A Beginner’s Guide On How To Check And Verify The Authenticity Of Korean Web Server IDs

1.

Preparatory Work and Goal Definition

Step-by-step instructions: First, clarify what exactly the “server ID” you want to verify refers to: Domain names, hostnames, IP addresses, CN/SAN of SSL certificates, or the Server field in SSH host fingerprints or HTTP response headers. Prepare tools: A computer that can run a command line (Linux/macOS preferred, Windows is also acceptable), with dig/nslookup, whois, traceroute/tracert, curl, openssl, ssh, and nmap installed or available for use (optional). Online Alternative Tools: ipinfo.io 、 rdap.org 、 bgp.he.net sslscan/ssllabs, whois.kr, or kisa. Small segments: 1) Define goals 2) Prepare tools 3) Record the data to be verified (domain name/IP/port/certificate screenshots)

2.

Step 1: DNS and Reverse Resolution (verifying the correspondence between hostnames and IPs)

Operation method: Run in Linux/macOS terminal: dig A domain name +short or nslookup domain name ； This will give the resolved IPv4/IPv6 address. Then use dig -x IP or nslookup IP to query the PTR (reverse lookup), to see if the hostname returned by PTR matches the target hostname. Pay attention to the CDN status: If the domain name points to a CDN node, DNS will return the CDN’s IP/hostname instead of the origin server. Small segments: 1) Use dig/nslookup to check the forward lookup. 2) Use dig -x to check the reverse lookup. 3) Compare whether they match and record the TTL and CNAME chain

3.

Step 2: WHOIS / RDAP queries for IP ownership and registration information

Operation method: Run whois IP in the terminal (if the system doesn’t have whois, you can use an online whois service). Pay special attention to inetnum, org, country, remarks, and abuse contact. Most Korean IPs are assigned to KRNIC/KR, or allocated by local operators (KT, SK Broadband, etc.). You can also visit https://whois.kisa.or.kr or the RDAP interface to view more detailed registration information. Small segments: 1) Examples of the whois command: whois 1.234.56.78 2) Locate the org/inetnum/abuse email in the output. 3) Determine whether it is a Korean ISP or an international CDN

4.

Step 3: BGP/AS Inspection and Routing Paths (Troubleshooting Proxies or Hosting)

Operation method: Use online tools bgp.he.net Enter the IP to view its AS number and advertised prefix ； Execute traceroute IP (Linux/macOS) or tracert IP (Windows) in the terminal to observe the routing path, paying attention to the first hop and the reverse domain name (often containing ISP identification). If the path first reaches intermediate layers such as Cloudflare/Alibaba/Google, it indicates that the domain may be using a CDN or reverse proxy. Small segments: 1) Query AS and announcement prefixes 2) Use traceroute to analyze latency and hop count 3) Determine if it’s a direct connection or goes through a third party

5.

Step 4: Check service-layer evidence—HTTP headers, TLS certificates, and SSH fingerprints

Operation method: HTTP headers: Use curl -I https://domain to or curl -s -D - https://domain to view identifiers such as Server, Via, and X-Cache. TLS certificate: openssl s_client -connect domain name:443 -servername domain name | openssl x509 -noout -text to view the certificate’s Subject CN, SAN, issuing authority, and validity period ； Record certificate fingerprint: openssl x509 -in cert.pem -noout -fingerprint. SSH: Run `ssh-keyscan -t rsa domain.com > key.pub`, then use `ssh-keygen -lf key.pub` to get the fingerprint, which can be compared with the fingerprints already known by the system. Small segments: 1) Use curl to view HTTP headers. 2) Use openssl to view the certificate and record its fingerprint. 3) Use ssh-keyscan to obtain the SSH fingerprint and compare it

6.

Step 5: Port scanning and service fingerprinting (optional; ensure legality)

Operation method: Use nmap -sV -p22,80,443,8080 IP to detect open ports and attempt to obtain service version information (only when authorized to scan). Verify consistency by cross-checking the version with the certificate and HTTP headers, for example, whether the certificate’s CN points to abc.example.com However, if the HTTP headers show a different Server or version, it may indicate hosting or spoofing. Small segments: 1) Examples of basic nmap commands 2) Interpreting service versions 3) Cross-referencing with certificate/HTTP information

7.

Step 6: Geographical Location and Physical Authenticity Verification (Interpret with Caution)

Operation method: Use ipinfo.io/IP Or use a geoIP service to check the geographical location ； Note: The geographic database is not absolutely accurate; CDN or cloud provider IPs may be marked as their headquarters or entry point. The approximate physical distance can be determined by combining the traceroute latency (in milliseconds): A ping delay to Korean IPs of several dozen milliseconds to over a hundred milliseconds is usually reasonable. For more authoritative data, you can contact the abuse/contact email listed in the IP’s WHOIS or KISA. Small segments: 1) Use ipinfo/GeoIP tools 2) Check if the latency is reasonable using ping/traceroute 3) Contact the registrar or KISA for verification if necessary

8.

Step 7: Comprehensive Evaluation and Record Proof

Operation method: Summarize the output of the above steps into a verification report: DNS resolution diagrams, WHOIS information screenshots, BGP/AS records, traceroute paths, certificate fingerprint screenshots, SSH fingerprint text, HTTP response header excerpts. Provide a judgment for each item (Match/Suspected/Mismatch). If there is any inconsistency, indicate possible causes (CDN, load balancing, hosting, DNS hijacking, etc.) and suggest the next steps (contact the host or the original domain owner). Small segments: 1) Summarize the evidence 2) Provide a judgment conclusion 3) Offer recommendations for improvement or further investigation

9.

Frequently Asked Questions: How to quickly determine if it’s a real local server in South Korea?

Ask: How to quickly determine whether a target IP is actually located in South Korea? Answer: First, use dig/nslookup to get the IP address, then use whois/rdap to confirm that the country associated with the IP address is KR ； By using traceroute to check the number of routing hops and latency (reaching the first KO domain name or an ISP identified as a South Korean local operator with reasonable latency), and when there are no obvious CDN indicators in the certificate or service response headers, it can generally be assumed that it is located in South Korea. However, geographical database errors and CDN nodes can interfere with the judgment; it is necessary to verify with the WHOIS contact person or KISA when needed.

10.

Frequently Asked Questions: What if the certificate’s CN doesn’t match the DNS?

Ask: When the CN/SAN of a TLS certificate does not match the domain name, how can its authenticity be determined? Answer: First, confirm whether it goes through a reverse proxy or load balancer (which would cause the certificate to point to the upstream domain name), and check if there are HTTP headers such as X-Forwarded-For or Via ； If the certificate is issued by a trusted CA but does not match the expected domain name, it should be considered inconsistent with that domain name. Be cautious and do not enter sensitive information ； Verify the reason with the website administrator or certificate holder, and check for man-in-the-middle risks.

11.

Frequently Asked Questions: How to monitor and record changes in the authenticity of server IDs over the long term?

Ask: Is there a way to automatically monitor changes in server IDs (certificates/SSH fingerprints/IP addresses)? Answer: The certificate fingerprints can be periodically captured using scripts (openssl s_client), SSH fingerprint (ssh-keyscan), WHOIS snapshots, and DNS resolution results, and save them to version control or a database ； Compare historical records; notify administrators via email/alarm if any changes occur. It is recommended to use Cron along with shell/python scripts, in combination with online services such as the SSL Labs API and ipinfo API, for periodic testing, while keeping evidence for traceability.