Nmap Development mailing list archives
Re: -6 and mass_dns and dns.lua
From: jah <jah () zadkiel plus com>
Date: Fri, 31 Oct 2008 01:45:17 +0000
On 30/10/2008 22:44, David Fifield wrote:
> On Mon, Oct 20, 2008 at 09:53:31PM +0100, jah wrote:
>> On 20/10/2008 03:57, David Fifield wrote:
>>> On Tue, Oct 07, 2008 at 04:05:03PM +0100, jah wrote:
>>>> Hi folks,
>>>>
>>>> The attached patches nmapOps.cc and nmap_dns.cc:
>>>>
>>>> o.mass_dns is not set to false for IPv6 targets.
>>>>
>>>> System dns resolution is skipped for IPv6 targets when nmap_mass_rdns() is called with zero num_targets, allowing dns servers to be obtained from the windows registry or /etc/resolv.conf if the dns servers aren't already known (servs.size() is zero). After doing this the function returns immediately and without proceeding to /etc/hosts lookup etc.
>>>>
>>>> --system-dns is respected.
>>>
>>> Thanks for your observation, insightful as usual. This is certainly a problem (may be considered a bug).
>>>
>>> I don't like the way this patch solves the problem. There is too much special casing on o.af() != AF_INET6, when the basic problem of getting a list of the system's DNS only depends on being able to read /etc/resolv.conf and /etc/hosts, not on the address family. I would prefer to see the code that reads o.dns_servers and /etc/resolv.conf (or the Windows registry) factored out into its own function. That function, which would be independent of -n and -6, would be called by nmap_mass_rdns_core and get_dns_servers. How does that sound? Or if I'm off base and missing something obvious, just tell me.
>>
>> This sounds like a good approach, but we still need to address the fact that if -6 is specified, o.mass_dns is set false which makes it impossible to determine if both -6 and --system-dns were specified. I'm assuming that if --system-dns is specified, the user intends us not to talk to any dns servers we might find and so we need to be able to tell if this was specified.
>
> I think I understand now. We can factor out the code that gets a list of servers, but we should return an empty list if --system-dns is used. Does the attached patch work for you?
>
> I've tested that it continues to use system DNS for IPv6 lookups, and that get_dns_servers returns a list of servers even with -6 except when --system-dns is also present. I haven't tested it with ASN.nse. The patch builds on a few refactoring commits I made that didn't change any outward behavior. The main change is moving the decision of whether to run mass_dns from NmapOps.cc to nmap_dns.cc. As you noted, having -6 control o.mass_dns created a tricky bit of ambiguity.
Hi David,

It only works for -6 when -n is specified, because if we've already done an rdns lookup and we don't have a list of dns servers when get_dns_servers() is called at script scanning time then this test fails:

if(servs.size() == 0 && firstrun) {...}

Also, some debugging output is incorrectly selected when -6 scans do rdns lookups and it prints out info meant for mass_dns resolving rather than system resolving:

Initiating System DNS resolution of 1 host. at 00:43
Completed System DNS resolution of 1 host. at 00:43, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 0, OK: 0, NX: 0, DR: 0, SF: 0, TR: 0, CN: 0]

I've attached ipv6-dns-list-sup.patch which supplements your patch to handle these:

# nmap -sT -6 ipv6.google.com -p80 --script asn -d
Scanning 2001:4860:0:1001::68 [1 port]
Initiating System DNS resolution of 1 host. at 01:39
Completed System DNS resolution of 1 host. at 01:39, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: System [OK: 0, ??: 1]
Initiating Connect Scan at 01:39
Scanning 2001:4860:0:1001::68 [1 port]
Discovered open port 80/tcp on 2001:4860:0:1001::68
Completed Connect Scan at 01:39, 0.05s elapsed (1 total ports)
Overall sending rates: 21.28 packets / s.
Initiating SCRIPT ENGINE at 01:39
mass_rdns: Using DNS server 212.159.6.10
mass_rdns: Using DNS server 212.159.6.9
Completed SCRIPT ENGINE at 01:39, 2.19s elapsed
Host 2001:4860:0:1001::68 appears to be up ... good.
Scanned at 2008-10-31 01:39:07 GMT Standard Time for 2s
Interesting ports on 2001:4860:0:1001::68:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Host script results:
| AS Numbers:
| BGP: 2001:4860::/32
| Country: US
|_ Origin AS: 15169 - GOOGLE - Google Inc.

Other than this, a good job well done, I reckon.

Regards,
jah
diff -u nmap-4.76_d/nmap_dns.cc nmap-4.76_d+j/nmap_dns.cc --- nmap-4.76_d/nmap_dns.cc 2008-10-31 01:09:49.279125000 +0000 +++ nmap-4.76_d+j/nmap_dns.cc 2008-10-31 01:03:55.888500000 +0000 @@ -1323,7 +1323,7 @@ if (stat_actual > 0) { if (o.debugging || o.verbose >= 3) { - if (o.mass_dns) { + if (o.mass_dns && o.af() == AF_INET) { // #: Number of DNS servers used // OK: Number of fully reverse resolved queries // NX: Number of confirmations of 'No such reverse domain eXists' @@ -1347,8 +1347,10 @@ // Returns a list of known DNS servers std::list<std::string> get_dns_servers() { - if(servs.size() == 0 && firstrun) { + static int firstdnsrun=1; + if(servs.size() == 0 && firstdnsrun) { init_servs(); + firstdnsrun=0; } // If the user said --system-dns (!o.mass_dns), we should never return a list
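Review bot: In the first hunk (the stats block around line 1323), choosing the Async/System debug format with `o.mass_dns && o.af() == AF_INET` reintroduces the address-family special-casing objected to earlier in this thread and can drift from what actually ran: the line is meant to describe the resolver used for this pass, so branch on the same decision that nmap_mass_rdns_core made when it chose between mass_dns and system resolution (record that choice in a local or a file-scope flag and test it here) rather than recomputing it from o.af(). That also keeps this output from silently disagreeing if the decision logic in nmap_dns.cc changes again.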
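Review bot: In the second hunk, `static int firstdnsrun=1;` adds a second first-run flag beside the existing `firstrun` with no comment saying why, so a later reader will take it for a duplicate; add a comment stating the reason given in the mail (a system-DNS rdns pass clears firstrun before script scanning, so `if(servs.size() == 0 && firstrun)` would never call init_servs() for get_dns_servers()), and match the surrounding style with a `bool` and spaced assignment, e.g. `static bool firstdnsrun = true;`. Also consider that with two independent flags init_servs() can now run twice when the first read found no servers (once from the rdns path, once here); if init_servs() is not idempotent, either share one flag or guard the second read.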
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
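As an added example (not nmap's own code and not from either patch in this thread), here is the factored-out server discovery David describes: resolv.conf-style text is read independently of -6, --system-dns yields an empty list, and the cache's first-run flag is separate from the rdns pass's firstrun that jah's test `if(servs.size() == 0 && firstrun)` tripped over. The DnsOpts struct, parse_resolv_conf, DnsServerCache and the sample text are all assumptions for illustration.

```cpp
#include <list>
#include <sstream>
#include <string>

// Constructed sample resolv.conf text (not captured from the thread's host).
const std::string SAMPLE_RESOLV_CONF =
    "# constructed sample\nsearch example.test\n"
    "nameserver 192.0.2.53\nnameserver 2001:db8::53\n";

struct DnsOpts {
    bool system_dns;   // --system-dns given: scripts must never get a server list
    bool ipv6;         // -6 given: deliberately not consulted for discovery
};

// Parse "nameserver <addr>" lines from resolv.conf-style text. IPv4 and IPv6
// addresses are both accepted; comments and other keywords are skipped.
std::list<std::string> parse_resolv_conf(const std::string &text) {
    std::list<std::string> servers;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string key, addr;
        if (!(fields >> key >> addr) || key[0] == '#') continue;
        if (key == "nameserver") servers.push_back(addr);
    }
    return servers;
}

// Server list filled on first use. The "initialised" flag belongs to this
// cache alone (it is not the rdns pass's firstrun), so an earlier system-DNS
// rdns pass cannot leave the list unpopulated at script-scanning time.
class DnsServerCache {
public:
    std::list<std::string> get(const DnsOpts &o, const std::string &resolv_conf) {
        if (o.system_dns) return std::list<std::string>();   // honour --system-dns
        if (!initialised) {
            servs = parse_resolv_conf(resolv_conf);
            initialised = true;
            ++reads;
        }
        return servs;                                        // same list for -4 and -6
    }
    int reads = 0;   // times the file was parsed; stays 1 across repeated calls
private:
    std::list<std::string> servs;
    bool initialised = false;
};
```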