Interesting paper by Steve Bellovin - Worm propagation in a v6 internet

> I suggest that you re-read RFC 1034 and RFC 1035. An empty
> node returns NOERROR. A non-existent node returns NXDOMAIN
> (Name Error).

Right. This means depth-first walk, which will reduce the *possible*
address space to probe, but that is the antithesis of traditional scanning
(which is often at least partly stochastic). To a worm, the benefit of
stochastic scanning is that no collaboration between infected hosts is
needed; but with a walking traversal, you have to have some kind of
statekeeping if the walk search is not intended to take ~forever.

I can see this vector as being useful for scanning within some specific
organization's subnet, but even then, you'll need some kind of collaboration
with NDP solicitations for most internal setups. Stateless autoconfig, for
instance, is unscannable without listening for NDP at the same time -- and
from a remote network, you can basically forget it.

  And I expect that machines using stateless autoconfig will
  update their forward and reverse records in the DNS. The
  reasons for doing this are independent of the mechanism of
  address assignment. Too many services will not work unless
  there is a valid PTR / address combination.