNIX-like system. If you're still using Windows, you are out of luck: some of the basic networking commands used here, whois in particular, are not shipped with Windows' cmd.
The first step is to resolve the host name cia.gov to an IP address. For this we use the host command. Simply type the command followed by the domain name you want to resolve. Also note that www.cia.gov and cia.gov are not necessarily the same thing. The www version has no mail server (no MX record) because people typically do not send email to it, and host only prints a "mail is handled by" line when an MX record exists.
$ host cia.gov
cia.gov has address 18.104.22.168
cia.gov mail is handled by 10 mail1.ucia.gov.
$ host www.cia.gov
www.cia.gov has address 22.214.171.124
Now that we know the IP address of this server we can look up its ownership. For that we use the whois command followed by the IP address we want to research.
$ whois 126.96.36.199
ANS Communications, Inc BLK198-15-ANS (NET-198-80-0-0-1)
188.8.131.52 – 184.108.40.206
Central Intelligence Agency OIT-BLK1 (NET-198-81-128-0-1)
220.127.116.11 – 18.104.22.168
In this example the result is simple and immediate. The range of IP addresses 22.214.171.124 – 126.96.36.199 is owned by ANS Communications, Inc. A portion of that range, 188.8.131.52 – 184.108.40.206, has been delegated to the CIA.
Let's try another example that's a little more difficult. I can open up almost any spam message and find the IP address of a server that has been compromised. The first one I find is 61.129.51.17. The whois command on this IP does not give us a nice, complete answer. Instead it gives us the name of a server that does have this information.
$ whois 220.127.116.11
OrgName: Asia Pacific Network Information Centre
Address: PO Box 2131
NetRange: 18.104.22.168 – 22.214.171.124
So now we know that the IP address we see is somewhere in the Asia Pacific region of the world. The Asia Pacific Network Information Centre (APNIC) manages the entire 61.x.x.x range out of Australia, so any address starting with 61 will be registered somewhere in the Asia Pacific region (the registry tells you where the block was allocated, not necessarily where the machine physically sits). In order to find out more, we need to ask APNIC for their customer information. Fortunately, APNIC has graciously told us the name of their whois server: whois.apnic.net. (Notice that this is a .NET top-level domain name. The .NET TLD used to mean something special: it identified network providers.) Now all we need to do is repeat the whois command using APNIC as the authority instead of whois.arin.net. The way you do this is by adding the -h parameter followed by the name of the authoritative server. The whole command looks like this…
$ whois -h whois.apnic.net 61.129.51.17
inetnum: 126.96.36.199 – 188.8.131.52
descr: Data Communication Division
descr: China Telecom
So now we know that this IP is owned by China Telecom. They own the entire range 184.108.40.206 – 220.127.116.11. Also provided in the response, but omitted above, are a phone number and email address for the person responsible for that range of IP addresses. Most network administrators are responsible and want to know if their network is being used for spam or worse, so that contact is the place to send a report.
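The two-step lookup above (ask the default whois server, read the referral it returns, then re-ask the registry it names with -h) is easy to script. The shell functions below do exactly that and then boil the answer down to the range and its holder. This is an added example written for this page, not the author's own script: the fake_whois function and the registry answers it returns are constructed stand-ins modelled on the output shown above (the ranges and names are illustrative, not real registry data), so the demo runs without a network; leave off the second argument to lookup and it drives the real whois client instead.

```sh
#!/bin/sh
# Added example (not from the original page): a whois lookup that follows
# the registry referral, collapsing "whois IP" + "whois -h RIR IP" into one
# step.  fake_whois below is a constructed stand-in so this runs offline.

# Print the referral server named in a whois response read on stdin.
# ARIN answers "ReferralServer: whois://host" for space it does not hold;
# other registries say "whois: host".  No output means no referral.
referral_server() {
    sed -n -E 's#^(ReferralServer|whois):[[:space:]]*(whois://)?([A-Za-z0-9.-]+).*$#\3#p' | head -n 1
}

# Reduce a response to "range -> holder".  Accepts ARIN's NetRange/OrgName
# and the RIPE/APNIC-style inetnum/descr fields (all descr lines are kept).
summarise() {
    awk -F': *' '
        tolower($1) ~ /^(netrange|inetnum)$/ && r == "" { r = $2 }
        tolower($1) ~ /^(orgname|descr)$/ { o = (o == "" ? $2 : o ", " $2) }
        END { if (r != "") print r " -> " o }'
}

# Two-hop lookup.  $1 = IP address, $2 = whois command to run
# (defaults to the real whois client; the demo passes fake_whois).
lookup() {
    ip=$1
    cmd=${2:-whois}
    first=$("$cmd" "$ip") || return 1
    ref=$(printf '%s\n' "$first" | referral_server)
    if [ -n "$ref" ]; then
        "$cmd" -h "$ref" "$ip"      # re-ask the registry we were pointed to
    else
        printf '%s\n' "$first"      # the first server held the record itself
    fi
}

# Constructed stand-in for the whois client.  The shape mirrors the answers
# on the page; the ranges and names are illustrative, not real registry data.
fake_whois() {
    if [ "$1" = "-h" ]; then
        case $2 in
            whois.apnic.net)
                printf 'inetnum:      61.129.0.0 - 61.129.255.255\n'
                printf 'descr:        Data Communication Division\n'
                printf 'descr:        China Telecom\n' ;;
            *)  printf 'No match\n' ;;
        esac
    else
        case $1 in
            61.*)
                printf 'OrgName:        Asia Pacific Network Information Centre\n'
                printf 'NetRange:       61.0.0.0 - 61.255.255.255\n'
                printf 'ReferralServer: whois://whois.apnic.net\n' ;;
            *)
                printf 'NetRange:       192.0.2.0 - 192.0.2.255\n'
                printf 'OrgName:        Example Network (constructed)\n' ;;
        esac
    fi
}

# Offline demo: the referral is followed automatically.
lookup 61.129.51.17 fake_whois | summarise
lookup 192.0.2.10 fake_whois | summarise
```

The sed pattern accepts both the ReferralServer: whois://host form that ARIN prints and the plain whois: host form, so the same function works whichever registry you start from; summarise keeps every descr line because, as in the China Telecom answer above, the organisation name is often spread over several of them.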