Editor's note: This is part two of a series on domain name system reverse mapping techniques. Part one looked at...
how DNS reverse address mappings are constructed. Part two explores how these mappings can be used for IPv6 address scanning.
Domain name system (DNS) reverse address mapping can be leveraged for address scanning. The technique relies on two possible response codes that can be received from a DNS server when trying to obtain a PTR record for a domain name in the ip6.arpa zone. The aforementioned codes are:
When an NXDOMAIN response is received, it means the DNS name being queried does not exist, and that there are no names with DNS information, such as resource records, under it.
On the other hand, when a NOERROR response is received, it means that while the queried domain name does not contain the queried information, there is at least one domain name under it that does contain DNS resource records.
Given these two possible answers when resolving a name, the scanning technique should be rather obvious: in order to perform an address scan for the prefix, say, 2001:db8::/64, you must walk the underlying zones of 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa as a tree, one digit at a time, starting with 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
If an NXDOMAIN response is received when querying PTR records for that name, that means there are no pointer, or PTR, records for any of the addresses in the prefix 2001:db8::/64.
However, if a NOERROR response is received, that means that there is at least one domain name with resource records under it and, thus, you should go deeper into this part of the DNS tree. So the domain 0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa should be subsequently queried for PTR records.
If an NXDOMAIN response is received, that means that there are no domain names with DNS records under that part of the tree (and, thus, you should continue with 184.108.40.206.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa).
If a NOERROR response is received, that means you should look deeper into the tree and query 0.1.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. This procedure should continue until the full tree corresponding to the target prefix is walked.
In summary, the aforementioned technique means that, starting from 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa, you must query for a PTR record.
If an NXDOMAIN response is received, this means that there are no DNS records for any of the addresses in 2001:db8::/64.
Yet, if a NOERROR response is received, you should query each of the names right under that zone, from 0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa to f.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
For each of them, a response code of NXDOMAIN means that the corresponding subtree should be discarded, and the next name in the sequence should be queried.
On the other hand, a response code of NOERROR means that you need to get deeper into that part of the tree, and query each of the names right under that zone (by prepending a label with values from 0 to f).
By walking the corresponding zone for DNS reverse address mappings as a tree, large parts of that tree can be discarded, and the search space is greatly reduced; this makes the scanning of a large address space feasible. It should be noted that, strictly speaking, finding nodes with this technique simply means that the reverse mapping for a given IPv6 address has been explicitly configured, rather than the node being reachable or available.
Exploiting the DNS for IPv6 address scans
There are a number of tools available for open source implementations like the technique discussed in this article. One of them is the dnsrevenum6 tool of THC's IPv6 attack toolkit.
While customizable, this tool is very easy to use when employing its (good) default parameters. Essentially, the dnsrevenum6 tool can be employed as $ dnsrevenum6 DNS_SERVER IPV6_PREFIX, where DNS_SERVER is the domain name or IP address of a caching DNS server, and IPV6_PREFIX is the IPv6 prefix (e.g., 2001:db8::/48) to be scanned.
The dnsrevenum6 tool implements a clever trick to try to infer whether the target network employs wild cards for the DNS reverse mappings (i.e., whether all IPv6 addresses in the target prefix map to the same domain name). In order to detect such a scenario, the tool will try to obtain the domain name of five random addresses in the target prefix and infer that wild cards are employed if all five random addresses contain PTR records.
The popular Nmap tool also includes an implementation of this technique in the dns-ip6-arpa-scan script. This script can be employed as $ nmap --script dns-ip6-arpa-scan --script-args='prefix=IPV6_PREFIX', where IPV6_PREFIX is the prefix to scan.
Security and networking professionals are usually surprised by the speed with which this technique is able to find nodes in a very large IPv6 address space, for which the use of other techniques would be infeasible.
Among the possible mitigations against this address scanning technique are the use of wild cards for reverse mappings (such that all IPv6 addresses map into the same domain name) or simply avoiding the configuration of reverse mappings, except for systems where they may be required, such as mail servers.
The increased IPv6 address space has not only driven the use of heuristics for performing IPv6 address scans, but it has also led to the exploration of alternative techniques for finding IPv6 nodes. This article covers the use of DNS reverse address mappings, which enable IPv6 address scans by greatly reducing the search space, but it is expected that other techniques will be discovered and explored as IPv6 deployment continues to increase.
Find out why an intrusion response plan is a must-have
Read more on how MAC address randomization can benefit enterprises
Get the latest information on Windows hardening techniques