DNS Resolution
The key focus of Nmap host discovery is determining which hosts
are up and responsive on the network. That narrows down the field of
targets, since you can't hack a host which doesn't exist. But don't
let discovery end there. You wouldn't date girls (or guys) just
because they're breathing, and selecting boxes on the network to
penetrate deserves special care
too.
A great source of information
(about networked hosts, not potential dates) is DNS, the domain name
system. Even security conscious organizations often assign names
which disclose the function of their systems. It's not uncommon to
see wireless access points named wap
or
wireless
, firewalls named fw
,
firewall
, or fw-1
, and
development web servers with not-yet-published content named
dev
, staging
,
www-int
, or beta
. Locations or
department names are also often disclosed, as in the company whose
Chicago office firewall is named fw.chi
.
By default, Nmap performs
reverse-DNS
resolution for every IP
which responds to host discovery probes (i.e. those that are online).
If host discovery is skipped with -Pn
, resolution is
performed for all IPs. Rather than use the slow standard DNS
resolution libraries, Nmap uses a custom stub resolver which
performs dozens of requests in parallel.
While the defaults generally work well, Nmap offers four options for controlling DNS resolution. They can substantially affect scanning speed and the amount of information gathered.
-
-n
(No DNS resolution) Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option reduces scanning times.
-
-R
(DNS resolution for all targets) Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.
-
--system-dns
(Use system DNS resolver) By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel to improve performance. Specify this option to use your system resolver instead (one IP at a time via the
getnameinfo
call). This is slow and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do). The system resolver is always used for IPv6 scans.-
--dns-servers
(Servers to use for reverse DNS queries)<server1>
[,<server2>
[,...]] By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or the Registry (Win32). Alternatively, you may use this option to specify alternate servers. This option is not honored if you are using
--system-dns
or an IPv6 scan. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.This option also comes in handy when scanning private networks. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (
-sL
) specifying each name server one at a time with--dns-servers
until you find one which works.