1. Censys
  2. Censys Search
  3. Resources for Learning Before You Search

Other Articles In This Section

In this article:

Introduction to Virtual Hosts

  • Updated

Big Idea: Hosts are identified by IP address. Virtual hosts are identified by a name + IP address.

vhost options

Hosts are identified in the Censys data set by IP address.

Now, our host data set includes both (unnamed) hosts and virtual hosts.

Collecting Virtual Host Data with Name-Based Scans

Virtual hosts contain services that have responded to a name-based Censys scan. The name of the virtual host is the name used to scan its services.

This name was included in the scan in one of two ways:

  • In the server name indicator (SNI) field during a TLS handshake

  • In the Host header field of an HTTP request

Virtual hosts do not have the top-level information that hosts do (e.g., geographic location, routing data, DNS data, etc.), with the exception of operating system and labels.

Services on Virtual Hosts

Virtual host records present an array of services (that responded in scan to the virtual host’s name) with the same fields as those seen on hosts.

The names of services on virtual hosts are limited compared to those seen on hosts because many protocols do not support name-based differentiation.

Values for services.service_name that can appear on a virtual host:

  • ANYCONNECT

  • HTTP

  • ELASTICSEARCH

  • KUBERNETES

  • PROMETHEUS

  • UNKNOWN

virtual host service names

The Overlap of Hosts & Virtual Hosts

Service data is not necessarily different between an (unnamed) host and a virtual host. A service observed on a particular port may provide the same content when a name is specified and when it is not.

Some services may only be seen when a name is specified, so a virtual host may have whole services that are not present on the underlying (unnamed) host.

The Effect of Virtual Hosts on Search Results

The number of vhosts in the Censys dataset is more than double the number of hosts. Including virtual hosts in your search results can dramatically increase the number of hits.

Due to the volume of virtual host services in the Censys data set and out of respect for the integrity of hosts serving a large number of virtual hosts, name-based services are refreshed at a rate of every 30 days.

Refreshing Virtual Host Data

DNS names known to Censys are re-resolved every 30 days and successful responses result in name-based scans. Virtual hosts age out of the host index after 45 days.

How to Search Virtual Hosts in the Web UI

  1. Click the Search settings icon (gear) in the search bar of the web UI.

  2. For the Virtual hosts setting, select "Include" to include virtual hosts in your search results. Select "Only" to restrict your search results to just virtual hosts.

  3. Write a query in the Censys Search Language that asks a question about virtual hosts.

  4. Click Search.

How to Search Virtual Hosts in the API

  1. Use the new virtual_host query parameter to include, exclude, or only search virtual hosts.

    If not provided, the results list defaults to (unnamed) hosts only.

Example Search for Host and Vhosts Running an HTTP Service:

GET https://search.censys.io/api/v2/hosts/search?q=service.service_name%3A%20HTTP&per_page=1&virtual_hosts=include

How to Search Virtual Hosts in BigQuery

Upgrade to the Censys Premium tier for access to the industry’s only virtual host data set.

Questions? Reach out to support@censys.io.

Related articles

Comments

0 comments

Please sign in to leave a comment.