
OK. First post after years of lurking. And even the title was a challenge in itself...

Prerequisite:

  • Company A is providing services via a CDN like Cloudflare, Akamai, CloudFront, ...

Situation:

  • (My) Client A is requesting information
  • (My) DNS server (dnsmasq) sees the query and resolves an address that points to the CDN
  • Client A is happily accessing CDN via https. Everything works.

My Challenge:

I would like to find out what company my client is accessing a service from (Company A in this example). Right now, the only nugget of information I have is the DNS query and answer, e.g.:

query[A] e4478.a.akamaiedge.net from [IP_of_Client_A]
query[A] e673.dsce9.akamaiedge.net from [IP_of_Client_A]
query[A] e6858.dsce9.akamaiedge.net from [IP_of_Client_A]

What have I tried:

Apart from nslookup, dig (which I am not a hero of), nmap, netstat and a little tcpdump, I've read every article on Superuser.com with "Akamai" in it and "researched" (duckduckgo'ed) a lot. Either my search parameters are wrong or this is a very basic question; alas, no answers were found.

Almost There:

While doing that I came across robtex.com, where it is possible to enter an address, e.g. "e4478.a.akamaiedge.net", and it gives back all sorts of information.
Under the heading "Using as a CNAME" it resolves "e4478.a.akamaiedge.net" to "www.icloud.com.edgekey.net".
Now this helps me a long way! This is what I would love to get with a (combination of) un*xy shell commands, if at all possible.

Not every address is resolved to only one CNAME.
E.g. "e6858.dsce9.akamaiedge.net" is resolved to a list of "com-instantwinner.club, www.pboy.com, www.apple.com.edgekey.net.globalredir.akadns.net", but that is okay. At least I can narrow it down (if it isn't outright obvious, like in this case).

I also came across this link, Determining the service that is using *.CloudFront.net, which looked promising but basically says there is no way to find out that information. Somehow Robtex does it, and I don't give up hope that there is a way to do so for me too.

Any advice?

  • I think your downvotes are coming from the title. I have too many pending edits, or I would fix it, but I suggest "How to find what hostname a TLS client is connecting to". Commented May 30, 2018 at 17:48
  • But there is no way to find the IP without the site specifically telling you. Commented May 30, 2018 at 17:49
  • Thanks Duncan X Simpson. If I find out how I could change the title, I'll do that!
    – Wolf
    Commented May 30, 2018 at 18:07
  • To change the title, hit the edit button below the tags on your question. Commented May 30, 2018 at 18:14
  • done. everything takes longer the first time round. :)
    – Wolf
    Commented May 30, 2018 at 18:16

2 Answers


Wireshark would be perfect for this. But first, the obligatory warning:

GET PERMISSION!

If you wiretap a network without consent of everybody using it (cough cough EULA cough), you are breaking federal wiretapping laws.

As the other answer mentioned, SNI is the way to go. First capture some traffic. It MUST include the Client Hello, which it will if you captured from the beginning of the connection. Next, go find said Client Hello packet. Within that packet, inspect the SSL dissector and you will find the server name. Here's where that is visually:

[Wireshark illustration: the Client Hello packet expanded under the SSL dissector, showing the Server Name extension]

  • Thanks. Since I am just observing traffic between my local client and my local DNS server, I hope I'm safe from any prosecution.. ;)
    – Wolf
    Commented May 30, 2018 at 18:09
The solution you are proposing suggests that this is an https connection. I am not sure about that. It is some service on the client (in this case, a macOS iCloud-related one) that is fired up whenever the client starts. Capturing traffic would mean mirroring a switchport on another machine. Quite complex (for a n0ob like me). I hoped that there was a combination of nslookup-traceroute-dig-whatever command string that I could drop addresses like "e6858.dsce9.akamaiedge.net" into and which would spit out a list of related CNAMEs.
    – Wolf
    Commented May 30, 2018 at 18:12
  • @Wolf 1. It's most likely HTTPS. 2. Even if it's not, it likely still uses SNI. 3. Capturing traffic doesn't require that. If you can run Wireshark/etc. on the client itself then that's all that's necessary. Otherwise, you may need to use ARP poisoning (which shouldn't be too difficult) if you can't get a mirrored port or a router/switch in the path to capture the traffic. Commented May 30, 2018 at 18:20

In many cases, the CDN edge node redirection is done through DNS CNAME tricks like you noted, so the client still thinks it’s going to the original site. When that’s the case, the “Host:” header of the HTTP request will still have the name of the original site. In the case of TLS (HTTPS), the TLS handshake may contain a Server Name Indicator (SNI) that tells you the same thing.

Before you ask: Yes, even TLS often leaks the name of the site you’re going to. Researchers are struggling to find a good way around it that doesn’t break virtual web hosting. Most CDN providers probably need virtual web hosting to work, so they probably use SNI.
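To show what both answers are pointing at (the server_name field Wireshark displays in the Client Hello, and why TLS leaks the site name), here is an added example that is not part of either answer or of the original question. It is a small parser for the TLS ClientHello that walks the record header, handshake header and extension list and returns the host_name from the server_name extension. Because no capture is available offline, the block also constructs its own sample ClientHello; the host name "www.icloud.com" in it is a constructed value chosen to match the edgekey name the question found via Robtex, not data from a real capture. The same `extract_sni` function can be run on the TCP payload of the first client-to-server packet of a real connection (for example exported from Wireshark or carved out of a tcpdump capture).

```python
import struct

SERVER_NAME_EXT = 0x0000     # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00        # only defined NameType in the server_name list


def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record for testing the parser.

    This is a constructed sample, not a real capture. It carries one unrelated
    extension (renegotiation_info) before the server_name extension so the
    parser has to skip over extensions it does not care about.
    """
    body = struct.pack("!H", 0x0303)                 # client_version (TLS 1.2)
    body += bytes(range(32))                          # 32-byte "random" (fixed for the sample)
    body += b"\x00"                                   # session_id: empty
    suites = b"\x13\x01\x13\x02\xc0\x2f"              # three cipher suite IDs
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # compression_methods: null only

    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info, empty
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a TLS ClientHello record, or None.

    None is returned for anything that is not a complete ClientHello
    (other record types, truncated captures, or a hello without SNI).
    """
    if len(data) < 5 or data[0] != 0x16:              # ContentType handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:                # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:                              # truncated capture
        return None

    off = 2 + 32                                      # skip client_version and random
    if off >= len(hs):
        return None
    off += 1 + hs[off]                                # session_id
    if off + 2 > len(hs):
        return None
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
    if off + 1 > len(hs):
        return None
    off += 1 + hs[off]                                # compression_methods
    if off + 2 > len(hs):                             # no extensions block at all
        return None
    ext_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_len
    if end > len(hs):
        return None

    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        edata = hs[off:off + elen]
        off += elen
        if etype != SERVER_NAME_EXT:
            continue
        if len(edata) < 2:
            return None
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == HOST_NAME_TYPE and len(name) == nlen:
                return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    sample = build_client_hello("www.icloud.com")     # constructed sample
    print(extract_sni(sample))
```

The parser only reads the plaintext server_name extension, which is exactly what makes SNI a leak: nothing in it needs a key. On a real capture, apply `extract_sni` to the TCP payload of the client's first data packet after the three-way handshake; if it returns None, either the payload was not a Client Hello or the client did not send SNI, in which case you are back to DNS and CNAME correlation.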
