I'm interested in identifying all the hostnames belonging to someone and I wanted to ask this community for their recommendations on how to best do it. I understand that, in many cases, it's not possible to generate a comprehensive list of hostnames. However, I'm still interested in what you all think is the best way of going about doing it.
My thoughts are:
1) collect all publicly available hostnames (crawl the web, parse public proxy logs) - aren't all search engines already doing this? Is anyone making this list public?
2) perform whois lookups on each hostname to determine owner (I realize that whois records are unreliable and can be hidden but it's the only thing I could think of)
What do the experts think?