Home / server / Questions / 843304
Accepted
Jacob Evans
Asked: 2017-04-08 09:45:21 +0800 CST

Can nmap scan/test all answers from round-robin dns?

  • 772

I have a round-robin dns record I want to test with nmap, currently it only tries one of the IPs (if I run a loop it checks each in order).

Is there a way to have nmap test all A/AAAA records from a dns record?

example: nmap -p25 rr-test.jacobdevans.com

nmap

2 Answers

  1. Best Answer

    I think it's impossible without loop. Try to use nping instead nmap. Example for IPv4:

    $ host -t MX gmail.com | awk '{print $NF}' | xargs -I{} host -t A {} | awk '{print $NF}' | xargs -e nping -c 1 -p 25,465 | grep -P "(SENT)|(RECV)"
SENT (0.0014s) Starting TCP Handshake > 74.125.204.26:25
RECV (0.3228s) Handshake with 74.125.204.26:25 completed
SENT (1.0036s) Starting TCP Handshake > 74.125.201.26:25
RECV (1.1765s) Handshake with 74.125.201.26:25 completed
SENT (2.0065s) Starting TCP Handshake > 74.125.28.26:25
RECV (2.2137s) Handshake with 74.125.28.26:25 completed
SENT (3.0086s) Starting TCP Handshake > 173.194.222.26:25
RECV (3.0475s) Handshake with 173.194.222.26:25 completed
SENT (4.0116s) Starting TCP Handshake > 74.125.30.27:25
RECV (4.1853s) Handshake with 74.125.30.27:25 completed
SENT (5.0142s) Starting TCP Handshake > 74.125.204.26:465
SENT (6.0163s) Starting TCP Handshake > 74.125.201.26:465
SENT (7.0184s) Starting TCP Handshake > 74.125.28.26:465
SENT (8.0196s) Starting TCP Handshake > 173.194.222.26:465
SENT (9.0217s) Starting TCP Handshake > 74.125.30.27:465

    For IPv6 use command:

    $ host -t MX gmail.com | awk '{print $NF}' | xargs -I{} host -t AAAA {} | awk '{print $NF}' | xargs -e nping -c 1 -6 -p 25,465 | grep -P "(SENT)|(RECV)"
    • 2

  2. Nmap can accomplish something like this with the resolveall NSE script. It needs the newtargets script argument to be set in order to actually add the other addresses to the scan queue instead of only listing them. So your solution would be:

    nmap --script resolveall --script-args newtargets -p25 rr-test.jacobdevans.com

    This will work for a name that has multiple A (or AAAA, with the -6 option) records, all of which are returned in response to a single query. Round-robin DNS can be implemented by returning a single A record from a pool in response to each query; the resolveall script will not be able to detect this, since it only sends one query.

    EDIT: I forgot that this is a new feature in Nmap 7.40, so earlier versions won't work the same way. For those versions (back to version 5.50) you need to use this syntax:

    nmap --script resolveall --script-args "newtargets,resolveall.hosts={rr-test.jacobdevans.com}" -p25
    • 0