Nmap dns-client-subnet-scan NSE Script


This page contains detailed information about how to use the dns-client-subnet-scan NSE script. For list of all NSE scripts, visit the Nmap NSE Library.

Select:
Overview
Error Messages

Script Overview

Script source code: https://github.com/nmap/nmap/tree/master/scripts/dns-client-subnet-scan.nse
Script categories: discovery, safe
Target service / protocol: dns, udp, tcp
Target network port(s): 53
List of CVEs: -

Script Description

The dns-client-subnet-scan.nse script performs a domain lookup using the edns-client-subnet option which allows clients to specify the subnet that queries supposedly originate from. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. The script also supports requests using a given subnet.

Dns-client-subnet-scan NSE Script Arguments

This is a full list of arguments supported by the dns-client-subnet-scan.nse script:

dns-client-subnet-scan.address

The client subnet address to use

dns-client-subnet-scan.domain

The domain to lookup eg. www.example.org

dns-client-subnet-scan.mask

[optional] The number of bits to use as subnet mask (default: 24)

dns-client-subnet-scan.nameserver

[optional] nameserver to use. (default = host.ip)

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=dns-client-subnet-scan --script-args dns-client-subnet-scan.address=value,dns-client-subnet-scan.domain=value <target>

Dns-client-subnet-scan NSE Script Example Usage

Here's an example of how to use the dns-client-subnet-scan.nse script:

nmap -sU -p 53 --script dns-client-subnet-scan  --script-args \
'dns-client-subnet-scan.domain=www.example.com, \
dns-client-subnet-scan.address=192.168.0.1 \
[,dns-client-subnet-scan.nameserver=8.8.8.8] \
[,dns-client-subnet-scan.mask=24]' <target>

nmap --script dns-client-subnet-scan --script-args \
'dns-client-subnet-scan.domain=www.example.com, \
dns-client-subnet-scan.address=192.168.0.1 \
dns-client-subnet-scan.nameserver=8.8.8.8, \
[,dns-client-subnet-scan.mask=24]'

Dns-client-subnet-scan NSE Script Example Output

Here's a sample output from the dns-client-subnet-scan.nse script:

53/udp open  domain  udp-response
| dns-client-subnet-scan:
| www.google.com
|   1.2.3.4
|   5.6.7.8
|   9.10.11.12
|   13.14.15.16
|   .
|   .
|_  .

Dns-client-subnet-scan NSE Script Example XML Output

There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce a XML output and save it in the file.xml file.

Author

  • John R. Bond

References

See Also

Related NSE scripts to the dns-client-subnet-scan.nse script:

Visit Nmap NSE Library for more scripts.

The dns-client-subnet-scan.nse script may fail with the following error messages. Check for the possible causes by using the code snippets highlighted below found in the script source code. This can often times help in identifying the root cause of the problem.

.domain was not specified

Here is a relevant code snippet related to the ".domain was not specified" error message:

329:	end
330:	
331:	action = function(host, port)
332:	
333:	  if ( not(argDomain) ) then
334:	    return stdnse.format_output(false, SCRIPT_NAME .. ".domain was not specified")
335:	  end
336:	
337:	  local nameserver = (host and host.ip) or argNS
338:	  -- if we have no nameserver argument and no host, we don't have sufficient
339:	  -- information to continue, abort

Version

This page has been created based on Nmap version 7.92.

Go back to menu.