[ipv6hackers] Finding v6 hosts by efficiently mapping ip6.arpa

Richard Barnes richard.barnes at gmail.com
Thu Mar 29 16:28:02 CEST 2012

Indeed, that's a pretty clever idea.  Note, however, that it only
works where the reverse tree is actually populated.  Example below
(disclaimer: I am not in BBN's IT department, I don't know why they
haven't provisioned).  Overall, it seems like you're more likely to
find things like mail servers like this (where the reverse is actually
used) than, say, home users.

$ dig +short ns4.bbn.com AAAA

$ dig b.

; <<>> DiG 9.7.3-P3 <<>> b.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;b.	IN	A

;; AUTHORITY SECTION:	3482	IN	SOA	z.arin.net. dns-ops.arin.net.
2012032901 10800 3600 691200 3600

;; Query time: 93 msec
;; WHEN: Thu Mar 29 16:26:40 2012
;; MSG SIZE  rcvd: 96

On Wed, Mar 28, 2012 at 10:23 PM, Peter van Dijk <peter at 7bits.nl> wrote:
> Hi folks,
> in a discussion with a friend recently the thought occurred to me that due to how NOERROR and NXDOMAIN in DNS work, finding all existing reverses in an ip6.arpa reverse zone could be done very quickly.
> I have written a blog post at http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa that explains the workings. Code at https://github.com/habbie/ip6-arpa-scan/
> I was unable to find any existing references to this trick; if you do have any, please let me know!
> Kind regards,
> Peter van Dijk

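Added example, not part of the original messages and not taken from the ip6-arpa-scan code: a query-log check a DNS operator could run to spot the kind of walk discussed in this thread, where one client asks for many sibling nibbles under a shorter-than-full ip6.arpa name. The log format, the addresses and the min_siblings threshold are assumptions.

```python
import re
from collections import defaultdict

NIBBLES = "0123456789abcdef"
ARPA = re.compile(r"^((?:[0-9a-f]\.){1,32})ip6\.arpa\.?$", re.I)

def nibble_labels(qname):
    """Return the nibble labels of an ip6.arpa name (leftmost first), or None."""
    m = ARPA.match(qname)
    return m.group(1).lower().rstrip(".").split(".") if m else None

def find_tree_walkers(lines, min_siblings=12):
    """Map client -> parent nodes under which it probed >= min_siblings children.

    An ordinary PTR lookup asks for a full 32-nibble name. A walk of the
    reverse tree asks for the children of a shorter node and uses
    NXDOMAIN vs NOERROR to decide which branches to descend into.
    """
    seen = defaultdict(set)  # (client, parent) -> child nibbles queried
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        client, qname, _qtype, _rcode = fields
        labels = nibble_labels(qname)
        if labels is None or len(labels) == 32:
            continue  # not ip6.arpa, or a normal full-length lookup
        parent = ".".join(labels[1:] + ["ip6.arpa."])
        seen[(client, parent)].add(labels[0])
    hits = defaultdict(list)
    for (client, parent), children in seen.items():
        if len(children) >= min_siblings:
            hits[client].append(parent)
    return {client: sorted(parents) for client, parents in hits.items()}

def sample_log():
    """Constructed lines, 'client qname qtype rcode'; the format is an assumption."""
    prefix = "8.b.d.0.1.0.0.2.ip6.arpa."  # 2001:db8::/32 (documentation prefix)
    # One client asks for all 16 children of the /32 node; only "0" exists.
    lines = [f"198.51.100.7 {n}.{prefix} PTR {'NOERROR' if n == '0' else 'NXDOMAIN'}"
             for n in NIBBLES]
    # Another client does an ordinary reverse lookup of 2001:db8::1.
    full = ".".join(["1"] + ["0"] * 23) + "." + prefix
    lines.append(f"192.0.2.53 {full} PTR NOERROR")
    lines.append("192.0.2.53 www.example.com. AAAA NOERROR")
    return lines

if __name__ == "__main__":
    print(find_tree_walkers(sample_log()))
```

Resolvers that do QNAME minimisation also send shorter ip6.arpa names, so in practice count siblings per client within a time window rather than over a whole log.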