Carles Alcolea asked:
This is one that I’ve never really known how to do, it’s been nagging me from time to time for years. I’ve read all I could find, including all the answers here. None of them gives a real answer to the question. So please read carefully before flagging a duplicate; it is not.
dig, host, nslookup… none of them seems to be able to get what I’m after.
At most I can get pointers like ec2-xxx-xxx-xxx-xxx.us-east-2.compute.amazonaws.com.
But if I use this online tool, I get exactly what I’m looking for: every domain that resolves to the IP given (or a hostname). In this case, it’s a freemium service so it’ll only list the first few, but it works. In the following image, I use 3 domains that I own and serve from a VPS. They are totally unrelated, but they all appear here:
What black magic are they using? How can we replicate it?
It’s brute force.
They have looked up the IP addresses of every domain name they can find, and then compiled the results into their own database.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.