Don't Forget The "-n" Command Line Switch

    Published: 2025-08-21. Last Updated: 2025-08-21 06:13:16 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    A lot of people like the command line, the CLI, the shell (name it as you want) because it provides a lot of powerful tools to perform investigations. The best example is probably parsing logs! Even if we have SIEM to ingest and process them, many people still fall back to the good old suite of grep, cut, awk, sort, uniq, and many more.

    They are also many tools that help to process network data like PCAP files or more log files. Most of them offer plenty of command line switches to change their behavior but there is one that remain interesting to use in some cases: the “-n”!

    If there is not standardization of command line switches, many tools use “-n” in the same way: It disables DNS resolution of IP addresses. The following tools have this switch:

    • tcpdump
    • tshark
    • ngrep
    • iftop
    • nethogs
    • nmap
    • masscan
    • arping
    • ping
    • netstat
    • ss
    • lsof
    • fuser
    • conntrack
    • iptables
    • ip
    • route

    They are probable many more!

    The risk is the following: If a tool tries to resolve an IP address into its FQDN (Fully Qualified Domain Name), and if the PTR[1] record is delegated to the attacker, he or she may become aware that investigations against the infrastructure are ongoing. Some ISPs implement sub-delegation[2] of reverse DNS to their customers. This means that PTR records can be managed by customers and they could log attempts to resolve in-addr.arpa records! 

    Example:

    $ dig -x 23.30.39.252 @192.168.254.8

; <<>> DiG 9.10.6 <<>> -x 23.30.39.252 @192.168.254.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19658
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;252.39.30.23.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
252.39.30.23.in-addr.arpa. 3582    IN    PTR    23-30-39-252-static.hfc.comcastbusiness.net.

;; Query time: 8 msec
;; SERVER: 192.168.254.8#53(192.168.254.8)
;; WHEN: Thu Aug 21 08:01:45 CEST 2025
;; MSG SIZE  rcvd: 111

    The DNS resolver handling PTR records for this zone will log:

    21-Aug-2025 08:01:45.856 queries: info: client @0x7fd5287c0688 192.168.254.218#64869 (252.39.30.23.in-addr.arpa): query: 252.39.30.23.in-addr.arpa IN PTR +E(0) (192.168.254.8)

    The attacker knows that his/her IP address is being investigated and your IP address can also be disclosed (another good reason to always use a dedicated/anonymous system)

    Note that the opposite is also dangerous. Imagine you find a script containing an arrary of three domains:

    c2 = [ "domain1.top", "domain2.xyz", "domain3.cx" ]

    You can be tempted to resolve all domains but only the last one is the effective C2 server and the others are decoys. The malware should never use them. If you try to resolve them and the attacker controls the primary domain, you'll be spotted!

    [1] https://www.nslookup.io/learning/dns-record-types/ptr/
    [2] https://simpledns.plus/kb/77-how-to-sub-delegate-a-reverse-zone-ipv4

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key

    Keywords: DNS FQDN PTR Resolver
    0 comment(s)
    ISC Stormcast For Thursday, August 21st, 2025 https://isc.sans.edu/podcastdetail/9580

      Comments

      Login here to join the discussion.


      Diary Archives