Scavenge

From ConShell
Jump to: navigation, search

Contents

About Scavenge

Keywords: dns, records, audit, cleanup, clean, stale, mismatch, incorrect, outdated, scavenge, scavenger, scavenging, scour, remove, update, nsupdate, ptr, a, forward, reverse, zone, nmap, network

Scavenge is a program to find old, outdated and incorrect DNS records. It's current method is to enumerate a network range such as 10.1.0.0/16. So it looks at the namespace from the reverse (PTR) perspective. The newest version 2.x (see below) supports interrogation from the forward perspective.

DNS Scavenging is a term commonly used with Microsoft DNS which supports active tracking and cleanup of stale records (when enabled). I realized the BIND had no concept of this and the other tools I found (e.g. dnswalk) did not quite fit the bill -- I wanted a report of stale records which could be manually validated before deletion.


What does Scavenge find?

For each IP in the range it checks...

  • If the host is DOWN...
    • If a PTR record is found and the hostname provided resolves to NXDOMAIN, it reports as Stale A
    • If the hostname provided above resolves to an A record which, in turn, does not match the original IP, it reports as Stale PTR+A
  • If the host is UP ...
    • If a PTR record is found and the hostname provided resolves to NXDOMAIN, it reports Missing A
    • If a PTR record is found and the hostname provided resolves, in turn, to an A record which does match the original IP, it reports Mismatch A
    • If a PTR record is not found it reports Missing PTR

Usage

scavenge [-r ip-range] [-d][-h]
 -r ip-range e.g. 192.168.0.1-255
               or 192.168.0.0/16
               or 192.168.0.0/24
               or '192.88-90.*.*'
 -d turn on debugging
 -h this help message
 
 Note that this command reads from STDIN unless -r is used. The input format
 should be the greppable-format produced by nmap -oG

Once installed, you can use the command perldoc scavenge to see more information.

Here is a snippet of actual output from the program auditing a small subnet.

 scavenge -r 10.1.253.0/24
 ...
 Down    Stale PTR+A     10.1.253.130 => (f32-1952-kr4.example.org) => 10.1.253.130
 Up      Missing A       10.1.253.131 => (DART-DB2707E9A5) => NXDOMAIN
 Down    Stale PTR+A     10.1.253.132 => (f32-1605-PLP) => 10.1.253.132
 Up      Mismatch A      10.1.253.137 => (f32-1910-GJV.example.org) => 10.1.249.106
 Down    Stale PTR       10.1.253.138 => (p6j.example.com) => NXDOMAIN
 ...

As shown above, there is no host responding at 10.1.253.130, yet a PTR exists in DNS, as well as a corresponding A record for the PTR. Both records may likely be removed from DNS. On the other hand, 10.1.253.131 is responding and has a PTR record, but the corresponding A record is not found - thus scavenge reports it as a Missing A. Finally, 10.1.253.237 is responding and has a valid PTR record, but the corresponding A record points to a different IP address than we started with - thus reported as a Mismatch A.

Scavenge can also use the output from a previous run of nmap -sP <range> -oG <file> where file is the output in greppable (-oG) format. See nmap -h for more details about that.


info.gif Running scavenge as non-root can lead to erroneous results about which hosts are really up.

Here's what Fyodor (author of nmap) had to say about that:

 You need to be root to send "real" ICMP pings (which is why the   
 ping app is setuid).  The Nmap workaround for nonroot users isn't 
 always as effective.

Not only that, but nmap seems to have some issues identifying "UP" hosts on local nets - see the bug report.


License

Scavenge is open source software licensed under the GPL.

Downloads

Tarball Visit https://sourceforge.net/projects/scavenge/files to find the latest source tarball

FreeBSD

  • Scavenge can be found in the ports tree at dns/scavenge or installed using pkg_add -r scavenge
  • See the freshports page for more information.

Linux: Redhat, CentOS, SUSE, etc... (RPM)

Should work on most any RPM-based distribution as long as Net::DNS perl module is installed and nmap is available.

Visit https://sourceforge.net/projects/scavenge/files to find various RPMS including the SRPM and SPEC file.

Linux: Debian, Ubuntu (DEB)

See the ScavengeNotes page for an explanation of using alien to generate a .deb package from the .rpm.

Nobody has yet added scavenge as a package for Debian or Ubuntu. Any volunteers? It is fairly simple thus a good starting point for someone to learn the ropes of DebianPackaging.

Discussion

New and continuing users/developers of scavenge may consider scavenge-users@lists.sourceforge.net mailing list.

Report bugs

Bug reports and feature requests can be added to the sourceforge site.

Known bugs

2005-06-20 - Multiple PTRs: if IP resolves to multiple PTR records, the following conditions apply:

 Host Up => 
 Host Down => only the first PTR encountered is evaluated and shown

2005-06-29 - Existence of a filename matching the wildcard causes failure.

 scavenge -r '172.16.100.*'
 Failed to resolve given hostname/IP: 172.16.100.txt.  Note that you can't use '/mask'
   AND '[1-4,7,100-]' style IP ranges
 WARNING: No targets were specified, so 0 hosts scanned.

So for example, a filename of 172.16.100.txt matched the above range, so it was interpolated by the shell and nmap didn't know what to do with it.

The Scavenge Notes page also talks about some bugs and known issues.

Development

scavenge is a registered Sourceforge project. See https://sourceforge.net/projects/scavenge/

Thus, users and developers with a sourceforge account may contribute to the code, send in patches etc.

Requirements

Scavenge needs nmap, perl 5.x or higher, and the [Net::DNS] perl module .

On Debian and Ubuntu these can be easily installed like so:

aptitude install nmap libnet-dns-perl


See Also

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox