Nmap – Resolving IP to Hostname Failures

Tags: bind, domain-name-system, nmap

My objective here is to get nmap to resolve IPs to hostnames without the --system-dns flag or the --dns-servers option.

When I issue the following nmap command without the --system-dns flag or --dns-servers option, 192.168.0.16 is resolved to hostname server1.example.com. 192.168.0.17 is not resolved to a hostname. I understand this is occurring because, according to https://nmap.org/book/host-discovery-dns.html, "Nmap uses a custom stub resolver", meaning that nmap has its own DNS resolver and does not use our local DNS servers. Interesting.

[root@client1]# nmap -sn 192.168.0.0/24 -vvv

Initiating Parallel DNS resolution of 256 hosts. at 11:22
Completed Parallel DNS resolution of 256 hosts. at 11:22, 0.02s elapsed
DNS resolution of 18 IPs took 0.02s. Mode: Async [#: 2, OK: 5, NX: 13, DR: 0, SF: 0, TR: 18, CN: 0]

Nmap scan report for server1.example.com (192.168.0.16)
Host is up (0.00063s latency).
Nmap scan report for 192.168.0.17
Host is up (0.00059s latency).

This issue does not occur when the --system-dns flag is being used.

[root@client1]# nmap -sn 192.168.0.0/24 --system-dns

Nmap scan report for server1.example.com (192.168.0.16)
Host is up (0.00029s latency).
Nmap scan report for server2.example.com (192.168.0.17)
Host is up (0.00026s latency).

This issue does not occur when the --dns-servers option is used to declare that our primary DNS server (192.168.0.6) should be used.

[root@client1]# nmap -sn 192.168.0.0/24 --dns-servers 192.168.0.6

Nmap scan report for server1.example.com (192.168.0.16)
Host is up (0.00039s latency).
Nmap scan report for server2.example.com (192.168.0.17)
Host is up (0.00036s latency).

nslookup shows that both IPs can be resolved to their appropriate hostnames.

[root@client1]# nslookup 192.168.0.16
16.0.168.192.in-addr.arpa       name = server1.example.com.

[root@client1]# nslookup 192.168.0.17
17.0.168.192.in-addr.arpa       name = server2.example.com.

We are using CentOS 7 as our Operating System. /etc/resolv.conf contains the following, meaning that 192.168.0.6 is our primary DNS server.

[root@client1]# cat /etc/resolv.conf

nameserver 192.168.0.6
nameserver 8.8.8.8

192.168.0.6 (our primary DNS server) is using version 9 of Bind as the DNS service.

[root@dns1]# named -v
BIND 9.9.4-RedHat-9.9.4-51.el7 (Extended Support Version)

Here is the relevant snippet of /var/named/forward.example.com.

[root@dns1]# cat /var/named/forward.example.com

$ORIGIN example.com.
$TTL 1D
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                                        2016032200 ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H         ; minimum
)

;name used for the nameserver
        IN      NS      ns1.example.com.

;ip address of the nameserver
ns1     IN      A       192.168.0.6

;hostname to ip address resolutions
server1         IN      A       192.168.0.16
server2         IN      A       192.168.0.17

Here is a snippet of /var/named/reverse.example.com.

[root@client1]# cat /var/named/reverse.example.com

$TTL 1D
@       IN      SOA     ns1.example.com. root.example.com. (
                                        0 ; serial
                                        1D ; refresh
                                        1H ; retry
                                        1W ; expire
                                        3H ; minimum
)

0.168.192.in-addr.arpa. IN      NS      ns1.example.com.

@       IN      NS      ns1.example.com.
ns1     IN      A       192.168.0.6
16      IN      PTR     server1.example.com.
17      IN      PTR     server2.example.com.

Best Answer

The root of your problem is your /etc/resolv.conf and how nmap parses that.

    # /etc/resolv.conf

    nameserver 192.168.0.6
    nameserver 8.8.8.8

Only the first of your nameserver entries is qualified to answer queries for your local domain and network.

The second nameserver is a public resolver that won't be able to respond to reverse DNS queries for private IP ranges.

Unlike the system resolver, which by default uses the first nameserver entry in /etc/resolv.conf and only uses the next one(s) when the first nameserver doesn't respond, Nmap uses all nameserver entries found in /etc/resolv.conf in parallel (with the implied assumption that they are all equivalent).

Since in your case the different nameservers are not equivalent, only some of the reverse DNS queries succeed, and you see some IP addresses get resolved to hostnames (when your first name server was queried) and others not (when your second name server was used).

Remove or comment out the second nameserver, and nmap -sn 192.168.0.0/24 -vvv should get the same results as nmap -sn 192.168.0.0/24 -vvv --system-dns and nmap -sn 192.168.0.0/24 -vvv --dns-servers 192.168.0.6.
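As an added example (not part of the question or the answer), here is a small Python check that reads the nameserver list from resolv.conf the way the answer says Nmap does and sends the same PTR query to every listed server, so a resolver that cannot answer for the private range shows up before a scan is run. It assumes the resolv.conf contents and IPs from the question; the network calls only run from the main block.

```python
"""Ask every nameserver in resolv.conf the PTR questions Nmap will spread across them."""
import random
import socket
import struct

# Constructed copy of the resolv.conf shown in the question.
RESOLV_CONF = "nameserver 192.168.0.6\nnameserver 8.8.8.8\n"
TARGET_IPS = ["192.168.0.16", "192.168.0.17"]

def parse_resolv_conf(text):
    """Return every nameserver IP in order; comments and blank lines are skipped."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def ptr_name(ip):
    """Reverse the octets of an IPv4 address into its in-addr.arpa name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_ptr_query(ip, txid):
    """Build a minimal DNS query (RD set, one question, QTYPE=PTR, QCLASS=IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in ptr_name(ip).split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 12, 1)

def parse_response(data, txid):
    """Return (rcode, answer_count) from a DNS response header; reject foreign txids."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return flags & 0x000F, ancount   # rcode 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED

def check_nameservers(resolv_text, ips, timeout=2.0):
    """Map (server, ip) -> status string for each PTR query; needs network access."""
    names = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    results = {}
    for server in parse_resolv_conf(resolv_text):
        for ip in ips:
            txid = random.randrange(65536)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                try:
                    s.sendto(build_ptr_query(ip, txid), (server, 53))
                    rcode, ancount = parse_response(s.recvfrom(512)[0], txid)
                    results[(server, ip)] = f"{names.get(rcode, 'RCODE %d' % rcode)} ({ancount} answers)"
                except (socket.timeout, ValueError) as exc:
                    results[(server, ip)] = f"no usable reply ({exc.__class__.__name__})"
    return results

if __name__ == "__main__":
    for (server, ip), status in check_nameservers(RESOLV_CONF, TARGET_IPS).items():
        print(f"{server:>15}  {ip:<15} {status}")
```

Any server that reports NXDOMAIN or REFUSED for an address the first server answers is one Nmap will still hand reverse lookups to, which is exactly the mismatch the answer describes.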
