Scavenge Notes
Scavenge appears to be quite similar to another tool called dlint. More information about dlint can be found here. The obvious differences are that scavenge is written in Perl and does active discovery, while dlint is written in shell and looks at forward and reverse zones.
Another very similar but commercial application is DNS Audit by SolarWinds.
DNS Audit will scan a range of IP addresses and perform a reverse DNS lookup for each address. If it receives a DNS response for an address, it will then do a forward DNS lookup and verify that the forward and reverse DNS records match.
It provides audit reports in different formats, but unfortunately it is quite costly (as part of a larger suite) and it only runs on Windows.
Smurfs
Noticed recently (2006-10-18) that besides Up and Down there may sometimes be Smurf in the nmap output, which can result in a weird line of output...
Smurf Missing PTR 192.168.1.255 => () =>
Obviously misleading since having a PTR for a broadcast IP address is not usually done.
(TODO) Squish false-positive Mismatch PTRs?
One situation still needs to be worked out: an A record whose address has multiple PTR records. Here is an example (from scavenge -f):
Up Mismatch PTR ns2.foster.dmz => (192.168.1.2) => horton.foster.dmz,ns2.foster.dmz
I think it would be better to NOT produce a Mismatch PTR if any of the PTRs for 192.168.1.2 contain the original A record (ns2.foster.dmz).
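The proposed rule, sketched as an added example (this is not scavenge's own code, which is Perl). The function names and the strict flag are hypothetical, and the zone data is constructed apart from the ns2/horton pair taken from the report line above.

```python
# Added example. Zone data is constructed, except the ns2/horton pair,
# which comes from the report line quoted in these notes.
A_RECORDS = {
    "ns2.foster.dmz": ["192.168.1.2"],
    "mail.foster.dmz": ["192.168.1.3"],   # constructed
    "www.foster.dmz": ["192.168.1.4"],    # constructed
}
PTR_RECORDS = {
    "192.168.1.2": ["horton.foster.dmz.", "NS2.foster.dmz."],
    "192.168.1.3": ["old-mail.foster.dmz."],  # constructed: a real mismatch
    # 192.168.1.4 deliberately has no PTR
}


def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def check_forward(name, a_records, ptr_records, strict=False):
    """Classify each A record of `name` against the PTRs of its address.

    strict=True flags any PTR set that is not exactly the original name
    (assumed to be what produces the line quoted above); strict=False
    applies the proposed rule: one matching PTR is enough.
    """
    want = normalize(name)
    results = []
    for ip in a_records.get(name, []):
        ptrs = sorted(normalize(p) for p in ptr_records.get(ip, []))
        if not ptrs:
            status = "Missing PTR"
        elif ptrs == [want] or (not strict and want in ptrs):
            status = "OK"
        else:
            status = "Mismatch PTR"
        results.append((status, ip, ptrs))
    return results


def report_line(name, status, ip, ptrs):
    """Format a finding in the layout of the report lines in these notes."""
    return f"{status} {name} => ({ip}) => {','.join(ptrs)}"


if __name__ == "__main__":
    for host in A_RECORDS:
        for status, ip, ptrs in check_forward(host, A_RECORDS, PTR_RECORDS):
            print(report_line(host, status, ip, ptrs))
```

With the relaxed rule, ns2.foster.dmz is reported as OK, while the constructed mail.foster.dmz entry, whose only PTR names a different host, is still flagged.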
CNAME issues
Scavenge does not look at CNAMEs, although it could. A simple dereference of a CNAME could reveal whether the value exists in DNS, either as an A record or as another CNAME. Recursive checking would probably be much more difficult and problematic.
Telltale signs you have DNS corruption
If you see this type of statement in your logfiles, you may find scavenge can help!
May 25 15:05:39 lu04 rpc.mountd: Fake hostname port-1ei53saypm for 10.4.12.31 - forward lookup doesn't exist
Conversion to DEB format using Alien
I use alien to convert from the RPM to DEB format; however, the dependency on Net::DNS seems to have been lost in the translation. In any case, quick-fixed by doing aptitude install libnet-dns-perl.
jetson:~/tmp# alien -v -d scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{SUMMARY} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{POSTIN} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{NAME} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{POSTUN} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{PREUN} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{RELEASE} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{PREFIXES} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{CHANGELOGTEXT} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{COPYRIGHT} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{DESCRIPTION} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{ARCH} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{VERSION} scavenge-1.3-1.i386.rpm
LANG=C rpm -qp --queryformat %{PREIN} scavenge-1.3-1.i386.rpm
LANG=C rpm -qcp scavenge-1.3-1.i386.rpm
rpm -qpi scavenge-1.3-1.i386.rpm
LANG=C rpm -qpl scavenge-1.3-1.i386.rpm
mkdir scavenge-1.3
chmod 755 scavenge-1.3
rpm2cpio scavenge-1.3-1.i386.rpm | (cd scavenge-1.3; cpio --extract --make-directories --no-absolute-filenames --preserve-modification-time) 2>&1
find scavenge-1.3 -type d -perm 775 -print0 | xargs --no-run-if-empty -0 chmod 755
chown 0:0 scavenge-1.3//usr/local/sbin/scavenge
chmod 755 scavenge-1.3//usr/local/sbin/scavenge
mkdir scavenge-1.3/debian
hostname -f
822-date
hostname -f
822-date
chmod 755 scavenge-1.3/debian/rules
debian/rules binary 2>&1
scavenge_1.3-2_i386.deb generated
find scavenge-1.3 -type d -exec chmod 755 {} ;
rm -rf scavenge-1.3
jetson:~/tmp# dpkg -i scavenge_1.3-2_i386.deb
Selecting previously deselected package scavenge.
(Reading database ... 84208 files and directories currently installed.)
Unpacking scavenge (from scavenge_1.3-2_i386.deb) ...
Setting up scavenge (1.3-2) ...
jetson:~/tmp# dpkg -L scavenge
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/scavenge
/usr/share/doc/scavenge/copyright
/usr/share/doc/scavenge/changelog.Debian.gz
/usr/local
/usr/local/sbin
/usr/local/sbin/scavenge
jetson:~/tmp# /usr/local/sbin/scavenge -r 10.1.253.12-15
Can't locate Net/DNS.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.7 /usr/local/share/perl/5.8.7 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .) at /usr/local/sbin/scavenge line 9.
BEGIN failed--compilation aborted at /usr/local/sbin/scavenge line 9.