Scavenge

From ConShell

About Scavenge

Scavenge is a Perl script that audits DNS records to find old, outdated and incorrect entries. It can enumerate the DNS namespace in either the forward (A) or the reverse (PTR) direction. For instance, it can traverse a network range such as 10.1.0.0/16, discover all the PTR records for those IPs and also see which of them respond to an ICMP ping.

Scavenging is a term associated with Microsoft DNS which supports active tracking and cleanup of stale records (but this capability must be enabled). I saw that BIND had no concept of this and the other tools I found (e.g. dnswalk) did not quite fit the bill -- I wanted a report of stale records which could be manually validated before deletion.

Keywords: dns, record, audit, cleanup, clean, scrub, purge, stale, mismatch, incorrect, outdated, scavenge, scavenger, scavenging, scour, remove, update, nsupdate, ptr, a, forward, reverse, zone, nmap, network

What does Scavenge find?

For each IP address in the range or hostname in the specified domain, it checks the host with a ping and then compares the reverse and forward records:

  • If the host is DOWN...
    • If a PTR record is found and the hostname it provides resolves to NXDOMAIN, it reports Stale PTR
    • If the hostname provided above resolves to an A record which, in turn, matches the original IP, it reports Stale PTR+A (both records belong to a host that no longer answers)
  • If the host is UP...
    • If a PTR record is found and the hostname it provides resolves to NXDOMAIN, it reports Missing A
    • If a PTR record is found and the hostname it provides resolves, in turn, to an A record which does not match the original IP, it reports Mismatch A
    • If no PTR record is found, it reports Missing PTR

Usage

scavenge [-r ip-range] [-d][-h]
 -r ip-range e.g. 192.168.0.1-255
               or 192.168.0.0/16
               or 192.168.0.0/24
               or '192.88-90.*.*'
 -d turn on debugging
 -h this help message
 
 Note that this command reads from STDIN unless -r is used. The input format
 should be the greppable-format produced by nmap -oG

Once installed, you can use the command perldoc scavenge to see more information.

Here is a snippet of actual output from the program auditing a small subnet.

 scavenge -r 10.1.253.0/24
 ...
 Down    Stale PTR+A     10.1.253.130 => (f32-1952-kr4.example.org) => 10.1.253.130
 Up      Missing A       10.1.253.131 => (DART-DB2707E9A5) => NXDOMAIN
 Down    Stale PTR+A     10.1.253.132 => (f32-1605-PLP) => 10.1.253.132
 Up      Mismatch A      10.1.253.137 => (f32-1910-GJV.example.org) => 10.1.249.106
 Down    Stale PTR       10.1.253.138 => (p6j.example.com) => NXDOMAIN
 ...

As shown above, there is no host responding at 10.1.253.130, yet a PTR exists in DNS, as well as a corresponding A record for the PTR. Both records can likely be removed from DNS. On the other hand, 10.1.253.131 is responding and has a PTR record, but the corresponding A record is not found - thus scavenge reports it as a Missing A. Finally, 10.1.253.137 is responding and has a valid PTR record, but the corresponding A record points to a different IP address than the one we started with - thus it is reported as a Mismatch A.

Scavenge can also use the output from a previous run of nmap -sP <range> -oG <file> where file is the output in greppable (-oG) format. See nmap -h for more details about that.
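The classification rules above and the report format of the output snippet, as an added Python example (not the scavenge script itself). The nmap -oG lines and the PTR/A tables are constructed sample data; the handling of a DOWN host whose name resolves to a different IP is not documented on this page and is an assumption.

```python
import re

# Constructed nmap -sP -v -oG output for a small subnet (sample data, not a real scan).
NMAP_OG = """\
# Nmap scan initiated as: nmap -sP -v -oG - 10.1.253.128/28
Host: 10.1.253.130 ()\tStatus: Down
Host: 10.1.253.131 ()\tStatus: Up
Host: 10.1.253.137 ()\tStatus: Up
Host: 10.1.253.138 ()\tStatus: Down
Host: 10.1.253.140 ()\tStatus: Up
# Nmap done
"""
# Constructed in-memory zone data standing in for live PTR and A lookups.
PTR = {"10.1.253.130": "f32-1952-kr4.example.org",
       "10.1.253.131": "DART-DB2707E9A5",
       "10.1.253.137": "f32-1910-GJV.example.org",
       "10.1.253.138": "p6j.example.com"}
A = {"f32-1952-kr4.example.org": "10.1.253.130",
     "f32-1910-GJV.example.org": "10.1.249.106"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(Up|Down)")

def parse_greppable(text):
    """Yield (ip, is_up) for each 'Host:' line of nmap -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            yield m.group(1), m.group(2) == "Up"

def classify(ip, up, ptr_of=PTR, a_of=A):
    """Return (verdict, name, forward) for one IP, or None when nothing is wrong."""
    name = ptr_of.get(ip)
    if name is None:                       # no reverse record at all
        return ("Missing PTR", None, None) if up else None
    fwd = a_of.get(name)                   # None models NXDOMAIN
    if fwd is None:
        return ("Missing A" if up else "Stale PTR", name, "NXDOMAIN")
    if fwd != ip:
        # Up: the name now lives at another address. Down: not covered by the
        # page; treating only the PTR as stale here is an assumption.
        return ("Mismatch A" if up else "Stale PTR", name, fwd)
    # Forward and reverse agree: fine for a live host, both stale for a dead one.
    return None if up else ("Stale PTR+A", name, fwd)

def audit(text):
    """Produce report lines in the same layout as scavenge's output."""
    rows = []
    for ip, up in parse_greppable(text):
        v = classify(ip, up)
        if v:
            rows.append(f"{'Up' if up else 'Down':<8}{v[0]:<16}{ip} => ({v[1] or ''}) => {v[2] or ''}")
    return rows
```

Calling audit(NMAP_OG) yields one line per finding; hosts whose forward and reverse records agree and that answer the ping produce no line, which is what a clean zone looks like.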


Note: Running scavenge as non-root can lead to erroneous results about which hosts are really up.

Here's what Fyodor (author of nmap) had to say about that:

 You need to be root to send "real" ICMP pings (which is why the
 ping app is setuid).  The Nmap workaround for nonroot users isn't
 always as effective.

Not only that, but nmap seems to have some issues identifying "UP" hosts on local nets - see the bug report.


License

Scavenge is open source software licensed under the GPL.

Downloads

Tarball

Visit https://sourceforge.net/projects/scavenge/files to find the latest source tarball.

FreeBSD

  • Scavenge can be found in the ports tree at dns/scavenge or installed using pkg_add -r scavenge
  • See the freshports page for more information.

Linux: Redhat, CentOS, SUSE, etc... (RPM)

It should work on almost any RPM-based distribution as long as the Net::DNS Perl module is installed and nmap is available.

Visit https://sourceforge.net/projects/scavenge/files to find various RPMS including the SRPM and SPEC file.

Linux: Debian, Ubuntu (DEB)

See the Scavenge Notes page for an explanation of using alien to generate a .deb package from the .rpm.

Nobody has yet added scavenge as a package for Debian or Ubuntu. Any volunteers? It is fairly simple thus a good starting point for someone to learn the ropes of DebianPackaging.

Discussion

New and continuing users and developers of scavenge may want to join the scavenge-users@lists.sourceforge.net mailing list.

Report bugs

Bug reports and feature requests can be added to the sourceforge site.

Known bugs

2015-03-16 - nmap stopped reporting DOWN hosts starting with 5.30? (ref). Add the -v flag to nmap incantation to fix. To be fixed in scavenge v2.1.

2005-06-20 - Multiple PTRs: if IP resolves to multiple PTR records, the following conditions apply:

 Host Up => 
 Host Down => only the first PTR encountered is evaluated and shown

2005-06-29 - Existence of a filename matching the wildcard causes failure.

 scavenge -r '172.16.100.*'
 Failed to resolve given hostname/IP: 172.16.100.txt.  Note that you can't use '/mask'
   AND '[1-4,7,100-]' style IP ranges
 WARNING: No targets were specified, so 0 hosts scanned.

So, for example, a file named 172.16.100.txt in the current directory matched the pattern above, the shell expanded the range into that filename, and nmap did not know what to do with it.

The Scavenge Notes page also talks about some bugs and known issues.

Development

scavenge is a registered Sourceforge project. See https://sourceforge.net/projects/scavenge/

Thus, users and developers with a SourceForge account may contribute to the code, send in patches, etc.

Requirements

Scavenge needs nmap, Perl 5.x or higher, and the Net::DNS Perl module.

On Debian and Ubuntu these can be easily installed like so:

aptitude install nmap libnet-dns-perl


See Also