I see a lot of comments about which is better to start searching for sites that you own – by DNS or IP addresses. Honestly, it’s a complicated question that deserves a nuanced explanation. The answer is just not that simple, as both searches have their pros and cons.
Once upon a time IP really really mattered. If you wanted to do anything at all on the Internet you had to have a static IP address. Then slowly people started moving to virtual hosts, then RFC1918, then dynamic IP addresses, then multicast/anycast, then round-robin DNS, then wildcard DNS, then caching proxies, then CDNs, cloud providers, etc. With each innovation, it seemed that the IP address of yore was getting slowly degraded. That is not to say that the IP address isn’t important, but rather, it has lost a lot of its former utility. No longer is it one IP address to one DNS. Now it’s a many to many relationship.
Network engineers have long been howling that IPv6 was supposed to solve all this madness. You were supposed to have one IP to DNS pairing, and nothing was supposed to be hidden behind network address translation. But while IPv6 has been growing, it by no means stopped the march forward of IP consolidation and DNS. It turns out people like human-readable names, and they don’t like static infrastructure. As things like kubernetes become the norm for companies, even small websites are starting to suffer from not having a real sense of stability from an IP perspective. Everything is supposed to be cached on the edge and portable. So IP has slowly diminished in its utility.
As I was cutting my teeth I realized that most of the existing tools to do network recon were based on IP address, because IPs are stable and “easy” to work within the sense that they are numeric. But people don’t think like that, only network people like that. So the marketing team goes off and builds things outside of the network. Or some dev. wants to run a test in a cloud-based environment. Suddenly the concept of contiguous IP space is irrelevant, or at least flawed.
One could argue what points to our IP space is ours, but even that isn’t true. I could point any DNS entry at any IP I wanted. Also, a lot of time PTR records are not owned by the company, but by their ISP.
And don’t get me started about MX, SOA, and NS records – all of which are typically owned by registrars or companies that handle mail. The number of times I’ve seen network admins claim that they “own” Godaddy’s or Gmail’s IP space would be laughable if it weren’t so sad.
Most importantly, if I only think about an IP centric world I miss out on things that are hidden by virtue of needing a Host header to access. So while the port might be open, there is no way to “see” the content without knowing what is pointing to that IP address and sending the correct Host header. To me, that means that we now live in a DNS centric world, not an IP centric world. Yes, IP is super useful, and being able to query it has utility (especially in pivoting and forensics) but for 90% of discovery it’s not even able to pierce Akamai or Cloudflare or Incapsula, let alone see what’s running on my servers. Coming from a website scanning background this seems like a complete failure to me.
So while I think we’ll be using IP based search for a while, it’s not the correct path forward when we live in a DNS centric world.