DNS is one of the richest sources of information a penetration tester can gather. Most organisations assign DNS names based on the function of the host. For example:
- An organisation names its development web servers dev-server or betaServer.
- An organisation in the US may use a DNS name such as encryptUS.
- Companies running firewalls use names like fw-1 or fireworks2.
All of these give the tester hints about the target before a single probe is sent.
By default Nmap performs reverse-DNS resolution (rDNS) for every IP that it finds online. Nmap uses its own stub resolver (a simple resolver that handles all the DNS lookups for the scan), which sends dozens of requests in parallel.
Nmap offers some options the tester can use to tune this behaviour.
-n (No DNS resolution): Sometimes you do not want reverse DNS resolution on your target IPs, because the stub resolver's dozens of requests can slow the scan down. -n simply skips DNS resolution.
The scans below show Nmap with and without -n:
nmap -p 80 www.facebook.com
Above we run a simple Nmap scan against facebook, which takes 0.90 seconds; with -n the scan reports less time.
nmap -n -p 80 www.facebook.com
You may not notice a large difference in scan time when testing a single target, but when pentesting a large infrastructure the time difference becomes significant.
-R (DNS resolution for all targets): By default Nmap performs reverse DNS resolution only on active IPs (hosts that respond), but to resolve all IPs, whether online or offline, use -R.
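Once a scan with -R has reverse-resolved a whole range, the naming patterns described above can be picked out automatically. The following added example (not from the original post, and not Nmap's own code) parses constructed "Nmap scan report for" lines in the format Nmap prints and tags hostnames using a hypothetical keyword-to-role map built from the names the post mentions:

```python
import re

# Constructed sample output of an Nmap run with -R over a small range (not real scan data).
# 10.0.0.4 has no PTR record, so Nmap prints only the address.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for mail.example.net (10.0.0.1)
Nmap scan report for fw-1.example.net (10.0.0.2)
Nmap scan report for dev-server.example.net (10.0.0.3)
Nmap scan report for 10.0.0.4
Nmap scan report for betaServer.example.net (10.0.0.5)
Nmap scan report for fireworks2.example.net (10.0.0.6)
Nmap done: 8 IP addresses (0 hosts up) scanned in 0.05 seconds
"""

# Hypothetical map from a hostname prefix to the role it hints at.
ROLE_HINTS = {
    "dev": "development",
    "beta": "development",
    "fw": "firewall",
    "fire": "firewall",
}

# Matches both "name (ip)" and a bare "ip" when rDNS returned nothing.
REPORT_LINE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))$")


def parse_rdns(output):
    """Return {ip: hostname or None} from Nmap 'scan report' lines."""
    hosts = {}
    for line in output.splitlines():
        m = REPORT_LINE.match(line.strip())
        if not m:
            continue  # skip banner and summary lines
        name, ip, bare_ip = m.groups()
        hosts[ip or bare_ip] = name  # None when no PTR record exists
    return hosts


def classify(hosts):
    """Tag each resolved hostname with the role its leading label suggests."""
    roles = {}
    for ip, name in hosts.items():
        if name is None:
            continue  # nothing to infer from a bare address
        label = name.split(".")[0].lower()
        for prefix, role in ROLE_HINTS.items():
            if label.startswith(prefix):
                roles[ip] = role
                break
    return roles
```

Unmatched names such as mail.example.net are left untagged so the tester can review them by hand.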