I'm trying to analyze our web access log to report on which organizations are accessing our website. But for many of the IP addresses in the log, the reverse DNS lookup resolves to CDN domain names managed by companies like Akamai.
For example, the address 184.86.101.211
resolves to a184-86-101-211.deploy.static.akamaitechnologies.com
when I do a reverse DNS lookup. But if I ping sec.gov
, I also get that IP address.
I want to report on the actual organization, in this case sec.gov
, not on the Akamai CDN domain.
Is there a reliable way to trace back from the IP address to source domain? Will it work across CDNs or do I possibly need a different approach for each type of CDN?
Akamai uses a custom HTTP Header True-Client-IP, you will need to extract those IPs to collect the rDNS entries for each, you can pipe the access logs to syslog and have syslog to the rDNS lookup.
Sources: