[ale] Discover Virtual Hosts

Greg Sabino Mullane greg at turnstep.com
Sat Jan 26 09:39:58 EST 2002




> I was wondering if there is any way to find out what virtual hosts 
> (I think that is the right term) that a given domain has. 

It is sort of the right term. :) What you really want are the 
domains of a certain host, but this is closely related to the virtual 
host. A "virtual host" usually refers to a webserver (e.g. Apache) 
hosting more than one domain on a single IP address. This is set 
up in the webserver's configuration file, and the only way to really 
tell which virtual hosts it has set up is to look at that file. Which 
means you'll probably have to have an account on that machine. With 
the proper privileges.

However...

Setting up a virtual host on a box is not much use unless people can 
get to it, and that is where DNS comes in. If I already own "tinlc.com" 
and want to create a new domain called "go.tinlc.com", the first thing I 
need to do is to create a new entry in my httpd.conf file and restart 
apache. Now apache knows what to do when it receives an incoming request 
for the domain "go.tinlc.com." Then I need to add an entry into my nameserver 
for "go.tinlc.com" telling it to point to my IP address. Thus, when someone 
out on the net points their browser at the new domain "go.tinlc.com", their 
computer looks up the nameserver for "tinlc.com", queries that nameserver 
for "go.tinlc.com", and gets back the IP I just added in. The browser then 
connects to port 80 of that IP address, and sends a "Host: go.tinlc.com" 
header as part of their HTTP request. Apache, listening on port 80, picks 
up the Host header and fetches a page for go.tinlc.com. Every domain does not 
necessarily have a web page either: it is perfectly acceptable to have a 
domain that does not answer on port 80, if, for example, it is only used for 
email.

To finally get to your question, no, there is not an easy way to find 
all the virtual hosts (or sub-domains) for a certain host without trying 
them all out. If they are running BIND, you may be able to do a zone 
transfer and suck in all their DNS information, but that is usually 
considered rude and/or restricted to certain IPs. Most nameservers will 
only release domain information on the specific domains you ask for, so 
my final answer is "trial and error." :)

Hope that helps,
Greg Sabino Mullane  greg at turnstep.com
PGP Key: 0x14964AC8 200201260930

P.S. I may be wrong about some of the BIND details. It's old, bloated, 
insecure, and buggy, so I use djbdns instead. :)

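As an added illustration of the Host-header flow Greg describes (this is example code, not part of the original post and not Apache's own logic), the dispatcher below picks a document root from the client-supplied Host header the way a name-based server does. The vhost table and document roots are constructed assumptions; the point for an administrator is that any name not in the table, including guessed ones, lands on the default vhost, so the default should serve nothing you would not want a stranger to see.

```python
"""Minimal name-based virtual host dispatch, modelled on the Host-header
flow described in the post. Hypothetical example, not Apache's code."""
from typing import Optional

# Constructed vhost table: normalized server name -> document root.
VHOSTS = {
    "tinlc.com": "/var/www/tinlc",
    "go.tinlc.com": "/var/www/go",
}
DEFAULT_ROOT = "/var/www/default"  # catch-all for names not configured here


def normalize_host(value: str) -> str:
    """Lowercase, strip an optional :port and a trailing dot ('go.tinlc.com.')."""
    host = value.strip().lower()
    if host.startswith("["):                  # IPv6 literal, e.g. [::1]:8080
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP request, or None if absent.
    Only the first Host header is honoured; duplicates are ambiguous."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    for line in lines[1:]:                    # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def select_vhost(raw_request: bytes) -> str:
    """Pick a document root the way a name-based server does: match the
    client-supplied Host against the configured names, else the default."""
    host = parse_host(raw_request)
    if host is None:
        return DEFAULT_ROOT                   # HTTP/1.0 client, or Host omitted
    return VHOSTS.get(normalize_host(host), DEFAULT_ROOT)


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: GO.tinlc.com:80\r\n\r\n"   # constructed
    print(select_vhost(req))                  # /var/www/go
```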



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
