Channel: Jeremy Rothman-Shore Blog » iis

A PowerShell script for running reverse lookups on many IP addresses at once


I often find myself looking at web logs when researching anomalous traffic on our servers.  It’s not uncommon for a poorly written web scraper to come through the system and generate spurious errors, and I start looking at what IP addresses are generating the most hits to see if I can pinpoint who it is.

One of my first steps is to run a reverse lookup on the IP to see if there is a PTR record registered in DNS that might identify them.  For example, Amazon’s EC2 servers have registered PTR records:

> nslookup 184.169.245.120

Name: ec2-184-169-245-120.us-west-1.compute.amazonaws.com
Address: 184.169.245.120

Running nslookup by hand is fine if I need to look up just one or two addresses, but sometimes I find myself with a long list of addresses that I want to look up.  I could easily write a script around nslookup, but its output is too verbose (usually 5 or 6 lines per IP address) to scan through easily.

I also wanted to take it a step further than just a PTR lookup.  Many IPs have no PTR record, but over time I have accumulated a list of IPs that I have identified and recognize.  For example, I have a long list of Akamai servers that are frequently intermediate nodes for traffic on our Akamai URLs.  I also have the IPs of proxy servers for several clients that have large numbers of users sharing a single address.  I wanted to combine the results of my home-grown list with the reverse lookup in an easy-to-use command.

I ended up writing a PowerShell script to do just that.  It takes a list of IPs (or a single IP on the command line) and runs an nslookup on each.  Rather than spitting out many lines of output, it parses the results to extract the part I am interested in: the name record.  It then also checks the IP address against my known list of IPs, and finally outputs everything in a tab-delimited, easy-to-read format with one IP per line:

> ip_lookup.ps1 -k knownips.txt -f input_ips.txt
204.236.179.177   ec2-204-236-179-177.us-west-1.compute.amazonaws.com
204.236.188.194   ec2-204-236-188-194.us-west-1.compute.amazonaws.com
204.236.188.206   ec2-204-236-188-206.us-west-1.compute.amazonaws.com
209.170.118.215   NOT FOUND                Akamai
216.246.87.201    unknown.scnet.net        Akamai
50.18.0.118       ec2-50-18-0-118.us-west-1.compute.amazonaws.com

As I run the tool looking at different issues, I learn about new IPs and add them to my known IP list, saving me troubleshooting time in the future.

Here is the PowerShell script:
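The script itself is not reproduced on this page. What follows is an added PowerShell example written to illustrate the approach described above; it is not the author's code. It assumes a known-IP file with one "address label" pair per line (the -k file) and one IP per line in the input file (the -f file), and it uses the .NET Dns class for the PTR lookup instead of parsing nslookup's output.

```powershell
# Added example (not the author's script): reverse-lookup a list of IPs,
# annotate each with a label from a known-IP file, and print tab-delimited rows.
# Assumed file formats: known file = "<ip> <label>" per line; input file = one IP per line.
param(
    [Parameter(Mandatory = $true)][string]$KnownFile,   # -k knownips.txt
    [string]$InputFile,                                 # -f input_ips.txt
    [string]$Ip                                         # a single address instead of -f
)

# Load the known-IP list into a hashtable (address -> label); skip blanks and '#' comments.
$known = @{}
if (Test-Path $KnownFile) {
    Get-Content $KnownFile | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }
        $parts = $line -split '\s+', 2
        if ($parts.Count -eq 2) { $known[$parts[0]] = $parts[1] }
    }
}

# Gather addresses from the file or the command line; drop anything that is not a valid IP
# so a stray log fragment never reaches the resolver.
$addresses = if ($Ip) { @($Ip) } elseif ($InputFile) { Get-Content $InputFile } else { @() }
$addresses = $addresses | ForEach-Object { $_.Trim() } |
    Where-Object { $parsed = $null; [System.Net.IPAddress]::TryParse($_, [ref]$parsed) }

foreach ($addr in $addresses) {
    # PTR lookup: GetHostEntry on an IP string performs a reverse lookup and throws
    # (or returns the bare address) when no PTR record exists.
    try {
        $name = [System.Net.Dns]::GetHostEntry($addr).HostName
        if ($name -eq $addr) { $name = 'NOT FOUND' }
    } catch {
        $name = 'NOT FOUND'
    }
    $label = if ($known.ContainsKey($addr)) { $known[$addr] } else { '' }
    # One tab-delimited line per IP: address, PTR name, known-list label
    "{0}`t{1}`t{2}" -f $addr, $name, $label
}
```

Invoke it as `.\ip_lookup.ps1 -KnownFile knownips.txt -InputFile input_ips.txt` or with `-Ip 1.2.3.4` for a single address; the parameter names here are this example's own, not the author's `-k`/`-f` switches.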
