What does it mean when an IP wont resolve?

When you click to resolves someones IP what exactly does this mean? I tend to find IP's that dont resolve to be potential spammers, but when checking we tend to have a few genuine daily members whos dont resolves at all.

Hmmm...

 

I'm certainly interested in the answer.

 

Most of the time, I find them to be spiders. When they won't resolve, I google the ip address, and 9 times out of 10, that's what they are.

 

Simply put, IP addresses don't have to resolve to anything. Domain names, URIs, addresses are there for human benefit. The computers don't need them at all. Some IP addresses aren't even routable over the Internet (10/8, 127/8, some portions of the 172 and 198 blocks). Some companies like IBM, Apple and HP own their own blocks of IP addresses to use as they wish. Other issues could be the Reverse DNS entry doesn't exist or the server timed out on the request.

You can look at the IANA (Internet Assigned Numbers Authority) to see which agency they issued the IP address to.
IANA IPv4 Address Space Registry

From there you can go to the agency and see who the IP was issued to within that region.

Any IP address starting with following are guaranteed to be spoofed. These are for private networks and special purposes:

• Begins with 10. (i.e. 10.0.0.0 through 10.255.255.255)
• Begins with 127. (i.e. 127.0.0.0 through 127.255.255.255)
• Begins with 169.254.
• Begins with 172.16. through 172.31.
• Begins with 192.168.

IP Addresses that don't resolve can be other computers or bots of whatever kind including spiders for search engines or other harmless data collection.

 

Thanks for that Wayne It is good to hear it is perfectly normal!

 

0.*, 1.*, and 224.*-255.* are also not appropriate.

Resolving IPs is done through reverse DNS. Not every IP address is going to have an entry, however, and it's only really useful to check for spammer domains. If you want to track a user, check ARIN/RIPE/APNIC etc. and do a traceroute on their name. I also do a proxy check on registration.

 

May unresolvable IPs also be a sign of the use of proxy? That is not to say that this is commonly the case; I only wonder if proxy is connected to unresolvable IPs. I remember that, for two of my members, the overwhelming majority of their IPs were unresolvable, but the few that were indicated that the two accounts were by the same person (i.e., one account was a sock puppet); that is what prompted me to ask.

 

Unresolvable IDs can belong to a proxy server.

 

Thank you. I suspected this, as all the IPs that were unresolvable started with the same few numbers for either account.

 

They can, but not always. I generally do a quick port check on registration instead.

 

Some internet service providers will take your computer/firewall name, the ip address that your computer/firewall has, and give it to the DNS server. That way the ip address can be resolved to a real computer name.

Some internet service providers do not bother with it.

In other words, when the ip address will not resolve, dont worry about it.

 

If the ISP doesn't bother with it, it's time to move to another ISP. This isn't something that should be ignored by any means, ESPECIALLY if you're looking to send mail.

What the OP is referring to is Reverse DNS, which for an ISP based ip address is critical. With every provider and their brother blocking mail initiating from IP addresses that don't have proper RDNS setup, it's imperative that the provider gets this issue fixed.

As well, having no RDNS (or mismatched RDNS) can be a security issue. Not as much on web applications, but for system services such as ssh/cpanel/email, all entries that can't match RDNS, or have none should be blocked

 

Only the mail server needs RDNS entries. The computers connecting to it to send mail do not. Mail tracking doesn't originate from your local workstation, which is the IP address that is sent when making requests over HTTP. It originates from the mail server after you make a connection to it. If you're running your own mail server than RDNS would be important.

There is no need for an ISP to RDNS an IP address back to the computer that it originates from. My IP Address serves the four computers, three Nintendo DSes, a Wii and several other devices to get on the Internet. Even though I have a static IP address, it has changed 4 times in the last three years as Time Warner receives and allocates more addresses on the network.

 

Actually, mail headers have, for quite some time been able to track the original sender's ip, and can take action based on that.

 

??????

Do you even realize what your posting? Your computer/firewall ip address does not need to be resolved.

The only things that need to be resolved are websites, mail servers, news servers,,,, not personal computers.

There is no reason for my networks ip address to be resolved to the name of my firewall.

 

"Mail headers" do not take action.

Legitimate mail servers have matching DNS and rDNS entries, such that the rDNS address for a mailserver's IP matches one of the IPs referenced in its domain name's DNS entry.

I have noticed that Google pays a bit more attention to websites with forward-confirmed reverse DNS entries, however.

 

Of course headers don't take action, servers take the action based upon the information in them. If you don't think that's true, ask anyone caught in an RBL because the person using the ip address BEFORE them spammed like mad. Even IF you're using your ISP's mailservers, you will still get caught there.

Actions are taken based on both the sending ip address and the mailserver's ip address. I've been doing this for years, I know very, very well how this game is played.

 

How did this thread go from "why some IP addresses do not resolve" to email spam?

 

Awesome post wayne, nicely explained!