rbsec/dnscan

Scan result difference and text output

Vincent-Millane opened this issue · 7 comments

Hello,

Thank you for your work.

I am testing dnscan to find some valid domains with all existing tlds.
But for domains that I checked by hand, for which I found several hundred matches, dnscan found only 16 with the command

./dnscan.py -d example -R 1.1.1.1 -T --output example_domains.txt

then

with my DNS server (DNSSEC active)

 python3 dnscan.py -d google -R 127.0.0.1 -T --output google_domains.txt

 python3 dnscan.py -d google -R 1.1.1.1 -T --output google_domains.txt

I have 286 domains on the screen but the google_domains.txt file contains:

[*] Processing domain google
[*] Using specified resolvers: 1.1.1.1
[+] TLD Scan

With the command

 python3 dnscan.py -d google -R 1.1.1.1 -T > google_domains.txt

My file is well populated, but with several line breaks, like this:
...
google.ac - ns1.google.com

google.af - ns1.google.com

google.aero - ns1.101domain.com

google.ad - ns1.google.com
...

NS outputs are not useful to me and will generate a workload.

What tips would help me understand this?
Thank you for your help.

rbsec commented

Good spot, the TLD results are missing in the output. That should be fixed in 7839c2b.

Thanks, it works much better.

Except that I still have a scan problem: the script detects 18 TLDs, whereas by hand (one by one), using a source that does not have all the TLDs, I found 163 matching TLDs.

Any ideas?

for extole...

rbsec commented

Is this when you're running dnscan -T -d google, or some other command?

It's possible your traffic is getting dropped by the DNS server, so try reducing the threads with -t 2 and see if that makes any difference.

I am trying it.
By the way, can dnscan detect TLDs that are in "Pre-register" mode?
Should I count them, since they can go into production at any time?
That could explain the difference.

rbsec commented

Dnscan looks to see if the domain has any NS records - because if it doesn't then it's not really usable on the public Internet. Of course, the fact that it has NS records doesn't necessarily mean that it has any A records, so you may get domains that don't resolve.
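
As an added illustration (not dnscan's own code, and not something rbsec posted), the sketch below models the two points made in this thread: a TLD only counts when `domain.tld` has NS records (an NS delegation says nothing about A records, so a counted name may still not resolve), and queries go through a bounded thread pool like `-t`, with failed queries reported separately so that dropped or throttled traffic shows up as "retry these" instead of silently becoming "no result". `dnspython_lookup` assumes the dnspython package is installed; `FAKE_ZONE` and `fake_lookup` are constructed stand-ins so the scan runs offline.

```python
import concurrent.futures
from typing import Callable, Dict, Iterable, List, Tuple

# Lookup function type: given a fully qualified name, return its NS hostnames.
# It returns [] when the name has no NS records (NXDOMAIN / NoAnswer) and
# raises for transport-level failures (timeout, REFUSED, SERVFAIL).
NsLookup = Callable[[str], List[str]]


def check_tld(domain: str, tld: str, lookup: NsLookup) -> Tuple[str, List[str], bool]:
    """Return (name, ns_records, errored) for domain.tld."""
    name = f"{domain}.{tld}"
    try:
        return name, sorted(lookup(name)), False
    except Exception:
        # A failed query is not evidence that the name is unused; report it
        # separately so that dropped or rate-limited traffic is visible.
        return name, [], True


def scan_tlds(domain: str, tlds: Iterable[str], lookup: NsLookup,
              threads: int = 2) -> Tuple[Dict[str, List[str]], List[str]]:
    """Query every domain.tld for NS records using a bounded thread pool.

    Returns (found, errored): found maps names that have NS records to those
    records; errored lists names whose query failed and should be retried,
    typically with fewer threads.
    """
    found: Dict[str, List[str]] = {}
    errored: List[str] = []
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        for name, ns, err in pool.map(lambda t: check_tld(domain, t, lookup), tlds):
            if err:
                errored.append(name)
            elif ns:
                found[name] = ns
    return found, errored


def format_results(found: Dict[str, List[str]], with_ns: bool = True) -> str:
    """Render one result per line, optionally without the NS hostname."""
    lines = []
    for name in sorted(found):
        lines.append(f"{name} - {found[name][0]}" if with_ns else name)
    return "\n".join(lines)


def dnspython_lookup(resolver_ip: str, timeout: float = 3.0) -> NsLookup:
    """Build a real NS lookup backed by dnspython (assumed to be installed)."""
    import dns.resolver

    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [resolver_ip]
    resolver.lifetime = timeout

    def lookup(name: str) -> List[str]:
        try:
            answer = resolver.resolve(name, "NS")
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return []  # name does not exist, or exists without an NS delegation
        # Timeouts, NoNameservers etc. propagate and are counted as errors.
        return [str(rr.target).rstrip(".") for rr in answer]

    return lookup


# Constructed offline stand-in for a resolver; every name and host is made up.
FAKE_ZONE = {
    "example.com": ["ns1.example.com", "ns2.example.com"],
    "example.net": ["ns1.example.net"],
    "example.org": [],  # exists but has no NS delegation, so it is not counted
}


def fake_lookup(name: str) -> List[str]:
    if name.endswith(".xyz"):
        raise TimeoutError("constructed: the resolver dropped this query")
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    found, errored = scan_tlds("example", ["com", "net", "org", "xyz", "io"],
                               fake_lookup, threads=2)
    print(format_results(found, with_ns=False))
    print("queries to retry:", errored)
```

If `errored` is large relative to the TLD list, the resolver is likely dropping queries, which is exactly the case for lowering the thread count and rerunning only the errored names rather than trusting the low total.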

I tested dnscan with different options, with no better results.
I tested DNSrecon, which gave me more results.
I read up on the ICANN site, which indicates that the sites are pre-reserved and will be allocated on a kind of FIFO basis or by auction between candidates.
If you have better information or utilities to share with me, I will be happy to hear from you.
My PM is on my profile.