[ipv6hackers] Finding v6 hosts by efficiently mapping ip6.arpa

Peter van Dijk peter at 7bits.nl
Thu Mar 29 16:36:19 CEST 2012

Hello Simon,

On Mar 29, 2012, at 16:33 , Simon Perreault wrote:

> On 03/28/12 22:23, Peter van Dijk wrote:
>> in a discussion with a friend recently the thought occurred to me
>> that due to how NOERROR and NXDOMAIN in DNS work, finding all
>> existing reverses in an ip6.arpa reverse zone could be done very
>> quickly.
> We show this trick in our IPv6 security course.

Oh! Well, good to hear people already know about it. Do you have any slides or such I could see?

> We developed fairly efficient proof-of-concept code that is able to enumerate the whole reverse zone in a very reasonable time. (Autogenerated subnets need to be skipped.)
>> I was unable to find any existing references to this trick; if you do
>> have any, please let me know!
> We couldn't find any reference either, but we've been told that it's been known for a long time, even before IPv6 existed. The same trick can be applied to IPv4, it's just less useful/efficient there.

I have used the trick in the past on forward zones that had many second-level delegations but no first-level delegations. Worked wonders there too.

Kind regards,
Peter van Dijk

More information about the Ipv6hackers mailing list