5.3. dns

The dns module leverages libudns to allow highly concurrent DNS lookups of a variety of DNS RR types. In the event that you name a dns check in-addr.arpa with an rtype of PTR, the result of the query may be used throughout reconnoiter as the identifying hostname of that target.

This module provides the inaddrarpa interpolation method which will reverse a dot-delimited IP address. This is particularly useful for constructing in-addr.arpa queries, but also used for checking blacklists, whitelists and other IP-based DNS databases.

loader

C

image

dns.so

5.3.1. Module Configuration

5.3.2. Check Configuration

nameserver
required

optional

default

%[target_ip] or determined from underlying system

allowed

.+

The domain name server to query. If the name of the check is in-addr.arpa, the system default nameserver is used. Otherwise, the nameserver is the %[target_ip] of the the check. If set to the string "default" the underlying system default nameserver is used.

port
required

optional

default

53

allowed

\d+

The port on which the remote server's DNS service is running.

ctype
required

optional

default

IN

allowed

(IN|CH|HS)

The DNS class of the query. IN: Internet, CH: Chaos, HS: Hesoid.

rtype
required

optional

default

A|PTR

allowed

(A|AAAA|TXT|MX|SOA|CNAME|PTR|NS|MB|MD|MF|MG|MR)

The DNS resource record type of the query. If the name of the check is in-addr.arpa, the default is PTR, otherwise it is A.

query
required

required

default

%[name]|%[:inaddrarpa:target_ip]

allowed

.+

The query to send. If the name of the check is in-addr.arpa, the reverse IP octet notation of in-addr.arpa syntax is synthesized by default. Otherwise the default query is the name of the check itself.

want_sort
required

optional

default

true

allowed

(true|false|on|off)

Sorts (strcmp) the answers if multiple RRs are returned in the result set.

Example 5.4. Establishing PTR records for hosts.

The following established names for targets 10.1.2.{3,4,5,6} using the local nameserver (10.1.2.2) that provides service for that network.

      <noit>
        <modules>
          <module image="dns" name="dns"/>
        </modules>
        <checks>
          <config>
            <nameserver>10.1.2.2</nameserver>
          </config>
          <ptr module="dns" name="in-addr.arpa">
            <check uuid="2cddb2a8-76ff-11dd-83c8-f75cb8b93bd9" target="10.1.2.3"/>
            <check uuid="2dd79110-76ff-11dd-9b54-739adc274a93" target="10.1.2.4"/>
            <check uuid="5627560a-76ff-11dd-941f-4b75679cb908" target="10.1.2.5"/>
            <check uuid="5fdcb8de-76ff-11dd-ae16-2740afc178ae" target="10.1.2.6"/>
          </ptr>
        </checks>
      </noit>
    

Example 5.5. Checking labs.omniti.com.

The following checks the DNS server residing at 66.225.209.4 for the A record of labs.omniti.com.

      <noit>
        <modules>
          <module image="dns" name="dns"/>
        </modules>
        <checks>
          <ns1 module="dns" target="66.225.209.4">
            <check uuid="3cddb2a8-76ff-11dd-83c8-f75cb8b93bd9" name="labs.omniti.com"/>
          </ns1>
        </checks>
      </noit>