Just the other day, Spamhaus was subject to a DDoS attack from an ISP who got upset at being blacklisted. That's par for the course, but what's interesting is that the ISP used DNS amplification to boost their DDoS capabilities. Lately at work we've been working on shutting down our open DNS proxies. Once upon a time, on the naive Internet, they were fine. But as evidenced by this latest attack, such is not the case any longer.
Shutting down the DNS servers we knew about was easy, of course. But what about the ones we didn't know of? Well, that's where a handy port scanner comes into play. There are a number of DNS scanners out there, but I found them all lacking in some regard. So I whipped up my own.
I had just a few requirements:
- Recursive DNS query
- Easily parseable text output
- Multithreaded. Non-blocking sockets would have been awesome too, but this worked well enough so I didn't go there.
Overall, very satisfied. With 60 threads it chews up a ridiculous amount of RAM (about 700MB), but can scan a /18 in 30 minutes. Better than the 800 minutes a single-threaded app would take.
Usage: dns-scan.pl [options] [CIDR block]

    --threads  - how many threads to use
    --quiet - don't print anything
    --timeout  - how many seconds to wait before assuming the port is closed
    --search [www.google.com] - what domain to use in the DNS search.
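
The recursive-query check behind the first requirement, as an added Python example (this is not the dns-scan.pl code, which is not shown here): it builds a query with the Recursion Desired bit set and classifies a reply from its header flags, for auditing address space you operate. The function names, status strings and sample replies are assumptions constructed for illustration.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits (RFC 1035)

def build_query(name: str, txid: int) -> bytes:
    """A-record query with the Recursion Desired (RD) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def classify_response(data: bytes, txid: int) -> str:
    """Classify a reply to build_query() using only its 12-byte header.

    Query a name the server is not authoritative for, so that an answer
    can only have come from recursion on the asker's behalf.
    """
    if len(data) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR:
        return "invalid"            # wrong transaction ID, or not a response
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"            # REFUSED: recursion denied to this client
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-recursive"     # resolved the name for an outside asker
    return "no-recursion"

def report_line(ip: str, status: str) -> str:
    """One tab-separated line per host, easy to grep or cut."""
    return f"{ip}\t{status}"

def sample_reply(txid: int, flags: int, ancount: int) -> bytes:
    """Constructed header-only reply for the demo (not captured traffic)."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    txid = 0x1234
    constructed = {                  # TEST-NET addresses, constructed replies
        "192.0.2.10": sample_reply(txid, QR | RD | RA, 1),
        "192.0.2.11": sample_reply(txid, QR | RD | 5, 0),
        "192.0.2.12": sample_reply(txid, QR | RD, 0),
    }
    for ip, reply in constructed.items():
        print(report_line(ip, classify_response(reply, txid)))
```
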