Re: Slow name-resolution of very large target list

[Fyodor <fyodor () insecure org>]

On Thu, May 22, 2008 at 07:16:31AM +0000, Brandon Enright wrote:
> I've tried the scan from another network that has access to many very
> fast local DNS servers and have specified them with --dns-servers but
> that didn't seem to make any noticeable difference.
>
> I tried adjusting these parameters in nmap_dns.cc:
>
> #define CAPACITY_MIN 10
> #define CAPACITY_MAX 200
> #define CAPACITY_UP_STEP 2
>
> but they didn't seem to have any noticeable effect either.

I'm afraid these values are for Nmap's mass _reverse DNS_ subsystem.
It is extremely common that Nmap needs to do massive rDNS because
people scan huge networks (normally specifing the IP range) and Nmap
by default does rDNS for every host which is found to be up.  Yet it
is rare that Nmap has to do a lot of forward resolution.  When people
specify DNS names, they usually only specify a small number.

Due to this, Nmap only has a subsystem for parallel rDNS.  For forward
DNS, Nmap just uses gethostbyname() in TargetGroup.cc.  I'm not sure
if changing that is worthwhile, since it may cause more annoyance for
people than it helps.  There are some advantages to gethostbyname(),
since you are resolving in the same way as other applications in the
system.  So various custom configurations are well supported, and we
don't have to maintain or debug any of it.  Also, Nmap goes through
target specifiers one at a time.  To do parallel forward DNS, Nmap
would have to go through them all up front to figure out which ones
were hostnames and resolve them in batches.

So you may be best off using a mass DNS tool of some sort and passing
those results to Nmap.  Or maybe you can configure your DNS system to
time out queries more quickly?

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org