ip6walk

IPv6 network walking utilities (ip6dnswalk, ip6dnshide)

ip6dnswalk: Walks the ip6.arpa tree for a given IPv6 prefix

Note:
	Some authoritative DNS servers such as PowerDNS do not implement
	RFC 1035 correctly: http://wiki.powerdns.com/trac/ticket/127
	This has the side effect of preventing DNS walking from working.

ip6dnshide: Hides empty terminals in an ip6.arpa zone (preventing walking)

Prevents ip6dnswalk from working by causing queries that would have
returned NXDOMAIN to return NOERROR, using some extra records. The
exception is when the secret used to create the wildcards is known,
because then more information that could be used to infer NXDOMAIN is
available.

Warning:
	If you're thinking of modifying a DNS server to replace NOERROR
	with NXDOMAIN for ip6.arpa zones, please don't, as this isn't
	valid behaviour.
	[ This bogus behaviour would completely prevent walking. ]
	
	You can, however, replace NXDOMAIN with NOERROR. There's no
	requirement to actually have a terminal RR at or below the
	name being queried - NXDOMAIN just asserts that there isn't
	one. Doing this for non-ip6.arpa zones would give no benefit.
	[ This technically valid behaviour would make walking the zone
	impractical. A walker would be misled into thinking all
	possible IPs exist. ]
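
The effect of the two response codes on a walker, as an added example (not code from ip6walk): a constructed in-memory zone covering the last four nibbles of a prefix stands in for the DNS server. The names ModelZone, walk and compare are hypothetical, and hide=True models only the NXDOMAIN-to-NOERROR replacement described above, not ip6dnshide's actual wildcard records.

```python
NIBBLES = "0123456789abcdef"


class ModelZone:
    """Constructed stand-in for an authoritative ip6.arpa zone (no network I/O).

    Names are nibble strings in address order; on the wire each would be the
    reversed, dot-separated nibbles below the prefix's ip6.arpa name.
    """

    def __init__(self, hosts, hide=False):
        self.hosts = set(hosts)
        # Every name above a PTR record is an empty non-terminal:
        # it holds no data but must still answer NOERROR.
        self.ents = {h[:i] for h in self.hosts for i in range(1, len(h))}
        self.hide = hide          # True: never answer NXDOMAIN
        self.queries = 0

    def rcode(self, name):
        self.queries += 1
        if name in self.hosts or name in self.ents or self.hide:
            return "NOERROR"
        return "NXDOMAIN"


def walk(zone, depth, prefix=""):
    """Descend one nibble at a time, pruning every NXDOMAIN subtree."""
    if len(prefix) == depth:
        return [prefix]           # full-length name that answered NOERROR
    found = []
    for nibble in NIBBLES:
        if zone.rcode(prefix + nibble) == "NOERROR":
            found += walk(zone, depth, prefix + nibble)
    return found


def compare(hosts, depth):
    """Return {hide: (names reported, queries sent)} for both behaviours."""
    result = {}
    for hide in (False, True):
        zone = ModelZone(hosts, hide)
        result[hide] = (len(walk(zone, depth)), zone.queries)
    return result


if __name__ == "__main__":
    # Constructed sample: three PTR records in a 4-nibble (/112) space.
    for hide, (names, queries) in compare(["0001", "0002", "a1b2"], 4).items():
        print(f"hide={hide}: {names} names reported after {queries} queries")
```

With NXDOMAIN pruning the three records are found in 112 queries; with NOERROR everywhere the walker sends 69904 queries and reports all 65536 names. For the 16 free nibbles of a /64 the same exhaustive walk would cover 16^16 (2^64) names.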

Note:
	If the zone is DNSSEC signed then the use of offline signed
	NSEC3 allows it to be walked even if the NOERROR trick is used.

Credits: Roland Dobbins http://mailman.nanog.org/pipermail/nanog/2011-January/031124.html

	For giving me the idea that reverse DNS enumeration (based on my
	existing knowledge that PowerDNS doesn't do NXDOMAIN properly)
	is actually possible.