How are hostnames and IP addresses determined in network scans?

During a network scan, Holm Security automatically detects the hostname and IP address of each scanned asset. Since networks have different configurations and access levels, the scanner uses multiple detection methods in priority order to find the most reliable information.

Detection methods

The scanner attempts to identify hostnames and IP addresses using the following methods, listed in priority order from highest to lowest:

1. Kubernetes services

When scanning Kubernetes clusters, the scanner associates IP addresses with service names from the cluster context.

  • Service DNS names are treated as authoritative hostnames for assets within the cluster
  • Corresponding IP addresses are also recorded for network mapping

2. Custom hostname and IP overrides

Custom overrides provided through configuration scripts are given the highest priority among manual configurations, as they represent explicit user input.

  • NetBIOS desktop names
  • Computer names
  • Static IP addresses

3. DNS resolution

The scanner queries DNS records to detect hostnames and IP addresses. This is the most common detection method for servers and network appliances.

  • Forward DNS: If you specify the scan target as a hostname (for example, server01.example.com), the scanner resolves it to an IP address
  • Reverse DNS (PTR lookup): If you scan by IP address, the scanner attempts to resolve the hostname via the reverse DNS record

4. Windows Management Instrumentation (WMI) / Active Directory

When WMI or Active Directory credentials are provided during the scan, the scanner retrieves hostnames and IP addresses directly from the operating system or directory service. This information is considered authoritative.

5. SMB / NetBIOS

If SMB/NetBIOS ports (139 or 445) are reachable on the target, the scanner queries the host for its Windows machine name and confirms the IP addresses. This method is often most accurate for Windows workstations and servers.

6. SSL/TLS certificates

If a host exposes encrypted services (HTTPS, SMTPS, LDAPS), the scanner extracts hostnames from the security certificate. This method is especially useful for appliances, web servers, and load balancers.

  • Common Name (CN): Primary hostname identifier in the certificate
  • Subject Alternative Names (SAN): Additional hostnames covered by the certificate

How the scanner selects results

The scanner uses multiple detection methods to ensure that hostnames and IP addresses are discovered even in complex or restricted network environments. When multiple methods detect different hostnames or IP addresses for the same asset, the scanner prioritizes results from the methods listed above, starting with Kubernetes services and ending with SSL/TLS certificates.

Note: The use of authenticated scans with WMI or Active Directory credentials significantly improves detection accuracy, as this method retrieves information directly from the operating system rather than relying on network protocols or DNS records.
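The following sketch is an added illustration, not Holm Security's code. It applies the priority order listed above to constructed per-method observations and reports which lower-priority methods disagreed with the selected value. The method labels, the `select` function, and resolving hostname and IP independently are assumptions made for the example.

```python
# Added illustration, not Holm Security's code. Keys are hypothetical labels
# for the six methods in the article, in the article's priority order.
PRIORITY = [
    "kubernetes_service",
    "custom_override",
    "dns",
    "wmi_ad",
    "smb_netbios",
    "tls_certificate",
]

def select(observations, field):
    """Return (value, method, conflicts) for field "hostname" or "ip".

    observations: {method: {"hostname": str | None, "ip": str | None}}
    Assumption: each field is resolved independently, falling through to the
    next method when a higher-priority one reported nothing for that field.
    """
    unknown = set(observations) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown detection method(s): {sorted(unknown)}")
    chosen = None
    conflicts = []
    for method in PRIORITY:
        value = (observations.get(method) or {}).get(field)
        if not value:
            continue
        # DNS names are case-insensitive and may carry a trailing root dot.
        norm = value.strip().rstrip(".").lower() if field == "hostname" else value.strip()
        if chosen is None:
            chosen = (norm, method)
        elif norm != chosen[0]:
            conflicts.append((method, norm))
    if chosen is None:
        return None, None, []
    return chosen[0], chosen[1], conflicts

# Constructed sample: a Windows host scanned by IP whose PTR record is stale.
SAMPLE = {
    "dns": {"hostname": "old-name.example.com.", "ip": "192.0.2.10"},
    "wmi_ad": {"hostname": "SRV-FILE01.example.com", "ip": "192.0.2.10"},
    "tls_certificate": {"hostname": "files.example.com", "ip": None},
}

if __name__ == "__main__":
    for field in ("hostname", "ip"):
        print(field, select(SAMPLE, field))
```

With the constructed sample, the reverse DNS name is selected because DNS is listed above WMI / Active Directory, and the conflict list shows the other names seen for the same asset, which is a useful prompt to check for stale PTR records.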

Why multiple detection methods matter

Network environments vary widely. Some assets may only expose certain services, some may not have DNS records, and some may have restricted access permissions. By using multiple detection methods in priority order, Holm Security can identify hostnames and IP addresses across diverse network configurations, from traditional data centers to cloud-native Kubernetes deployments.