Nmap Development mailing list archives

Re: -6 and mass_dns and dns.lua


From: jah <jah () zadkiel plus com>
Date: Fri, 31 Oct 2008 01:45:17 +0000

On 30/10/2008 22:44, David Fifield wrote:
> On Mon, Oct 20, 2008 at 09:53:31PM +0100, jah wrote:
>> On 20/10/2008 03:57, David Fifield wrote:
>>> On Tue, Oct 07, 2008 at 04:05:03PM +0100, jah wrote:
>>>> Hi folks,
>>>>
>>>> The attached patches nmapOps.cc and nmap_dns.cc:
>>>>
>>>> o.mass_dns is not set to false for IPv6 targets.
>>>>
>>>> system dns resolution is skipped for IPv6 targets when nmap_mass_rdns()
>>>> is called with zero num_targets allowing dns servers to be obtained from
>>>> the windows registry or /etc/resolv.conf if the dns servers aren't
>>>> already known (servs.size() is zero).  After doing this the function
>>>> returns immediately and without proceeding to /etc/hosts lookup etc.
>>>>
>>>> --system-dns is respected.
>>>
>>> Thanks for your observation, insightful as usual. This is certainly a
>>> problem (may be considered a bug).
>>>
>>> I don't like the way this patch solves the problem. There is too much
>>> special casing on o.af() != AF_INET6, when the basic problem of getting
>>> a list of the system's DNS only depends on being able to read
>>> /etc/resolv.conf and /etc/hosts, not on the address family.
>>>
>>> I would prefer to see the code that reads o.dns_servers and
>>> /etc/resolv.conf (or the Windows registry) factored out into its own
>>> function. That function, which would be independent of -n and -6, would
>>> be called by nmap_mass_rdns_core and get_dns_servers. How does that
>>> sound? Or if I'm off base and missing something obvious, just tell me.
>>
>> This sounds like a good approach, but we still need to address the fact
>> that if -6 is specified, o.mass_dns is set false which makes it
>> impossible to determine if both -6 and --system-dns were specified.
>>
>> I'm assuming that if --system-dns is specified, the user intends us not
>> to talk to any dns servers we might find and so we need to be able to
>> tell if this was specified.
>
> I think I understand now. We can factor out the code that gets a list of
> servers, but we should return an empty list if --system-dns is used.
>
> Does the attached patch work for you? I've tested that it continues to use
> system DNS for IPv6 lookups, and that get_dns_servers returns a list of
> servers even with -6 except when --system-dns is also present. I haven't
> tested it with ASN.nse.
>
> The patch builds on a few refactoring commits I made that didn't change
> any outward behavior. The main change is moving the decision of whether
> to run mass_dns from NmapOps.cc to nmap_dns.cc. As you noted, having -6
> control o.mass_dns created a tricky bit of ambiguity.

Hi David,

It only works for -6 when -n is specified because if we've already done
an rdns lookup and we don't have a list of dns servers when
get_dns_servers() is called at script scanning time then this test fails:
    if(servs.size() == 0 && firstrun) {...}

Also, some debugging output is incorrectly selected when -6 scans do
rdns lookups and it prints out info meant for mass_dns resolving rather
than system resolving:
Initiating System DNS resolution of 1 host. at 00:43
Completed System DNS resolution of 1 host. at 00:43, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 0, OK: 0, NX: 0, DR: 0, SF: 0, TR: 0, CN: 0]

I've attached ipv6-dns-list-sup.patch which supplements your patch to
handle these:
# nmap -sT -6 ipv6.google.com -p80 --script asn -d

Scanning 2001:4860:0:1001::68 [1 port]
Initiating System DNS resolution of 1 host. at 01:39
Completed System DNS resolution of 1 host. at 01:39, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: System [OK: 0, ??: 1]
Initiating Connect Scan at 01:39
Scanning 2001:4860:0:1001::68 [1 port]
Discovered open port 80/tcp on 2001:4860:0:1001::68
Completed Connect Scan at 01:39, 0.05s elapsed (1 total ports)
Overall sending rates: 21.28 packets / s.
Initiating SCRIPT ENGINE at 01:39
mass_rdns: Using DNS server 212.159.6.10
mass_rdns: Using DNS server 212.159.6.9
Completed SCRIPT ENGINE at 01:39, 2.19s elapsed
Host 2001:4860:0:1001::68 appears to be up ... good.
Scanned at 2008-10-31 01:39:07 GMT Standard Time for 2s
Interesting ports on 2001:4860:0:1001::68:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Host script results:
|  AS Numbers:
|  BGP: 2001:4860::/32 | Country: US
|_   Origin AS: 15169 - GOOGLE - Google Inc.

Other than this, a good job well done, I reckon.

Regards,

jah
diff -u nmap-4.76_d/nmap_dns.cc nmap-4.76_d+j/nmap_dns.cc
--- nmap-4.76_d/nmap_dns.cc     2008-10-31 01:09:49.279125000 +0000
+++ nmap-4.76_d+j/nmap_dns.cc   2008-10-31 01:03:55.888500000 +0000
@@ -1323,7 +1323,7 @@
 
   if (stat_actual > 0) {
     if (o.debugging || o.verbose >= 3) {
-      if (o.mass_dns) {
+      if (o.mass_dns && o.af() == AF_INET) {
        // #:  Number of DNS servers used
        // OK: Number of fully reverse resolved queries
        // NX: Number of confirmations of 'No such reverse domain eXists'
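Review bot: the added `o.af() == AF_INET` test in `if (o.mass_dns && o.af() == AF_INET)` brings back the address-family special casing that David objected to earlier in the thread, and it only fixes the symptom (the Async stats block being printed for a -6 run that actually used the system resolver). Since David's patch moves the mass_dns-or-system decision into nmap_dns.cc, the stats branch should key off whatever variable records that decision for the current run, the same one that selects the Async and System code paths, so the `Mode: Async` / `Mode: System` line always describes the resolver that actually executed rather than the address family.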
@@ -1347,8 +1347,10 @@
 
 // Returns a list of known DNS servers
 std::list<std::string> get_dns_servers() {
-  if(servs.size() == 0 && firstrun) {
+  static int firstdnsrun=1;
+  if(servs.size() == 0 && firstdnsrun) {
     init_servs();
+    firstdnsrun=0;
   }
 
   // If the user said --system-dns (!o.mass_dns), we should never return a list
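Review bot: the new function-local `static int firstdnsrun=1;` does address the case jah describes (the rdns pass has already cleared `firstrun`, so `servs.size() == 0 && firstrun` can never fire at script-scan time), but the hunk should carry a one-line comment saying why `firstrun` cannot be reused here, otherwise the next reader is likely to "simplify" it back. Two smaller points: `firstdnsrun=1` and `firstdnsrun=0` drop the spaces around `=` that the surrounding code uses, and `static bool` would be the idiomatic type; and because `init_servs()` is now attempted exactly once per process, a later call to `get_dns_servers()` cannot recover if the first read of /etc/resolv.conf or the registry yielded no servers, so please confirm that is the intended behaviour.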

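A constructed model of the flag interaction described above (the rdns pass clearing `firstrun` before `get_dns_servers()` is called at script-scan time, and `--system-dns` meaning no list is ever returned), added here as an illustration and not nmap's own code; the `Opts` struct, the function names and the server addresses are assumptions, and the patch's function-local static is modelled as a file-scope flag so the scenario can be reset.

```cpp
#include <cstddef>
#include <list>
#include <string>
#include <utility>

// Constructed model of the state shared between nmap's rdns pass and
// get_dns_servers(); not nmap's code. --system-dns is modelled as mass_dns=false.
struct Opts { bool mass_dns; bool ipv6; };

static std::list<std::string> servs;     // DNS servers learned so far
static bool firstrun = true;             // cleared by the first rdns pass
static bool firstdnsrun = true;          // the patch's own one-shot flag

// Stand-in for reading /etc/resolv.conf or the registry (constructed servers).
static void init_servs() {
    servs.push_back("192.0.2.53");       // RFC 5737 documentation range
    servs.push_back("192.0.2.54");
}

// Rdns pass at host-discovery time. With -6 the system resolver is used, so
// init_servs() never runs, but firstrun is cleared regardless.
void mass_rdns_core(const Opts& o) {
    if (firstrun && o.mass_dns && !o.ipv6 && servs.empty()) init_servs();
    firstrun = false;
}

// Before the patch: reuses firstrun, which the rdns pass has already cleared.
std::list<std::string> get_dns_servers_old(const Opts& o) {
    if (servs.empty() && firstrun) init_servs();
    if (!o.mass_dns) return std::list<std::string>();   // --system-dns: never a list
    return servs;
}

// After the patch: its own flag (a function-local static in the real patch).
std::list<std::string> get_dns_servers_new(const Opts& o) {
    if (servs.empty() && firstdnsrun) { init_servs(); firstdnsrun = false; }
    if (!o.mass_dns) return std::list<std::string>();
    return servs;
}

// Script-scan scenario for an IPv6 target; do_rdns=false models -n.
// Returns {servers seen by the old code, servers seen by the patched code}.
std::pair<size_t, size_t> ipv6_script_scan(bool system_dns, bool do_rdns) {
    servs.clear(); firstrun = true; firstdnsrun = true;   // fresh process
    Opts o{ !system_dns, true };
    if (do_rdns) mass_rdns_core(o);
    return { get_dns_servers_old(o).size(), get_dns_servers_new(o).size() };
}
```

With `-6` and a preceding rdns pass the old code hands the script engine an empty list while the patched code returns the two servers; with `-n` both return them, and with `--system-dns` both return none.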
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
