
I am using Tcpdump to read packets sent by nmap. I want to totally disable reverse DNS, so I don't have any packets that look like:

<host>.<port> > _gateway.domain: . . . *.*.*.*.in-addr.arpa. (data_length)

However, if I set the -n flag in foreign scans:

nmap -p <port> -n <foreign_ip_address>

[ in a separate terminal window: sudo tcpdump -vi <local_interface> ]

nmap -sn <foreign_ip_address>

[ in a separate terminal window: sudo tcpdump -vi <local_interface> ]

Or local scans:

nmap -p <port> -n <local_ip_address>/<subnet_mask_length>

[ in a separate terminal window: sudo tcpdump -vi <local_interface> ]

nmap -sn <local_ip_address>/<subnet_mask_length>

[ in a separate terminal window: sudo tcpdump -vi <local_interface> ]

Tcpdump says it is still sending a lot of requests for reverse DNS lookup.

There should be a way for me to totally disable this, right?

2 Answers


The -n option disables reverse DNS lookups for the tcpdump tool, which results in the host addresses and port numbers that tcpdump prints being in numeric form.

However, this doesn't remove reverse DNS lookups from the packet stream that tcpdump sees, which may be sourced by other programs!

You can't "totally disable reverse DNS" with tcpdump, as it isn't tcpdump's job to prevent other programs from doing that. If you think tcpdump output is "telling you what tcpdump [...] is sending" then you misunderstand what this tool does. The tcpdump tool doesn't intentionally send anything (although reverse DNS lookups could be sent as a side effect).

If there are particular things in the tcpdump output that you consider noise and just don't want to see, you need to give tcpdump the right filters so that it ignores them. (For example, not port dns)

user10489

Whoops, I waited longer after running tcpdump in the "control case" and no, the queries don't have anything to do with nmap; they're running in the background.
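The "control case" comparison from the last answer, as an added example that is not part of the original posts: it reads saved one-line tcpdump -n text output, decodes each in-addr.arpa PTR query back to the IPv4 address being looked up, and reports the addresses that are queried only in the capture taken during the scan. The function names and the capture lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# A query sent to port 53 whose question is a PTR for an IPv4 reverse name.
# Assumes tcpdump's one-line text output with -n, so the port prints as "53".
PTR_QUERY = re.compile(r"> \S+\.53: .*?PTR\? ((?:\d{1,3}\.){4})in-addr\.arpa\.")

def ptr_targets(lines):
    """Count the IPv4 addresses that the captured PTR queries ask about."""
    seen = Counter()
    for line in lines:
        m = PTR_QUERY.search(line)
        if not m:
            continue
        # in-addr.arpa names carry the octets in reverse order.
        octets = m.group(1).rstrip(".").split(".")
        try:
            ip = ipaddress.IPv4Address(".".join(reversed(octets)))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255; not a usable reverse name
        seen[str(ip)] += 1
    return seen

def new_in_scan(control_lines, scan_lines):
    """Addresses reverse-resolved during the scan but never in the control run."""
    control = ptr_targets(control_lines)
    return {ip: n for ip, n in ptr_targets(scan_lines).items() if ip not in control}

# Constructed sample captures (private and documentation ranges), not real traffic.
CONTROL = [
    "12:00:01.100000 IP 192.168.1.10.41234 > 192.168.1.1.53: 4660+ PTR? 1.1.168.192.in-addr.arpa. (42)",
    "12:00:01.200000 IP 192.168.1.1.53 > 192.168.1.10.41234: 4660 NXDomain 0/1/0 (101)",
    "12:00:05.300000 IP 192.168.1.10.50111 > 192.168.1.1.53: 4661+ A? example.org. (29)",
]
SCAN = [
    "12:05:00.100000 IP 192.168.1.10.41300 > 192.168.1.1.53: 4700+ PTR? 1.1.168.192.in-addr.arpa. (42)",
    "12:05:02.100000 IP 192.168.1.10.41301 > 192.168.1.1.53: 4701+ PTR? 5.113.0.203.in-addr.arpa. (42)",
    "12:05:03.100000 IP 192.168.1.10.41302 > 192.168.1.1.53: 4702+ PTR? 5.113.0.203.in-addr.arpa. (42)",
    "12:05:04.100000 IP 192.168.1.10.41303 > 192.168.1.1.53: 4703+ PTR? 999.1.1.1.in-addr.arpa. (40)",
]

if __name__ == "__main__":
    print("control:", dict(ptr_targets(CONTROL)))
    print("only during scan:", new_in_scan(CONTROL, SCAN))
```

An empty result from new_in_scan matches what the last answer found: every reverse lookup in the scan window was already present in the control capture.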