Keywords: dns, records, audit, cleanup, clean, stale, mismatch, incorrect, outdated, scavenge, scavenger, scavenging, scour, remove, update, nsupdate, ptr, a, forward, reverse, zone, nmap, network
Scavenge is a program to audit for old, stale and incorrect DNS records. It is able to enumerate the DNS namespace from forward (A) or reverse (PTR) vector. For instance, it can walk a network range such as 10.1.0.0/16, discover all the PTR records for those IPs and also see which of them respond to an ICMP Ping.
Scavenging is a term associated with Microsoft DNS which supports active tracking and cleanup of stale records (but this capability must be enabled). I saw that BIND had no concept of this and the other tools I found (e.g. dnswalk) did not quite fit the bill -- I wanted a report of stale records which could be manually validated before deletion.
What does Scavenge find?
For each IP in the range it checks...
- If the host is DOWN...
  - If a PTR record is found and the hostname provided resolves to NXDOMAIN, it reports as Stale A
  - If the hostname provided above resolves to an A record which, in turn, does not match the original IP, it reports as Stale PTR+A
- If the host is UP ...
  - If a PTR record is found and the hostname provided resolves to NXDOMAIN, it reports Missing A
  - If a PTR record is found and the hostname provided resolves, in turn, to an A record which does match the original IP, it reports Mismatch A
  - If a PTR record is not found it reports Missing PTR
    scavenge [-r ip-range] [-d][-h]
      -r ip-range   e.g. 192.168.0.1-255 or 192.168.0.0/16 or 192.168.0.0/24 or '192.88-90.*.*'
      -d            turn on debugging
      -h            this help message

Note that this command reads from STDIN unless -r is used. The input format should be the greppable format produced by nmap -oG.
Once installed, you can use the command perldoc scavenge to see more information.
Here is a snippet of actual output from the program auditing a small subnet.
    scavenge -r 10.1.253.0/24
    ...
    Down Stale PTR+A 10.1.253.130 => (f32-1952-kr4.example.org) => 10.1.253.130
    Up Missing A 10.1.253.131 => (DART-DB2707E9A5) => NXDOMAIN
    Down Stale PTR+A 10.1.253.132 => (f32-1605-PLP) => 10.1.253.132
    Up Mismatch A 10.1.253.137 => (f32-1910-GJV.example.org) => 10.1.249.106
    Down Stale PTR 10.1.253.138 => (p6j.example.com) => NXDOMAIN
    ...
As shown above, there is no host responding at 10.1.253.130, yet a PTR exists in DNS, as well as a corresponding A record for the PTR. Both records can likely be removed from DNS. On the other hand, 10.1.253.131 is responding and has a PTR record, but the corresponding A record is not found, so scavenge reports it as a Missing A. Finally, 10.1.253.137 is responding and has a valid PTR record, but the corresponding A record points to a different IP address than we started with, so it is reported as a Mismatch A.
Scavenge can also use the output from a previous run of nmap -sP <range> -oG <file> where file is the output in greppable (-oG) format. See nmap -h for more details about that.
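The PTR-then-A round trip behind these reports, as an added Python example (not scavenge's own Perl code): it reads greppable host lines and applies the labels seen in the sample output above. The lookup tables, the hosts 10.1.253.140 and 10.1.253.141 and all function names are constructed for the example, and labelling a down host Stale PTR+A whenever its name still resolves is an assumption.

```python
import re

# Constructed `nmap -sP -v -oG` host lines; addresses mirror the sample output.
NMAP_OG = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.1.253.130 ()\tStatus: Down\n"
    "Host: 10.1.253.131 ()\tStatus: Up\n"
    "Host: 10.1.253.137 ()\tStatus: Up\n"
    "Host: 10.1.253.138 ()\tStatus: Down\n"
    "Host: 10.1.253.140 ()\tStatus: Up\n"
    "Host: 10.1.253.141 ()\tStatus: Up\n"
)
# Constructed zone data standing in for live PTR and A lookups.
PTR = {"10.1.253.130": "f32-1952-kr4.example.org", "10.1.253.131": "DART-DB2707E9A5",
       "10.1.253.137": "f32-1910-GJV.example.org", "10.1.253.138": "p6j.example.com",
       "10.1.253.141": "ok.example.org"}
A = {"f32-1952-kr4.example.org": "10.1.253.130",
     "f32-1910-gjv.example.org": "10.1.249.106", "ok.example.org": "10.1.253.141"}
HOST_LINE = re.compile(r"^Host: (\S+) \(.*?\)\s+Status: (Up|Down)\s*$")

def lookup_a(name):
    return A.get(name.lower())          # DNS names compare case-insensitively

def classify(ip, is_up, ptr=PTR.get, fwd=lookup_a):
    """Return (label, name, answer); label is None when there is nothing to report."""
    name = ptr(ip)
    if name is None:
        return ("Missing PTR" if is_up else None), None, None
    addr = fwd(name)
    if addr is None:
        return ("Missing A" if is_up else "Stale PTR"), name, "NXDOMAIN"
    if is_up:
        return ("Mismatch A" if addr != ip else None), name, addr
    # Host is down but PTR and A both still exist (assumption: any A answer counts).
    return "Stale PTR+A", name, addr

def audit(greppable):
    """Classify every Host/Status line; comment and other lines are skipped."""
    rows = []
    for line in greppable.splitlines():
        m = HOST_LINE.match(line)
        if m:
            label, name, addr = classify(m.group(1), m.group(2) == "Up")
            if label:
                rows.append((m.group(2), label, m.group(1), name, addr))
    return rows

if __name__ == "__main__":
    for status, label, ip, name, addr in audit(NMAP_OG):
        print(f"{status:<4} {label:<12} {ip} => ({name}) => {addr}")
```

For live data, pass resolver-backed callables as `ptr` and `fwd`; both must return None on NXDOMAIN.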
Running scavenge as non-root can lead to erroneous results about which hosts are really up.
Here's what Fyodor (author of nmap) had to say about that:
You need to be root to send "real" ICMP pings (which is why the ping app is setuid). The Nmap workaround for nonroot users isn't always as effective.
Not only that, but nmap seems to have some issues identifying "UP" hosts on local nets - see the bug report.
Scavenge is open source software licensed under the GPL.
Tarball
Visit https://sourceforge.net/projects/scavenge/files to find the latest source tarball.
- Scavenge can be found in the ports tree at dns/scavenge or installed using pkg_add -r scavenge
- See the freshports page for more information.
Linux: Redhat, CentOS, SUSE, etc... (RPM)
Should work on almost any RPM-based distribution as long as the Net::DNS Perl module is installed and nmap is available.
Visit https://sourceforge.net/projects/scavenge/files to find various RPMS including the SRPM and SPEC file.
Linux: Debian, Ubuntu (DEB)
See the Scavenge Notes page for an explanation of using alien to generate a .deb package from the .rpm.
Nobody has yet added scavenge as a package for Debian or Ubuntu. Any volunteers? It is fairly simple, and thus a good starting point for someone to learn the ropes of DebianPackaging.
New and continuing users/developers of scavenge may consider the firstname.lastname@example.org mailing list.
Bug reports and feature requests can be added to the sourceforge site.
2015-03-16 - nmap stopped reporting DOWN hosts starting with 5.30? (ref). Add the -v flag to the nmap incantation to fix. To be fixed in scavenge v2.1.
2005-06-20 - Multiple PTRs: if IP resolves to multiple PTR records, the following conditions apply:
Host Up => Host Down => only the first PTR encountered is evaluated and shown
2005-06-29 - Existence of a filename matching the wildcard causes failure.
    scavenge -r '172.16.100.*'
    Failed to resolve given hostname/IP: 172.16.100.txt.  Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges
    WARNING: No targets were specified, so 0 hosts scanned.
In this example, a file named 172.16.100.txt matched the above range, so the shell expanded the wildcard to that filename and nmap didn't know what to do with it.
The Scavenge Notes page also talks about some bugs and known issues.
scavenge is a registered Sourceforge project. See https://sourceforge.net/projects/scavenge/
Thus, users and developers with a sourceforge account may contribute to the code, send in patches etc.
aptitude install nmap libnet-dns-perl