Hello,

till yesterday I thought it is impossible to find hosts in an ipv6 subnet by asking the dns server. At least if I use random interface identifiers.

That assumption is wrong:
http://7bits.nl/blog/posts/finding-v6-hosts-by-efficiently-mapping-ip6-arpa

problem:
dig @ns.nlnetlabs.nl. 0.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NOERROR
dig @ns.nlnetlabs.nl. 1.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NXDOMAIN

2 queries to tell: there is no host in the subnet 2a04:b900:1000:0::/64
there are no subnets in 2a04:b900:1000::/56

My question: would it be possible to modify nsd to answer queries in a different way?

Andreas
On Wed, Dec 10, 2014 at 10:32:30PM +0100, A. Schulze wrote:
> My question: would it be possible to modify nsd to answer queries in a
> different way?

see chapter 4 in <http://www.dfn-cert.de/dokumente/workshop/2005/dfncert-ws2005-f7paper.pdf>

Of course, the proposed mitigation (sketched out for BIND) would be incompatible with "qname minimization" ...

-Peter
Anand Buddhdev
2014-Dec-10 21:59 UTC
[nsd-users] enumerate an ipv6 reverse zone in 2 minutes
On 10/12/14 22:32, A. Schulze wrote:

Hi Andreas,

> till yesterday I thought it is impossible to find hosts in an ipv6
> subnet by asking the dns server.
> At least if I use random interface identifier.
>
> That assumption is wrong:
> http://7bits.nl/blog/posts/finding-v6-hosts-by-efficiently-mapping-ip6-arpa

This is an old and well-known technique.

> problem:
> dig @ns.nlnetlabs.nl. 0.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NOERROR
> dig @ns.nlnetlabs.nl. 1.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NXDOMAIN
>
> 2 queries to tell: there is no host in the subnet 2a04:b900:1000:0::/64
> there are no subnets in 2a04:b900:1000::/56

This is exactly how the name server is supposed to answer. In fact, not only NSD, but all other protocol-compliant name servers, such as BIND, Knot and PowerDNS, will respond the same way. Look up the term "empty non-terminal". This manner of response is not specific to NSD.

> My question: would it be possible to modify nsd to answer queries in a
> different way?

I don't think so. It would break the DNS protocol. But just out of curiosity, what kind of response did you have in mind?

Regards,
Anand
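An added illustration of the empty non-terminal behaviour Anand describes (example code written for this page, not code from the thread or from NSD): it builds ip6.arpa names from addresses and nibble-aligned prefixes, then models name existence in a constructed reverse zone for 2a04:b900::/32 holding a single made-up PTR, so the two queries from Andreas' post come back NOERROR and NXDOMAIN exactly as a compliant server would answer.

```python
from ipaddress import IPv6Address, IPv6Network

def ip6_arpa_name(addr: str) -> str:
    """Full reverse name (32 nibble labels) for one IPv6 address."""
    nibbles = IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def prefix_arpa_name(prefix: str) -> str:
    """Reverse name covering a nibble-aligned prefix such as 2a04:b900:1000::/36."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa labels are nibbles; prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

class ReverseZone:
    """Toy model of name existence in an authoritative reverse zone: owner names
    carrying PTR data exist, and so does every label between them and the apex
    (the 'empty non-terminals'); any other name below the apex is NXDOMAIN."""

    def __init__(self, origin: str, ptr_owners):
        self.origin = origin
        self.existing = {origin}
        for owner in ptr_owners:
            if not self.in_zone(owner):
                raise ValueError(f"{owner} is outside {origin}")
            labels = owner.split(".")
            # the owner itself plus every ancestor up to, but excluding, the apex
            for i in range(len(labels)):
                name = ".".join(labels[i:])
                if name == origin:
                    break
                self.existing.add(name)

    def in_zone(self, qname: str) -> bool:
        return qname == self.origin or qname.endswith("." + self.origin)

    def rcode(self, qname: str) -> str:
        if not self.in_zone(qname):
            return "REFUSED"  # not authoritative for this name
        return "NOERROR" if qname in self.existing else "NXDOMAIN"

def demo() -> dict:
    """Constructed zone for 2a04:b900::/32 with one made-up host (2a04:b900:0:100::53),
    answering the two queries quoted in the thread."""
    zone = ReverseZone(prefix_arpa_name("2a04:b900::/32"),
                       [ip6_arpa_name("2a04:b900:0:100::53")])
    queries = ("0.0.0.9.b.4.0.a.2.ip6.arpa.", "1.0.0.9.b.4.0.a.2.ip6.arpa.")
    return {q: zone.rcode(q) for q in queries}

if __name__ == "__main__":
    for q, rc in demo().items():
        print(f"{q} -> {rc}")
```

The NOERROR for the first name comes purely from the intermediate labels created by the one PTR record, which is why the answer is the same for NSD, BIND, Knot and PowerDNS.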