[ipv6hackers] Finding v6 hosts by efficiently mapping ip6.arpa

Simon Perreault simon.perreault at viagenie.ca
Thu Mar 29 16:33:45 CEST 2012

On 03/28/12 22:23, Peter van Dijk wrote:
> in a discussion with a friend recently the thought occurred to me
> that due to how NOERROR and NXDOMAIN in DNS work, finding all
> existing reverses in an ip6.arpa reverse zone could be done very
> quickly.

We show this trick in our IPv6 security course.

We developed fairly efficient proof-of-concept code that is able to 
enumerate the whole reverse zone in a very reasonable time. 
(Autogenerated subnets need to be skipped.)

> I was unable to find any existing references to this trick; if you do
> have any, please let me know!

We couldn't find any reference either, but we've been told that it's
been known for a long time, even before IPv6 existed. The same trick can
be applied to IPv4; it's just less useful/efficient there.

DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
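Added example, not part of the original message or of the proof-of-concept it mentions: a defender-side check that looks for this kind of ip6.arpa walk in an authoritative server's query log. The four-field log format (client, qname, qtype, rcode), the client addresses and the `min_partial` threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

SUFFIX = ".ip6.arpa"
FULL_DEPTH = 32  # a complete IPv6 reverse name has 32 nibble labels
HEX = set("0123456789abcdef")

def nibble_depth(qname):
    """Number of nibble labels under ip6.arpa, or None if not a reverse name."""
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return None
    labels = name[:-len(SUFFIX)].split(".")
    if any(len(l) != 1 or l not in HEX for l in labels):
        return None
    return len(labels)

def detect_walkers(log_lines, min_partial=16):
    """Flag clients that send many queries for partial-depth ip6.arpa names.

    Ordinary reverse lookups ask for full 32-nibble names; a tree walk asks
    for interior nodes and drops every branch that answers NXDOMAIN.
    """
    stats = defaultdict(lambda: {"partial": 0, "nxdomain": 0, "depths": set()})
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        client, qname, _qtype, rcode = fields
        depth = nibble_depth(qname)
        if depth is None or depth >= FULL_DEPTH:
            continue  # not a reverse name, or a normal full-length lookup
        s = stats[client]
        s["partial"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["depths"].add(depth)
    return {c: s for c, s in stats.items() if s["partial"] >= min_partial}

def sample_log():
    """Constructed log: one resolver doing normal lookups, one client walking."""
    base = "8.b.d.0.1.0.0.2.ip6.arpa"  # 2001:db8::/32, documentation prefix
    full = "1." + "0." * 23 + base     # 2001:db8::1, all 32 nibbles
    lines = [f"192.0.2.53 {full} PTR NOERROR"] * 3
    for prefix in ("", "0."):          # depth 9, then depth 10 under nibble 0
        for n in "0123456789abcdef":
            rcode = "NOERROR" if n == "0" else "NXDOMAIN"
            lines.append(f"198.51.100.7 {n}.{prefix}{base} PTR {rcode}")
    return lines

if __name__ == "__main__":
    for client, s in detect_walkers(sample_log()).items():
        print(client, s["partial"], s["nxdomain"], sorted(s["depths"]))
```

Resolvers that use QNAME minimisation also ask for partial-depth names, so the threshold needs tuning against normal traffic before alerting on it.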
