Nmap Development: Fwd: RE: Nmap reverse DNS module

Fwd: RE: Nmap reverse DNS module

From: <doug_at_hcsw.org>
Date: Wed, 18 Oct 2006 11:43:22 -0700

Subject: RE: Nmap reverse DNS module
To: doug_at_hcsw.org
From: XXX

Thanks for the reply Doug, it sure helps. You're more than welcome to
post this to the nmap-dev list, I'd just ask you remove my name and
email address from the thread. Thanks!

-XXX

-----Original Message-----
From: doug_at_hcsw.org [mailto:doug_at_hcsw.org]
Sent: Tuesday, October 17, 2006 5:42 PM
To: XXX
Cc: fyodor_at_insecure.org
Subject: Re: Nmap reverse DNS module

Hi XXX,

On Tue, Oct 17, 2006 at 04:00:33PM -0700 or thereabouts, XXX wrote:
> I'm trying to use the --dns_servers switch in NMAP to map a hostname to
> an FQDN. For example hostname "test" returns the FQDN test.foo.com. I
> want to provide a specific list of DNS servers for NMAP to query. My
> first question is do I have the correct usage

> Nmap -sP test -dns_servers 1.1.1.1, 2.2.2.2, 3.3.3.3

Not quite. Here are a few issues with this command:

o DNS servers need to be separated by only , and not spaces so Nmap reads
  the server list as a single argument.

o Using -sP (ping scan) is probably unnecessary since you're only qualifying
  domain names. In fact, Nmap will not run the reverse dns resolver against
  hosts that are determined to be down (but see -R). You might have better
  luck with -sL.

o Current Nmap best-practice says to use - instead of _ in long options.

So here is the command I suggest:

nmap -sL test --dns-servers 1.1.1.1,2.2.2.2,3.3.3.3

Also notice that you can use domain names instead of IP addresses for
the DNS servers if that makes your life easier.

> and secondly, will NMAP
> query the ENTIRE list of DNS servers if it fails to resolve using the
> first couple of servers?

Very good question! Generally Nmap will try up to 3 DNS servers for
a reverse query though this can be changed in nmap_dns.cc so:

// Each request will try to resolve on at most this many servers:
#define SERVERS_TO_TRY 3

Notice that if we receive an NXDOMAIN from one of the servers this counts
as a successful lookup (there is no such name) and Nmap will not retry
on any of the other servers - even though one of them might have records
for the domain.

> Thank you for your time and contributing to a wonderful and essential
> utility.
>
> -XXX

Thank you for your interest in Nmap! Do you mind if I forward this
response to the nmap-dev list so this can be documented for the future
event that someone has a similar question?

Best,

Doug

----- End forwarded message -----
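The behaviour Doug describes (at most SERVERS_TO_TRY servers asked per reverse lookup, a timeout or SERVFAIL moves on to the next server, but an NXDOMAIN from any one server is taken as a final "no such name" and stops the lookup) is easy to get bitten by on split-horizon setups where only an internal server holds the PTR records. The following Python is an added example written for this archive page, not Doug's code and not taken from nmap_dns.cc: it builds a real PTR query on the wire, parses the RCODE and PTR answer of DNS responses, and applies the same stop-on-first-answer policy. The server addresses (192.0.2.x, documentation range) and every response are constructed in the script, so nothing is sent over the network.

```python
"""Model of the per-server reverse-DNS retry policy described in the thread.

Added example, not Nmap's own code. Responses are constructed byte strings.
"""
import struct

SERVERS_TO_TRY = 3  # same value the thread quotes from nmap_dns.cc
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_PTR, CLASS_IN = 12, 1


def ptr_name(ip):
    """Reverse an IPv4 dotted quad into its in-addr.arpa PTR owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def encode_name(name):
    """Encode a domain name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ptr_query(ip, txid=0x1234):
    """DNS header with RD=1 and a single PTR/IN question for `ip`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(ptr_name(ip)) + struct.pack(">HH", TYPE_PTR, CLASS_IN)


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def decode_name(data, off, depth=0):
    """Decode a name at `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            if depth > 5:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr, depth + 1))
            break
        off += 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels)


def parse_response(data):
    """Return (rcode, first PTR target or None) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode, off, target = flags & 0x000F, 12, None
    for _ in range(qd):                      # skip the question section
        off = _skip_name(data, off) + 4
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_PTR and target is None:
            target = decode_name(data, off)
        off += rdlen
    return rcode, target


def resolve_like_nmap(ip, servers, send):
    """Ask up to SERVERS_TO_TRY servers; `send(server, query)` returns
    response bytes or None for a timeout. Returns (hostname, servers_asked).
    NXDOMAIN is treated as a final negative answer, exactly as the thread
    describes, so later servers are never consulted."""
    query, asked = build_ptr_query(ip), []
    for server in servers[:SERVERS_TO_TRY]:
        asked.append(server)
        resp = send(server, query)
        if resp is None:                     # timeout: try the next server
            continue
        rcode, target = parse_response(resp)
        if rcode == RCODE_NXDOMAIN:          # "no such name" stops the lookup
            return None, asked
        if rcode == RCODE_NOERROR and target:
            return target, asked
        # SERVFAIL or an empty answer: fall through to the next server
    return None, asked


def make_response(query, rcode, target=None):
    """Constructed reply to `query`: QR/RD/RA set, given rcode, optional PTR."""
    txid = struct.unpack(">H", query[:2])[0]
    answer, an = b"", 0
    if target is not None:
        rdata = encode_name(target)
        answer = struct.pack(">H", 0xC00C)   # pointer to the question name
        answer += struct.pack(">HHIH", TYPE_PTR, CLASS_IN, 300, len(rdata)) + rdata
        an = 1
    return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, an, 0, 0) + query[12:] + answer


def demo():
    """Split-horizon scenario (constructed): only 192.0.2.2 knows the PTR."""
    ip = "10.1.2.3"
    query = build_ptr_query(ip)
    table = {
        "192.0.2.1": make_response(query, RCODE_NXDOMAIN),               # public resolver
        "192.0.2.2": make_response(query, RCODE_NOERROR, "test.foo.com"),  # internal server
        "192.0.2.3": None,                                                 # never answers
    }
    send = lambda server, q: table[server]
    nxdomain_first = resolve_like_nmap(ip, ["192.0.2.1", "192.0.2.2"], send)
    timeout_first = resolve_like_nmap(ip, ["192.0.2.3", "192.0.2.2"], send)
    return nxdomain_first, timeout_first


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows the two outcomes side by side: with the NXDOMAIN-returning server listed first the lookup gives up after one server, while a server that merely times out is skipped and the internal server's answer is found. The practical consequence for `--dns-servers` is that order matters: put the servers that actually hold the PTR zone first, and do not mix in resolvers that will answer NXDOMAIN for the same addresses.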

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Oct 18 2006
