Documentation
Start typing to search…

Virtual Hosts

In the Legacy Search dataset, virtual hosts are identified by a name and an IP address.

This animation shows the user selecting the option to include virtual hosts in their search results in the web UI.

Collecting virtual host data with name-based scans

Virtual hosts contain services that respond to a name-based Censys scan. The name of the virtual host is the name used to scan its services.

This name is included in the scan in one of two ways:

  • In the server name indicator (SNI) field during a TLS handshake.
  • In the host header field of an HTTP request.

Virtual hosts do not have the same top-level information that hosts do (for example, geographic location, routing data, DNS data, and so on), with the exception of operating systems and labels.

Services on virtual hosts

Virtual host records include an array of services (that responded in scan to the virtual host’s name) with the same fields as those seen on hosts.

The names of services on virtual hosts are limited compared to those seen on hosts because many protocols do not support name-based differentiation.

Some example values for services.service_name that can appear on a virtual host:

Example ValuesExample Values
ANYCONNECTHTTP
ELASTICSEARCHKUBERNETES
PROMETHEUSUNKNOWN

Overlap of hosts and virtual hosts

Service data is not necessarily different between an unnamed host and a virtual host. A service observed on a particular port may provide the same content when a name is specified and when it is not.

Some services are only seen when a name is specified, so a virtual host can have whole services that are not present on the underlying unnamed host.

Effect of virtual hosts on search results

The number of virtual hosts in the Legacy Search dataset is more than double the number of hosts. Including virtual hosts in your search results can dramatically increase the number of hits.

Due to the volume of virtual host services in the dataset and out of respect for the integrity of hosts serving a large number of virtual hosts, name-based services are refreshed every 30 days.

Refresh virtual host data

DNS names known to Censys are re-resolved every 30 days, and successful responses result in name-based scans. After 45 days, virtual hosts age out of the host index.

Search virtual hosts in the web UI

  1. Click Settings in the search bar.
  2. To specify searching virtual hosts, do one of the following:

    1. To include virtual hosts in your search results, click Include.

    2. To search only virtual hosts, click Only.

  3. Input a query.
  4. Click Search.

Search virtual hosts in the API

Use the virtual_host query parameter to include, exclude, or only search virtual hosts.

If not provided, the results list defaults to unnamed hosts only.

Example API search for host and virtual hosts running an HTTP service

GET https://search.censys.io/api/v2/hosts/search?q=service.service_name%3A%20HTTP&per_page=1&virtual_hosts=include

Updated 20 days ago