Determining what domains are registered to a network is important to both attackers and defenders. Attackers have been performing DNS recon for years, but defenders generally do not use this technique. Why would we need to? We can just get a dump of the DNS database and search it. Well this only works for domains that you control, but users can point to your IP space with a different domain name and you would never know about it. This could be a legitimate subsidiary standing up a site, or it could be a rogue server “borrowing bandwidth”. Either way it’s better to know these things before attackers do.
I wrote a bash script (Tested on Ubuntu and OSX) to use the robtex’s website to determine what DNS names have been assigned to a specific network. Their website looks up DNS names based on class C networks. For class A and B networks, it will break them down into class c networks and query the site. The results are displayed to standard out in csv format.
Lets try this out on a Google subnet.
#nslookup google.com Name: google.com Address: 220.127.116.11 #./dns_recon.sh 74.125.67 >74.125.67.csv
The file looks like this.
#head 74.125.67.csv gw-in-f16.1e100.net,a,18.104.22.168 gw-in-f17.1e100.net,a,22.214.171.124 gw-in-f18.1e100.net,a,126.96.36.199 mail.miamichildrensmuseum.org,a,188.8.131.52 gw-in-f19.1e100.net,a,184.108.40.206 gmr-test.google.com,a,220.127.116.11 gw-in-f23.1e100.net,a,18.104.22.168 a.mx.systembrasil.com.br,a,22.214.171.124 alt2.aspmx.l.ipmgr.net,a,126.96.36.199 alt22.aspmx.l.google.com,a,188.8.131.52
Lets quickly see what other domains besides google.com are listed by filtering out google.com. You can also import this into a spreadsheet and filter your results with it.
#grep -v google.com 74.126.76.txt ...(trunckated) velure.info,a,184.108.40.206 youtube.ca,a,220.127.116.11 youtube.co.il,a,18.104.22.168 youtube.co.in,a,22.214.171.124 ...(truncated)
This technique has worked out great for me. I have the user agent set as a Yahoo crawler, but you can change the variable to anything you like.