DNS Fundamentals: The Internet's Address Book
The Domain Name System (DNS) is the backbone of how the internet translates human-readable domain names into machine-readable IP addresses. When you visit a website, your browser performs a DNS lookup to find the IP address associated with the domain name. This process involves querying a hierarchy of DNS servers, starting from root servers and working down to authoritative nameservers that hold the actual records.
Two types of DNS records are central to IP tracking:
- A records map a domain name to an IPv4 address (e.g., 93.184.216.34). IPv4 addresses are 32-bit numbers, typically written as four decimal numbers separated by dots.
- AAAA records map a domain name to an IPv6 address (e.g., 2606:2800:220:1:248:1893:25c8:1946). IPv6 addresses are 128-bit numbers that provide a vastly larger address space to accommodate the growing internet.
These records are not static. Website operators regularly change their A and AAAA records when they migrate servers, switch hosting providers, adopt CDN services, or restructure their infrastructure. Each of these changes leaves a trace in passive DNS collection systems.
How Passive DNS Collection Works
Passive DNS (pDNS) is a technique for collecting DNS data by observing DNS query responses as they pass through DNS resolvers and network sensors. Unlike active DNS scanning (where you explicitly query domains), passive DNS captures real-world DNS traffic without generating any additional load on DNS infrastructure.
Here is how the process works:
- Observation: Sensors positioned at strategic points in the DNS resolution chain observe DNS query-response pairs. These sensors record which domains resolve to which IP addresses at any given time.
- Collection: The observed DNS responses are collected, deduplicated, and stored in a database. Each entry includes the domain name, the record type (A, AAAA, CNAME, MX, etc.), the resolved value, and timestamps.
- Aggregation: Data from multiple vantage points is aggregated to build a comprehensive view of DNS resolutions across the internet. This helps capture changes that might only be visible from certain geographic locations or network perspectives.
- Indexing: The collected data is indexed to enable fast lookups by domain name, IP address, record type, and time range. This indexing is what powers tools like ip-history.net.
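The collection and indexing steps above can be shown end to end. This is an added example, not code from ip-history.net or Profundis.io. The observation tuples, field names and function names are assumptions, and the sample data is constructed from reserved example domains and documentation address ranges.

```python
from collections import defaultdict

# Constructed sensor output: (unix_ts, rrname, rrtype, rdata).
OBSERVATIONS = [
    (1700000000, "Example.com.", "A", "192.0.2.10"),
    (1700000300, "example.com", "A", "192.0.2.10"),
    (1700090000, "example.com", "A", "198.51.100.7"),
    (1700000100, "example.com", "AAAA", "2001:db8::10"),
    (1700050000, "shop.example.net", "A", "192.0.2.10"),
    (1699990000, "example.com", "a", "192.0.2.10"),  # late arrival, other sensor
]

def normalize(rrname, rrtype, rdata):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return rrname.rstrip(".").lower(), rrtype.upper(), rdata.lower()

def aggregate(observations):
    """Deduplicate into one record per (rrname, rrtype, rdata) with timestamps."""
    records = {}
    for ts, rrname, rrtype, rdata in observations:
        key = normalize(rrname, rrtype, rdata)
        rec = records.get(key)
        if rec is None:
            records[key] = {"first_seen": ts, "last_seen": ts, "count": 1}
        else:
            # Sensors report out of order, so widen the interval both ways.
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
            rec["count"] += 1
    return records

def build_indexes(records):
    """Forward index (name -> values) and reverse index (value -> names)."""
    by_name, by_rdata = defaultdict(set), defaultdict(set)
    for rrname, rrtype, rdata in records:
        by_name[rrname].add((rrtype, rdata))
        by_rdata[rdata].add(rrname)
    return by_name, by_rdata

def history(records, rrname, rrtype):
    """Time-ordered history for one name and record type."""
    return sorted((rec["first_seen"], rec["last_seen"], rdata, rec["count"])
                  for (n, t, rdata), rec in records.items()
                  if n == rrname and t == rrtype)
```
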
The Profundis.io platform, which powers ip-history.net, operates one of the most extensive passive DNS collection networks, capturing billions of DNS observations to build a detailed historical record of the internet's infrastructure.
What IP History Changes Tell Us
Analyzing patterns in a domain's IP history can reveal significant information about its infrastructure and operations. Here are some common patterns and what they indicate:
Hosting Provider Switches
When a domain's IP address moves from one network block to another, it often indicates a hosting provider change. For example, if a domain moves from an IP in the OVH range (e.g., 51.x.x.x) to an IP in the AWS range (e.g., 52.x.x.x), this suggests a migration from traditional hosting to cloud infrastructure. These transitions can be verified by checking the ASN (Autonomous System Number) associated with each IP address.
CDN and DDoS Mitigation Adoption
The adoption of services like Cloudflare, Akamai, or AWS Shield is immediately visible in IP history. When a domain switches from a single IP to Cloudflare's IP ranges (e.g., 104.16.x.x or 172.67.x.x), it indicates the deployment of CDN and DDoS protection services. Similarly, a sudden change away from known CDN ranges might indicate the removal of such protection.
Geographic Infrastructure Changes
IP addresses are allocated in blocks that correspond to specific geographic regions and network operators. By enriching IP history data with GeoIP information, we can track how a domain's hosting has moved geographically over time. A domain that moves from US-based IPs to European IPs might be responding to data residency requirements or expanding its global presence.
Security-Related Changes
Rapid or unexpected IP changes can signal security events. A domain that suddenly changes its IP address multiple times in a short period may be under attack, or the operators may be rotating infrastructure to mitigate ongoing threats. Conversely, a domain that is used for malicious purposes may change IPs frequently to evade blocking and takedown efforts — a technique known as fast-flux DNS.
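A detection sketch for the rapid-change pattern described above, scoring a domain's A-record history by how many distinct addresses appear within a time window and how briefly each one is observed. This is an added example, not the site's own logic. The history tuples are constructed, and the thresholds are illustrative assumptions that need tuning against real data.

```python
import ipaddress
from statistics import median

DAY = 86400

# Constructed A-record histories: (ip, first_seen, last_seen), Unix seconds.
# Addresses come from documentation ranges.
STABLE = [
    ("192.0.2.10", 0, 200 * DAY),
    ("198.51.100.7", 200 * DAY, 400 * DAY),  # a single migration
]
# A new address every 10 minutes, each observed for only 5 minutes.
CHURNING = [
    (f"{'192.0.2' if i % 2 else '203.0.113'}.{i}", i * 600, i * 600 + 300)
    for i in range(1, 13)
]

def max_distinct_in_window(history, window):
    """Largest number of distinct IPs first seen within any `window` seconds."""
    starts = sorted((first, ip) for ip, first, _ in history)
    best, lo = 0, 0
    for hi in range(len(starts)):
        while starts[hi][0] - starts[lo][0] > window:
            lo += 1
        best = max(best, len({ip for _, ip in starts[lo:hi + 1]}))
    return best

def distinct_networks(history, prefix=24):
    """Number of distinct IPv4 networks of the given prefix length."""
    return len({ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                for ip, _, _ in history})

def assess(history, window=DAY, ip_threshold=5, max_lifetime=3600):
    """Return (flagged, evidence); thresholds are illustrative assumptions."""
    evidence = {
        "ips_in_window": max_distinct_in_window(history, window),
        "median_lifetime": median(last - first for _, first, last in history),
        "networks_24": distinct_networks(history),
    }
    flagged = (evidence["ips_in_window"] >= ip_threshold
               and evidence["median_lifetime"] <= max_lifetime)
    return flagged, evidence
```

A flagged domain is a lead, not a verdict: CDNs and load balancers also rotate addresses quickly, so the operator behind each address should be checked before drawing conclusions.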
GeoIP Enrichment and ASN Data
Raw IP addresses become far more valuable when enriched with additional context. IP history tools like ip-history.net enhance results with:
- GeoIP location data: Using databases like MaxMind's GeoLite2, each IP address is mapped to a geographic location (country, city, coordinates). This reveals where a domain's servers have been physically located over time.
- ASN (Autonomous System Number) information: Every IP address belongs to an Autonomous System operated by a specific organization (e.g., Amazon, Cloudflare, Google). ASN data reveals which network operator controls each IP in the domain's history, making it easy to identify hosting providers and CDN services.
- CIDR block information: The network block (CIDR notation) that an IP belongs to can indicate the scale of the hosting operation and help group related IPs together.
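The enrichment listed above, together with the provider and geographic changes discussed earlier, can be reduced to a longest-prefix lookup followed by a comparison of consecutive history entries. This is an added example, not the tool's own code. The prefix table is a constructed stand-in for a real ASN/GeoIP database, built from documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398) with hypothetical operator names.

```python
import ipaddress

# Constructed table: (prefix, asn, operator, country). All values are placeholders.
PREFIXES = [
    ("192.0.2.0/24", 64496, "ExampleHost", "FR"),
    ("198.51.100.0/24", 64497, "ExampleCloud", "US"),
    ("203.0.113.0/24", 64498, "ExampleCDN", "US"),
    ("203.0.113.128/25", 64499, "ExampleCDN-EU", "DE"),
]
# Most specific prefixes first, so the first hit is the longest match.
TABLE = sorted(((ipaddress.ip_network(p), asn, org, cc)
                for p, asn, org, cc in PREFIXES),
               key=lambda row: row[0].prefixlen, reverse=True)

def enrich(ip):
    """Attach CIDR, ASN, operator and country to one address."""
    addr = ipaddress.ip_address(ip)
    for net, asn, org, cc in TABLE:
        if addr.version == net.version and addr in net:
            return {"ip": ip, "cidr": str(net), "asn": asn,
                    "org": org, "country": cc}
    return {"ip": ip, "cidr": None, "asn": None, "org": None, "country": None}

# Constructed history: (first_seen, ip).
HISTORY = [(1, "192.0.2.10"), (2, "192.0.2.44"), (3, "198.51.100.7"),
           (4, "203.0.113.5"), (5, "203.0.113.200")]

def transitions(history):
    """Events where the ASN or country differs from the previous entry."""
    events, prev = [], None
    for first_seen, ip in sorted(history):
        cur = enrich(ip)
        if prev is not None:
            changed = [k for k in ("asn", "country") if cur[k] != prev[k]]
            if changed:
                events.append((first_seen, prev["org"], cur["org"], changed))
        prev = cur
    return events
```
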
Real-World Examples of Infrastructure Changes
Looking at the IP history of well-known domains reveals interesting patterns:
- google.com — Shows Google's massive, globally distributed infrastructure with IPs across multiple continents and data centers, reflecting their own backbone network.
- github.com — Reveals the transition from independent hosting to Microsoft's Azure infrastructure after the acquisition, as well as the adoption of Fastly CDN for content delivery.
- cloudflare.com — Naturally shows Cloudflare's own IP ranges, demonstrating how they use their own product for their primary domain.
- amazon.com — Illustrates the evolution of one of the largest web properties, including their use of their own AWS infrastructure.
You can explore the IP history of any domain using the search on our home page.
Get Comprehensive DNS Intelligence
While ip-history.net provides free IP history lookups, professional users who need deeper analysis, bulk access, and API integration should explore Profundis.io. The platform offers complete historical DNS records (not just A and AAAA), advanced filtering, export capabilities, and integration options for security teams and researchers.