Bug in nmap parallel resolver (dns) on Windows

["Frazier, Kenneth B" <kenneth.b.frazier () spiritaero com>]

I've found an issue while running both nmap 6.01 and 6.25 where the parallel
resolver function is attempting to reverse lookup ip addresses using dns
servers that were last assigned to an adapter/network interface that is no
longer active.   For example, if I have an Ethernet port, a wireless port,
and a USB port, if any of them are disabled or disconnected but have been
previously connected to a network, the Windows registry maintains the
adapters last DHCP assigned DNS servers, and parallel resolution will
attempt to send queries to those addresses.  If I force the use of
-system-dns, nmap does not generate these [invalid] reverse lookups.

 

I am capturing this activity via Wireshark.  I noticed the behavior when
trying to troubleshoot a problem with scans that started taking too long,
shortly after connecting to a new network interface (temporarily).

 

I am running Windows 7 SP1 X64, and an only using the IPv4 stack.  IPv6 has
been disabled.

 

Ken Frazier, CISSP

Associate Technical Fellow  +1 (316) 393-9453

Investigations & Cyber Intelligence

Security, Governance, Risk and Compliance

 

Spirit AeroSystems, Inc. 
P.O. Box 780008 | M/C: K66-22 | Wichita, KS 67278-0008

 <mailto:kenneth.b.frazier () spiritaero com> kenneth.b.frazier () spiritaero com

Attachment: smime.p7s
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/