Determining what domains are registered to a network is important to both attackers and defenders. Attackers have been performing DNS recon for years, but defenders generally do not use this technique. Why would we need to? We can just get a dump of the DNS database and search it. Well this only works for domains that you control, but users can point to your IP space with a different domain name and you would never know about it. This could be a legitimate subsidiary standing up a site, or it could be a rogue server “borrowing bandwidth”. Either way it’s better to know these things before attackers do.
I wrote a bash script (Tested on Ubuntu and OSX) to use the robtex’s website to determine what DNS names have been assigned to a specific network. Their website looks up DNS names based on class C networks. For class A and B networks, it will break them down into class c networks and query the site. The results are displayed to standard out in csv format.
Lets try this out on a Google subnet.
#nslookup google.com Name: google.com Address: 188.8.131.52 #./dns_recon.sh 74.125.67 >74.125.67.csv
The file looks like this.
#head 74.125.67.csv gw-in-f16.1e100.net,a,184.108.40.206 gw-in-f17.1e100.net,a,220.127.116.11 gw-in-f18.1e100.net,a,18.104.22.168 mail.miamichildrensmuseum.org,a,22.214.171.124 gw-in-f19.1e100.net,a,126.96.36.199 gmr-test.google.com,a,188.8.131.52 gw-in-f23.1e100.net,a,184.108.40.206 a.mx.systembrasil.com.br,a,220.127.116.11 alt2.aspmx.l.ipmgr.net,a,18.104.22.168 alt22.aspmx.l.google.com,a,22.214.171.124
Lets quickly see what other domains besides google.com are listed by filtering out google.com. You can also import this into a spreadsheet and filter your results with it.
#grep -v google.com 74.126.76.txt ...(trunckated) velure.info,a,126.96.36.199 youtube.ca,a,188.8.131.52 youtube.co.il,a,184.108.40.206 youtube.co.in,a,220.127.116.11 ...(truncated)
This technique has worked out great for me. I have the user agent set as a Yahoo crawler, but you can change the variable to anything you like.