The increased IPv6 address space has not only driven the use of heuristics when performing IPv6 address scans, but it has also led to the exploration of alternative techniques for finding IPv6 nodes. This article explains the use of an extremely powerful vector for discovering IPv6 nodes: the use of DNS reverse mapping.
Internet Protocol version 6 (IPv6) address scanning attacks typically involve sending some sort of probe packet, such as Internet Control Message Protocol version 6 echo requests, to the target nodes and waiting for a response. Since the default size of an IPv6 network is /64, nodes can hide in any of the 2^64 addresses in the network, thus making brute force IPv6 address scanning attacks impossible.
Research in the area of IPv6 scanning has found that IPv6 addresses follow specific patterns that can be leveraged to reduce the search space, thus making heuristic IPv6 address scans feasible.
However, there are a number of reasons why using alternative techniques to discover IPv6 nodes is worth exploring.
First, some operating systems, such as Microsoft Windows, have implemented an algorithm for generating IPv6 addresses that results in randomized addresses. Second, networks relying on Dynamic Host Configuration Protocol (DHCP) version 6 for address configuration might employ DHCPv6 servers that lease addresses without any obvious pattern (rather than incremental addresses of the form 2001:db8::1, 2001:db8::2 and so on). Third, the Internet Engineering Task Force is already in the process of publishing a formal update to the current specifications, such that the traditional scheme for generating auto-configured addresses will be replaced with RFC 7217, which does not result in any address patterns. This means that techniques to complement and/or replace traditional address scanning functionality (a la ping sweeps) are warranted.
One of the most powerful of these techniques involves a frequently misunderstood or forgotten feature of the domain name system (DNS): reverse mappings. Here's how the concept of DNS reverse mapping works, and how this DNS feature can be leveraged for IPv6 address scans.
DNS reverse address mappings
Most networking and security professionals are familiar with DNS and its most frequent functionality, mapping domain names (such as www.example.com) to IP addresses.
In a number of scenarios, however, it may be useful to perform exactly the opposite: getting an IP address and mapping it to a domain name. This can help, for example, when learning the route to a destination node via the traceroute tool; the IP addresses that comprise the route are converted into domain names that are typically more descriptive or more meaningful to users. Thus, the ability of the traceroute tool to come up with a list of domain names from IP addresses relies on DNS reverse mappings.
Reverse mapping of IPv4 addresses to domain names is performed by means of a special DNS zone: in-addr.arpa. Domain names in this zone will follow the pattern x.x.x.x.in-addr.arpa, where each x is a number between 0 and 255, and the group of those four x values will correspond to an IPv4 address written backwards.
Domain names in the in-addr.arpa zone typically have PTR records containing a domain name corresponding to the IPv4 address in question. Thus, in order to obtain the DNS domain name corresponding to the IPv4 address 192.0.2.1, one should obtain the PTR record for the domain name 1.2.0.192.in-addr.arpa, which might, for example, contain the domain name server.example.com.
It is important to highlight that mapping from an IP address to a domain name is completely independent of mapping from a domain name to an IP address. In this example, the former involves the configuration of a PTR record for the domain name 1.2.0.192.in-addr.arpa (and authority over the 2.0.192.in-addr.arpa zone), while the latter involves the configuration of an A record for the domain name server.example.com (and authority over the example.com zone).
Typically, whenever an organization is assigned an IP address block, it is also assigned authority over the corresponding zone in in-addr.arpa. For example, an organization that is assigned the prefix 192.0.2.0/24 will also be assigned authority over the DNS zone 2.0.192.in-addr.arpa, such that the organization can configure reverse address mappings as appropriate.
Reverse IPv6 address mappings are quite similar to their IPv4 counterparts, with the most important difference being that the DNS zone employed for such mappings is ip6.arpa. Similar to its IPv4 counterpart, this zone will contain IPv6 addresses written backwards, one hexadecimal digit (nibble) per label. For example, in order to obtain the domain name corresponding to the IPv6 address 2001:db8::1 (that is, 2001:0db8:0000:0000:0000:0000:0000:0001 in expanded form), one should obtain the PTR record for the domain name 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. Each hexadecimal digit of the IPv6 address will correspond to one label in the resulting domain name.
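The name construction described in the preceding paragraphs, written out as a worked example. This is added code, not part of the original article: it builds the in-addr.arpa and ip6.arpa names for the article's two sample addresses (192.0.2.1 and 2001:db8::1) and the delegated reverse zones for the prefixes 192.0.2.0/24 and 2001:db8::/32, then cross-checks the hand-built names against the `reverse_pointer` attribute that Python's standard `ipaddress` module provides. The function names `reverse_name` and `reverse_zone` are this example's own choices.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """Return the reverse-mapping domain name whose PTR record is looked up
    to translate `address` into a hostname."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # IPv4: the four decimal octets, written backwards, under in-addr.arpa
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: all 32 hexadecimal digits of the fully expanded address
    # (leading zeros and "::" written out), one label per digit, backwards,
    # under ip6.arpa
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(prefix: str) -> str:
    """Return the reverse DNS zone that the holder of an address block is
    typically delegated authority over (e.g. 2.0.192.in-addr.arpa for
    192.0.2.0/24). Only octet-aligned IPv4 and nibble-aligned IPv6 prefixes
    map onto a single zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on /8, /16 or /24 boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on 4-bit (nibble) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(address: str) -> bool:
    """Cross-check: the hand-built name must equal what the standard library
    computes for the same address."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer


if __name__ == "__main__":
    # Sample addresses and prefixes taken from the article's own examples
    for addr in ("192.0.2.1", "2001:db8::1"):
        print(f"{addr:>12} -> {reverse_name(addr)}  (stdlib agrees: {matches_stdlib(addr)})")
    for pfx in ("192.0.2.0/24", "2001:db8::/32", "2001:db8::/64"):
        print(f"{pfx:>14} -> zone {reverse_zone(pfx)}")
```

Note that a /64 IPv6 network maps onto a 16-label zone under ip6.arpa, so each of the 2^64 possible host addresses in that network corresponds to one 32-label name beneath it; the PTR records an operator actually populates there are what later parts of this series build on.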
The next part of this article series will explore how to use reverse DNS address mappings to scan IPv6 addresses. Stay tuned for part 2 on DNS reverse mapping.