nmap | John R. Bond | NMAP:DNS-CLIENT-SUBNET-SCAN.NSE
History | Feb 19, 2012 - 1:22 p.m.

dns-client-subnet-scan NSE Script

2012-02-19 13:22:20
John R. Bond
nmap.org
108

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

Performs a domain lookup using the edns-client-subnet option, which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.

Script Arguments

dns-client-subnet-scan.domain

The domain to look up, e.g. www.example.org

dns-client-subnet-scan.mask

[optional] The number of bits to use as the subnet mask (default: 24)

dns-client-subnet-scan.nameserver

[optional] The nameserver to use (default: host.ip)

dns-client-subnet-scan.address

The client subnet address to use

Example Usage

  nmap -sU -p 53 --script dns-client-subnet-scan --script-args \
    'dns-client-subnet-scan.domain=www.example.com,dns-client-subnet-scan.address=192.168.0.1[,dns-client-subnet-scan.nameserver=8.8.8.8][,dns-client-subnet-scan.mask=24]' <target>
  nmap --script dns-client-subnet-scan --script-args \
    'dns-client-subnet-scan.domain=www.example.com,dns-client-subnet-scan.address=192.168.0.1,dns-client-subnet-scan.nameserver=8.8.8.8[,dns-client-subnet-scan.mask=24]'

Script Output

53/udp open  domain  udp-response
| dns-client-subnet-scan:
| www.google.com
|   1.2.3.4
|   5.6.7.8
|   9.10.11.12
|   13.14.15.16
|   .
|   .
|_  .
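
The edns-client-subnet option described above, shown on the wire as an added Python example (not the NSE script's own Lua code). It encodes the option as RFC 7871 defines it and, from the receiving side, reads back the subnet a captured query claims; the function names, transaction ID and sample values are constructed for illustration.

```python
import ipaddress
import struct

ECS_CODE = 8    # edns-client-subnet option code (RFC 7871)
OPT_TYPE = 41   # EDNS0 OPT pseudo-record type (RFC 6891)

def ecs_option(address, mask=24):
    """Encode the client-subnet option; mask defaults to 24 like the script."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)  # zero host bits
    family = 1 if net.version == 4 else 2
    prefix = net.network_address.packed[:(mask + 7) // 8]  # significant octets only
    body = struct.pack("!HBB", family, mask, 0) + prefix   # scope is 0 in a query
    return struct.pack("!HH", ECS_CODE, len(body)) + body

def build_query(domain, address, mask=24, txid=0x1234):
    """A query for domain with one OPT record carrying the ECS option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = ecs_option(address, mask)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt     # QTYPE=A, QCLASS=IN

def claimed_subnet(query):
    """Subnet a captured query claims via ECS, or None if it carries no ECS option.
    Assumes one question, no answer/authority records, root-named additional records."""
    additional = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:            # walk the QNAME labels
        pos += query[pos] + 1
    pos += 5                     # root label, QTYPE, QCLASS
    for _ in range(additional):
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
        rdata, pos = query[pos + 11:pos + 11 + rdlen], pos + 11 + rdlen
        i = 0
        while rtype == OPT_TYPE and i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            opt, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code == ECS_CODE:
                family, source, _scope = struct.unpack("!HBB", opt[:4])
                addr = opt[4:].ljust(4 if family == 1 else 16, b"\x00")
                return ipaddress.ip_network((addr, source), strict=False)
    return None

if __name__ == "__main__":
    q = build_query("www.example.com", "192.168.0.1")  # constructed sample values
    print(q.hex(), claimed_subnet(q))
```

Because the subnet is whatever the client writes into the option, a resolver or authoritative server operator can log the value `claimed_subnet` returns next to the packet's real source address and notice one source cycling through many unrelated subnets for the same name.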
