DNS discoveries allow you to scan assets without requiring authentication or any other specific configuration. However, they are not exhaustive and are relatively slow compared to authenticated discoveries.
If your IT infrastructure uses internal DNS zones that you wish to scan, for example those of an Active Directory domain controller, please make sure your Cyberwatch sources are configured to use them, which is generally the case with DHCP.
DNS enumeration
The DNS enumeration discovery takes a base domain name and searches for its subdomains. It uses two sources of data: a list of the most common subdomains, and the data published through Certificate Transparency.
The enumeration of the most common subdomains uses a dictionary, and generates in the order of 10 000 UDP requests to the DNS name servers, which takes a few minutes, but usually less than 10 minutes. The discovery will attempt to resolve each potential subdomain, and list the ones with an associated IP address. For example, with domain example.com
, the discovery will most likely find www.example.com
, smtp.example.com
and many other. However, subdomains specific to an organization will most likely remain undetected.
To enrich the list of possible subdomains, Cyberwatch provides a Certificate Transparency data lookup service to find subdomains for which a TLS certificate has been emitted. This mode will quickly list secured subdomains, but will not detect unsecured subdomains, or domains secured with a wildcard certificate.
By default, both modes are enabled, but you can disable the dictionary enumeration from the discovery configuration page to make the discovery much faster, though less comprehensive.
To create a DNS enumeration discovery:
Go to Discoveries, and click Add then DNS enumeration in the Domain names category.
In field Target, specify your base FQDN. Default search domains are not taken into account, so any relative domain name needs to be qualified by the user.
Click Confirm.
The discovery data will be processes in the background and the results available from Discoveries as soon the the task is complete.
Reverse DNS
It is conventional to associate to each IP a domain name to identify it, using PTR DNS records. They are queriable by issuing a reverse DNS lookup.
Reverse DNS discoveries will perform a reverse DNS lookup for each IP address in a range, and list all the IP addresses with an associated domain name as discovered assets.
To create an reverse DNS discovery:
- Go to Discoveries, and click Add then click Reverse DNS in the Reverse DNS category.
- Fill field Target with the IP range you wish to scan, for example
10.10.1.0/24
. - Click Confirm.
The discovery data will be processes in the background and the results available from Discoveries as soon the the task is complete.