Enumerate an ipv6 reverse zone in 2 minutes

Hello,

Until yesterday I thought it was impossible to find hosts in an IPv6 subnet by asking the DNS server.
At least if I use random interface identifiers.

That assumption is wrong: http://7bits.nl/blog/posts/finding-v6-hosts-by-efficiently-mapping-ip6-arpa

problem:
dig @ns.nlnetlabs.nl. 0.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NOERROR
dig @ns.nlnetlabs.nl. 1.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NXDOMAIN

2 queries to tell: there is no host in the subnet 2a04:b900:1000:0::/64
                    there are no subnets in 2a04:b900:1000::/56

My question: would it be possible to modify nsd to answer queries in a different way?

Andreas

See chapter 4 in <http://www.dfn-cert.de/dokumente/workshop/2005/dfncert-ws2005-f7paper.pdf>
Of course, the proposed mitigation (sketched out for BIND) would be
incompatible with "qname minimization" ...

-Peter

Hi Andreas,

> Until yesterday I thought it was impossible to find hosts in an IPv6
> subnet by asking the DNS server.
> At least if I use random interface identifiers.
>
> That assumption is wrong:
> http://7bits.nl/blog/posts/finding-v6-hosts-by-efficiently-mapping-ip6-arpa

This is an old and well-known technique.

> problem:
> dig @ns.nlnetlabs.nl. 0.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NOERROR
> dig @ns.nlnetlabs.nl. 1.0.0.9.b.4.0.a.2.ip6.arpa. ns -> NXDOMAIN
>
> 2 queries to tell: there is no host in the subnet 2a04:b900:1000:0::/64
>                    there are no subnets in 2a04:b900:1000::/56

This is exactly how the name server is supposed to answer. In fact, not
only NSD, but all other protocol-compliant name servers, such as BIND,
Knot and PowerDNS, will all respond the same way. Look up the term
"empty non-terminal". This manner of response is not specific to NSD.

> My question: would it be possible to modify nsd to answer queries in a
> different way?

I don't think so. It would break the DNS protocol. But just out of
curiosity, what kind of response did you have in mind?

Regards,

Anand
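To make Anand's point about "empty non-terminal" concrete, here is an added example (not code from the thread or from NSD) that models the RCODE any protocol-compliant authoritative server must return for names under an ip6.arpa zone. The 2a04:b900::/32 prefix and the two query names are the ones from the thread; the PTR owner addresses in the zone are invented.

```python
import ipaddress

# Constructed zone for the reverse of 2a04:b900::/32. The two PTR owner
# addresses are invented for this example; only the /32 comes from the thread.
ZONE_APEX = "0.0.9.b.4.0.a.2.ip6.arpa"
PTR_OWNERS = {
    ipaddress.IPv6Address("2a04:b900:123:4::1").reverse_pointer,
    ipaddress.IPv6Address("2a04:b900:123:4::2").reverse_pointer,
}


def rcode(qname: str) -> str:
    """RCODE an authoritative server gives for qname (RFC 1034 section 4.3.2).

    NOERROR  - qname is the apex, owns records, or is an empty non-terminal:
               a name with no records of its own that is an ancestor of a
               name that does have records (e.g. the /64 above a host PTR).
    NXDOMAIN - nothing exists at or below qname, so the whole subtree is empty.
    """
    qname = qname.lower().rstrip(".")
    if qname == ZONE_APEX or qname in PTR_OWNERS:
        return "NOERROR"
    if any(owner.endswith("." + qname) for owner in PTR_OWNERS):
        return "NOERROR"  # empty non-terminal: descendants exist
    return "NXDOMAIN"


def prefix_name(prefix: str) -> str:
    """ip6.arpa owner name covering an IPv6 prefix on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    # The two queries from the thread: /36 with a host below it vs. an empty /36.
    for q in ("0.0.0.9.b.4.0.a.2.ip6.arpa", "1.0.0.9.b.4.0.a.2.ip6.arpa"):
        print(f"{q:<40} {rcode(q)}")
    # The host's own /64 is an empty non-terminal; a sibling /64 is not.
    print(prefix_name("2a04:b900:123:4::/64"), rcode(prefix_name("2a04:b900:123:4::/64")))
    print(prefix_name("2a04:b900:123:5::/64"), rcode(prefix_name("2a04:b900:123:5::/64")))
```

The NXDOMAIN for an intermediate name is what lets a single query rule out an entire subtree; the NOERROR for an empty non-terminal is mandated by the protocol, which is why NSD, BIND, Knot and PowerDNS all answer the same way.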