Nmap Development mailing list archives

From: John Bond <john.r.bond () gmail com>
Date: Sat, 26 Feb 2011 13:34:58 +0100

On 26 February 2011 10:49, David Fifield <david () bamsoftware com> wrote:
> I think you're right about this. (Except that ldns-walk is using
> $lasthostname0, not \001$lasthostname.) Section 6.1 of RFC 4034 says
> that 0.example.com precedes example0.com. And you're right that your
> method is finding the subdomains. This is clever and useful behavior.
>
> As I learned while studying your script, we need the "append 0" behavior
> sometimes too, namely when a complete subzone has been enumerated,
> because the final NSEC record will point back to the first name in the
> subzone. Then we append a zero to continue on in the parent zone. In my
> changes to your script I took advantage of this and displayed subzones
> with greater indentation.

This is actually something slightly different. This occurs when we
have a delegated zone hosted on the same server, i.e. we have
example.com which has a delegation for test.example.com, however both
zones are on the same DNS server. When you step into test.example.com
you actually start enumerating a new zone, so you need to know when you
have finished that zone and when to step back out. We use the fact
that an A request for a delegated domain returns a no error state
instead of nxdomain. We also do the same thing if we step into a
delegated zone that isn't signed.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
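
The ordering rule cited in the quoted text (RFC 4034 section 6.1), as an added example that is not part of the original message or of the Nmap script: it builds a canonical sort key for DNS names and checks whether an NSEC owner/next pair covers a name, the way a validator checks a denial of existence, including the wrap-around at the last record of a zone. The function names and the example.com names are constructed for illustration, and escaped dots inside labels are assumed not to occur.

```python
import re

_ESCAPE = re.compile(rb"\\(\d{3})")  # \DDD decimal escape in presentation format


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering.

    Labels are compared right to left as lowercased octet strings; a name
    whose labels are a prefix of another name's labels sorts first.
    """
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [
        _ESCAPE.sub(lambda m: bytes([int(m.group(1))]), l.encode("ascii")).lower()
        for l in reversed(labels)
    ]


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between an NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last NSEC of a zone: the next name wraps back to the first name.
    return q > o or q < n


# Ordering example from RFC 4034 section 6.1, listed in canonical order.
RFC4034_ORDER = [
    "example", "a.example", "yljkjljk.a.example", "Z.a.example",
    "zABC.a.EXAMPLE", "z.example", r"\001.z.example", "*.z.example",
    r"\200.z.example",
]

if __name__ == "__main__":
    # Constructed names: every subdomain of example.com sorts before example0.com.
    names = ["example0.com", "0.example.com", "example.com", r"\001.example.com"]
    for n in sorted(names, key=canonical_key):
        print(n)
    print(nsec_covers("example.com", "example0.com", "test.example.com"))
```
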
