Nmap Development mailing list archives

Re: RFC: Should Nmap resolve and scan all addresses by default?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 8 Aug 2017 17:06:24 -0500

On Tue, Aug 8, 2017 at 4:54 PM, Daniel Miller <bonsaiviking () gmail com>
wrote:

> previously only available through the resolveall NSE script [1],
>
> Please leave your feedback in reply.


I forgot some references and neglected to mention the purpose of this kind
of DNS setup and how other applications handle this situation. The practice
of responding to a single A (or AAAA) query with more than one record (IP
address) is called Round-robin DNS [2]. It is generally used as a
load-balancing mechanism, since the order of returned IP addresses changes
and applications will generally choose the first available address to
connect to. Applications can also fall back to subsequent IP addresses if
the first one is not responsive.

Nmap has historically only scanned the first of these addresses, similar to
how a web browser only connects to the first address in the response. But
as a network discovery tool, it makes sense to be able to probe all of the
possible IP addresses that are attached to a hostname.

Nmap was already printing the list of unscanned addresses in a line like so:

    Other addresses for example.com (not scanned): 192.0.2.3 192.0.2.4 2001:db8::5

This change (in either of the two options being discussed) does not allow
scanning of both IPv4 and IPv6 addresses in a single scan. When the feature
is enabled, all the addresses in the proper address family will be scanned:
IPv6 if -6 is given, and IPv4 otherwise.

[1] https://nmap.org/nsedoc/scripts/resolveall.html
[2] https://en.wikipedia.org/wiki/Round-robin_DNS
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
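To make the target-selection rules discussed in this message concrete, here is an added Python example (not Nmap's code): it separates the system resolver call from the pure selection logic so the latter can be exercised offline on a constructed record set for example.com, where 192.0.2.2 is assumed to be the first A record returned and the remaining addresses match the "Other addresses" line quoted above.

```python
import socket
from typing import Iterable, List, Tuple

# (family, address) pairs in resolver order. Round-robin DNS rotates this
# order between queries, which is why "first address" differs from run to run.
AddrList = List[Tuple[int, str]]

def dedupe(pairs: Iterable[Tuple[int, str]]) -> AddrList:
    """Keep first occurrence of each pair; getaddrinfo repeats every address
    once per socket type, so raw results contain duplicates."""
    out: AddrList = []
    for pair in pairs:
        if pair not in out:
            out.append(pair)
    return out

def resolve(hostname: str) -> AddrList:
    """Ask the system resolver for all A and AAAA records (needs network)."""
    return dedupe((fam, sa[0]) for fam, _, _, _, sa in
                  socket.getaddrinfo(hostname, None))

def select_targets(hostname: str, records: AddrList, ipv6: bool = False,
                   resolve_all: bool = False) -> Tuple[List[str], str]:
    """Return (addresses to scan, 'Other addresses' line or '').

    One address family per run: IPv6 when ipv6 (-6) is set, IPv4 otherwise.
    Historical behaviour scans only the first address of that family; with
    resolve_all every address of that family is scanned. Addresses of the
    other family are never scanned in the same run and stay in the note.
    """
    want = socket.AF_INET6 if ipv6 else socket.AF_INET
    candidates = [addr for fam, addr in records if fam == want]
    if not candidates:          # nothing resolvable in the requested family
        return [], ""
    targets = candidates if resolve_all else candidates[:1]
    others = [addr for _, addr in records if addr not in targets]
    note = ""
    if others:
        note = f"Other addresses for {hostname} (not scanned): {' '.join(others)}"
    return targets, note

# Constructed sample: three A records and one AAAA record for example.com.
SAMPLE_RECORDS: AddrList = [
    (socket.AF_INET, "192.0.2.2"), (socket.AF_INET, "192.0.2.3"),
    (socket.AF_INET, "192.0.2.4"), (socket.AF_INET6, "2001:db8::5"),
]

if __name__ == "__main__":
    for ipv6 in (False, True):
        for resolve_all in (False, True):
            print(ipv6, resolve_all, select_targets("example.com", SAMPLE_RECORDS, ipv6, resolve_all))
```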