rbsec / dnscan

GNU General Public License v3.0

Scan result difference and text output #47

Closed Vincent-Millane closed 2 years ago

Vincent-Millane commented 2 years ago

Hello,

Thank you for your work.

I am testing dnscan to find some valid domains with all existing tlds. But for domains that I checked by hand, for which I found several hundred matches, dnscan found only 16 with the command.

./dnscan.py -d example -R 1.1.1.1 -T --output example_domains.txt

then

with my DNS server (DNSSEC active)

python3 dnscan.py -d google -R 127.0.0.1 -T --output google_domains.txt

python3 dnscan.py -d google -R 1.1.1.1 -T --output google_domains.txt

I have 286 domains on the screen but the google_domains.txt file contains:

```
[*] Processing domain google
[*] Using specified resolvers: 1.1.1.1
[+] TLD Scan
```

With the command

python3 dnscan.py -d google -R 1.1.1.1 -T > google_domains.txt

My file is well populated but with several line breaks like this:

```
...
google.ac - ns1.google.com

google.af - ns1.google.com

google.aero - ns1.101domain.com

google.ad - ns1.google.com
...
```

NS outputs are not useful to me and will generate a workload.

What are the tips to understand to help me? Thank you for your help.

rbsec commented 2 years ago

Good spot, the TLD results are missing in the output. That should be fixed in 7839c2b.

Vincent-Millane commented 2 years ago

Thanks it works much better.

Except that I still have a scan problem: the script detects 18 tlds, whereas by hand (1 by 1), using a source that does not have all the tlds, I found 163 matching tlds.

An idea ?

Vincent-Millane commented 2 years ago

for extole...

rbsec commented 2 years ago

Is this when you're running dnscan -T -d google, or some other command?

It's possible your traffic is getting dropped by the DNS server, so try reducing the threads with -t 2 and see if that makes any difference.

Vincent-Millane commented 2 years ago

I am trying. By the way, can dnscan detect tlds that are in "Pre-register" mode? Do I count them, since they can be in production at any time? The difference could be explained as follows.

rbsec commented 2 years ago

Dnscan looks to see if the domain has any NS records - because if it doesn't then it's not really usable on the public Internet. Of course, the fact that it has NS records doesn't necessarily mean that it has any A records, so you may get domains that don't resolve.
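To make the two points above concrete (a TLD counts only if the name has NS records, and queries dropped by the resolver under high thread counts must not be mistaken for "no such domain"), here is an added example of a TLD scan that keeps timeouts in a separate "unknown" bucket. It is not dnscan's own code; `Resolver`, `classify`, `tld_scan` and the `FAKE_ZONE` data are all constructed for this example, with the fake resolver standing in for real DNS so it runs offline.

```python
import concurrent.futures
from typing import Callable, Dict, List, Optional

# Hypothetical resolver signature (assumed for this example): returns the list of
# record strings for (name, rtype), an empty list when the name/record does not
# exist, or None when the query timed out or was dropped. A live tool would wrap
# a real DNS client here.
Resolver = Callable[[str, str], Optional[List[str]]]


def classify(name: str, resolve: Resolver) -> str:
    """Apply the rule from the thread: NS records present -> 'registered'.
    A definite empty answer -> 'absent'. A dropped/timed-out query -> 'unknown',
    so that rate limiting at the resolver never silently shrinks the result set."""
    ns = resolve(name, "NS")
    if ns is None:
        return "unknown"
    return "registered" if ns else "absent"


def tld_scan(domain: str, tlds: List[str], resolve: Resolver,
             threads: int = 2) -> Dict[str, List[str]]:
    """Check <domain>.<tld> for every TLD with a bounded thread pool (the
    equivalent of dnscan's -t) and bucket the names by verdict."""
    names = [f"{domain}.{tld}" for tld in tlds]
    buckets: Dict[str, List[str]] = {"registered": [], "absent": [], "unknown": []}
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        verdicts = pool.map(lambda n: classify(n, resolve), names)  # order preserved
        for name, verdict in zip(names, verdicts):
            buckets[verdict].append(name)
    return buckets


# Constructed fake zone data: NS-with-A, NS-without-A, NXDOMAIN, and a dropped query.
FAKE_ZONE: Dict[tuple, Optional[List[str]]] = {
    ("google.ac", "NS"): ["ns1.google.com."],
    ("google.ac", "A"): ["192.0.2.10"],        # documentation range, constructed
    ("google.aero", "NS"): ["ns1.101domain.com."],
    ("google.aero", "A"): [],                  # has NS but does not resolve
    ("google.zz", "NS"): [],                   # definite negative answer
    ("google.xx", "NS"): None,                 # simulated timeout / dropped packet
}


def fake_resolve(name: str, rtype: str) -> Optional[List[str]]:
    """Offline stand-in for DNS; unknown names answer as non-existent."""
    return FAKE_ZONE.get((name, rtype), [])
```

A non-empty "unknown" bucket is the signal to re-run those names with fewer threads, rather than treating them as unregistered; "registered" names may still lack A records, exactly as the comment above says.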

Vincent-Millane commented 2 years ago

I tested dnscan with different options with no better results. I tested DNSrecon, which gave me more results. I read up on the ICANN site, which indicates that the sites are pre-reserved and will be allocated on a kind of FIFO or auction between candidates. If you have better information or utilities to share with me, I will be happy to hear from you. My PM is on my profile.