Internet Protocol Addressing


Each machine connected to an IP network (such as the Internet) is addressed using a unique 32 bit number, the IP address.

Many machines will have more than one IP address - for example, a machine running virtual websites will have an IP address for each website it hosts.

Other times a pool of IP addresses is shared between a number of machines - e.g. on a dynamic-IP dialup connection your machine will be allocated a different IP address each time you connect.

These addresses are usually written in dotted-quad notation, as a series of four 8-bit numbers, written in decimal and separated by periods. For example, 151.196.75.10.

Each number is in the range 0 to 255 - so if you ever see something that looks like an IP address with a number outside that range, it's not a real address.

The leftmost number is the most significant, and the rightmost the least.

So 151.196.75.10 and 151.196.75.11 are right next-door to each other whilst 151.196.75.10 and 152.196.75.10 are completely unrelated.

IP Address allocation

Traditionally IP addresses were allocated to companies and ISPs in blocks.

A Class A Address Block or, less formally, an A Block is a block of 16,000,000 or so (2^24) addresses from X.0.0.0 to X.255.255.255, where 0 < X < 127.

So the entire 9.0.0.0 - 9.255.255.255 range of addresses is the A Block owned by IBM.

A B Block is a block of 65,000 or so (2^16) addresses from X.Y.0.0 to X.Y.255.255, where 127 < X < 192 and 0 <= Y < 256.

A C Block is a block of 256 addresses from X.Y.Z.0 to X.Y.Z.255, where 191 < X < 224 and 0 <= Y, Z < 256.

(There are also class D and E addresses in the 224-255 range - these are reserved for multicast and experimental applications - you'll never see them in practice.)

Traditional blocks are often described using the first address in the block, e.g. IBM own A Block 9.0.0.0 and CyberPromo own C Block 205.199.2.0. Other times they may be described using just the constant prefix, e.g. net 9 for IBM or net 205.199.2 for CyberPromo.

[You'll often hear any address range from X.Y.Z.0 to X.Y.Z.255 called a C Block, even though it technically isn't unless 191 < X < 224]

CIDR Allocation

Recently things have changed: IP addresses are in short supply and routers have become more sophisticated, so it's now usual to allocate blocks of addresses on pretty much any bit boundary. You'll often see blocks of 64 addresses, for instance, such as 151.196.75.128 to 151.196.75.191.

A common way of naming these blocks is CIDR syntax: the constant prefix, a slash, and the length of that prefix in bits.

So 151.196.75.0 to 151.196.75.255 might be described as 151.196.75/24

and 151.196.75.128 to 151.196.75.191 might be described as 151.196.75.128/26
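As an added example (not code from the original page), the dotted-quad, classful and CIDR arithmetic described above, done in Python on the 32-bit integer an address really is; it also goes the other way and names an aligned range in CIDR syntax.

```python
# Added example (not from the original page): the dotted-quad, classful and
# CIDR arithmetic from the text, done on the 32-bit integer an IP address is.

def parse_ip(dotted):
    """'a.b.c.d' -> 32-bit int; an octet outside 0-255 means it is not an address."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IP address: %r" % dotted)
    value = 0
    for p in parts:
        value = (value << 8) | int(p)       # leftmost octet is the most significant
    return value

def format_ip(value):
    """32-bit int -> 'a.b.c.d'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_range(cidr):
    """(first, last) of 'prefix/len'; a short prefix like 151.196.75/24 is zero-padded."""
    prefix, length = cidr.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError("bad prefix length: %r" % cidr)
    prefix = ".".join((prefix.split(".") + ["0", "0", "0"])[:4])
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    first = parse_ip(prefix) & mask
    return format_ip(first), format_ip(first | ~mask & 0xFFFFFFFF)

def range_to_cidr(first, last):
    """Name a range in CIDR syntax; only aligned, power-of-two sized ranges qualify."""
    lo, hi = parse_ip(first), parse_ip(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        raise ValueError("%s-%s is not a single CIDR block" % (first, last))
    return "%s/%d" % (first, 33 - size.bit_length())

def classful_block(dotted):
    """(class, first, last) of the traditional A/B/C block holding the address."""
    first_octet = parse_ip(dotted) >> 24
    if 0 < first_octet < 127:
        cls, bits = "A", 8
    elif 127 < first_octet < 192:
        cls, bits = "B", 16
    elif 191 < first_octet < 224:
        cls, bits = "C", 24
    else:                                   # 0, loopback 127, or class D/E
        return (None, None, None)
    return (cls,) + cidr_range("%s/%d" % (dotted, bits))
```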

But who's in charge of this address block?

To find out who administers a block of addresses you can use the IP Block tool to query the InterNIC database. This is sometimes wildly out of date, but can be a good start.

Special Cases

There are some special ranges of addresses reserved for special uses.

Loopback

The 127.*.*.* block is reserved for local loopback - so these addresses will always point back to your own machine.

The canonical loopback address is 127.0.0.1.

Private networks

Some blocks of addresses are allocated for private networks - packets to or from these addresses should be dropped by most routers. Why is this useful? If you want to set up a private network you don't need to use up any of the scarce allocation of 'real' IP addresses, but you still need to make up your own addressing scheme to use internally.

As long as you're not connected to the internet in any way you could use any scheme you wanted. But what if you have a gateway machine that lets you, e.g., send mail to and from the internet? If you chose an arbitrary IP address range for your local network and the packets leaked through the gateway onto the internet, they'd end up going to the real owner of those addresses, probably fubaring their system and provoking stern phone calls.

This has happened, even within huge multinational corporations that didn't follow the rules and chose arbitrary addresses for their internal network.

So there are ranges of addresses allocated as private addresses. You can use these quite safely, as everyone's routers are told to just throw away packets to or from these addresses. So if your packets escape they'll be dropped.

These private address blocks are:

If you see one of these addresses in a Received: line it means the email has been forwarded around an internal network before being gatewayed to the internet proper.

So far, so froody.

There are some IP addresses in each block reserved for broadcast and other obscure stuff. Check the RFCs if you're really interested.
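As an added example (not from the original page), a small Python check that picks the loopback and private addresses out of an e-mail's Received: lines, which is the tell-tale of internal relaying described above. The three private blocks it uses are the ones RFC 1918 reserves; the sample headers are constructed, not a real message.

```python
# Added example (not from the original page): pick out the Received: hops of an
# e-mail that carry loopback or private addresses, i.e. internal relaying.
import ipaddress
import re

# 127/8 is loopback, as the text says; the three private blocks are the ones
# RFC 1918 reserves, listed here because the pruned page no longer shows them.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify(dotted):
    """'loopback', 'private', 'public' or 'invalid' for a dotted-quad string."""
    try:
        addr = ipaddress.IPv4Address(dotted)
    except ValueError:                     # an octet outside 0-255, e.g. 300.1.2.3
        return "invalid"
    if addr in LOOPBACK:
        return "loopback"
    if any(addr in net for net in PRIVATE):
        return "private"
    return "public"

def unfold(headers):
    """Join folded continuation lines (those starting with whitespace) to their header."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def internal_hops(headers):
    """[(address, kind)] for every non-public address in a Received: line, read top
    to bottom, so the first entries are the hops nearest the recipient."""
    found = []
    for line in unfold(headers).splitlines():
        if not line.lower().startswith("received:"):
            continue
        for dotted in IPV4_RE.findall(line):
            kind = classify(dotted)
            if kind != "public":
                found.append((dotted, kind))
    return found

# Constructed sample header block (not a real message): a gateway hop with a
# public address, behind it two hops inside the sender's private network.
SAMPLE_HEADERS = """\
Received: from gateway.example.net (gateway.example.net [151.196.75.10])
    by mx.example.com; Mon, 1 Jan 2001 12:00:00 +0000
Received: from mailhub.internal (mailhub.internal [192.168.4.20]) by gateway.example.net
Received: from localhost (localhost [127.0.0.1]) by mailhub.internal
"""
```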

Email to an IP address

Incidentally, if you want to send email to a machine and you know the machine's IP address you can send it to user@[w.x.y.z].

So, just for the sake of example, if you were to put this HTML tag:

<a href="mailto:postmaster@[127.0.0.1]"></a>

in a web page, and someone were to scan your webpage for email addresses and then try to send spam to them, they'd end up sending a copy to postmaster at the machine 127.0.0.1. As we said earlier, 127.0.0.1 is always your own machine, so this would make the spammer spam their own system administrator...

Name resolution

IP addresses work pretty well, but they're not as memorable as machine names. So we need some way to map names to addresses (and ideally back again).

Domain Name Service

DNS is a distributed system. The end user doesn't really care about this, but in case you're interested here's how it works.

You try and access http://www.blighty.com. Netscape wakes up and asks Windows what IP address www.blighty.com maps to.

Windows then sends a request to your local nameserver, usually the nameserver of your ISP. If someone else has looked up the address recently the nameserver might already know the answer. If not it realizes that it doesn't know, and works out who might know.

Your ISP's nameserver then contacts that nameserver - if it knows, it answers. If not, it works out who might know... you get the idea.

Finally the result gets forwarded back to your local nameserver, which caches the result so it can use it again later and passes the answer back to your system - 151.196.75.10.

[In reality it's a bit more formal than that, with 'zones of authority' rather than guesswork to find out who might know the answer]

DNS lookups

If you want to query your DNS server directly you can use the DNS tool.

Reverse lookup

Finding the hostname given the IP address is very useful: if you're tracing spam you need the domain name to be able to find whois information.

Sometimes you can just use the DNS tool on an IP address and it'll give you the hostname. Sometimes it won't be able to find a hostname.

Just because a host has forward DNS from name to address there's no guarantee or requirement for it to have reverse DNS from address to name. Many sites do, many sites don't.

If there's no reverse DNS you need to resort to guerrilla approaches. If there's a web site that's a good bet. Do a view source to look at the HTML source, particularly for forms and mailto links.

Sometimes telnetting to the machine will give a banner identifying the machine. Or telnetting to other ports on the machine (25, 110, 119) can sometimes give a banner. Then you can use forward DNS to confirm that the address maps back to the right IP.
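As an added example (not from the original page), the confirmation step just mentioned in Python: take the name reverse DNS gives for an address, look that name up forward, and only trust it if the address is among the results. The lookup functions are parameters so the logic can be run offline against the constructed table at the bottom; the hostnames there are hypothetical.

```python
# Added example (not from the original page): confirm a reverse-DNS hostname by
# looking it up forward again, as the text advises. The lookup functions are
# parameters so the logic can be exercised offline on a constructed table.
import socket

def confirm_reverse(ip, reverse=None, forward=None):
    """Return (hostname, status); status is:
       'confirmed'  - the PTR name's forward A records include ip
       'mismatch'   - PTR name exists but does not resolve back to ip (do not trust it)
       'no-reverse' - no PTR record, the case the text says is common"""
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    try:
        name = reverse(ip)
    except (socket.herror, socket.gaierror, KeyError):
        return (None, "no-reverse")
    try:
        addresses = forward(name)
    except (socket.herror, socket.gaierror, KeyError):
        addresses = []
    return (name, "confirmed" if ip in addresses else "mismatch")

# Constructed DNS data (hypothetical hostnames, not real records) standing in
# for the live resolvers; a missing key plays the part of NXDOMAIN.
FAKE_PTR = {
    "151.196.75.10": "www.example.net",
    "151.196.75.11": "bogus.example.org",   # reverse name that does not point back
}
FAKE_A = {
    "www.example.net":   ["151.196.75.10", "151.196.75.12"],
    "bogus.example.org": ["10.9.8.7"],
}

def check_offline(ip):
    """confirm_reverse against the constructed tables instead of the network."""
    return confirm_reverse(ip, reverse=FAKE_PTR.__getitem__, forward=FAKE_A.__getitem__)
```

Calling confirm_reverse(ip) with no resolver arguments uses the system resolver and so needs network access.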

The port scan tool can scan a range of ports on a machine, to see which are providing services. Then you can telnet to each one in turn to see if any leak information.

What if the site is being coy and trying to hide its domain name? Most virtual web-hosting companies require customers to have a domain name, but if it's not used anywhere and the website is advertised using its IP address rather than its domain name, it's hard to find.

On some virtual web servers accessing http://w.x.y.z/stats or http://w.x.y.z/logs triggers a redirect that can give you the name.

Advanced DNS

DNS has all sorts of good stuff in it, not just the address-name mappings. You can get at this with the dig tool.

These are some of the things it can tell you:

A
The Address of a hostname. There's only one A record for each host.
NS
The authoritative nameserver for a domain
MX
The mail exchanger for the domain. For example, there is no such machine as demon.net, yet you can send email to user@demon.net. The MX record tells the mail system to send mail for user@demon.net to user@relay-1.mail.demon.net instead.
CNAME
An alias for a machine. A number of different names may resolve to the same IP address. A CNAME entry for a domain points you at the real name of the system.
HINFO
Hardware and software used by the host
RP
The responsible person for a domain
ANY
All records available

There are around 40 more, but these are the most common.

You can also ask for a complete Zone Transfer from a nameserver. This contains all the records it has for a given domain. If there's no reverse DNS set up this can be the only way of getting a full list of the machines within a domain. You can only do a zone transfer from the name server that is authoritative for a domain, so you need to query your local nameserver to find an authoritative server for a domain before doing a zone transfer.
