Finding unused IP addresses and invalid DNS entries

The method in the example below will not eliminate every invalid DNS entry, nor will it find IPs that are live but unused. It does, however, give you a fairly efficient way to find unused IPs that are not pingable at the moment, together with a list of potentially invalid reverse-lookup (PTR) entries, which in turn gives you the clues you need to start looking for invalid A records, etc.

For this example I am going to assume we want to find unused IP addresses and potentially invalid DNS entries for the network range 192.168.1.1-100.

From the prompt of your Linux host with nmap installed, run:

nmap -v -sP 192.168.1.1-100|grep down |for i in `awk '{print $2}'`;do host $i;done

  • nmap -v -sP 192.168.1.1-100 - performs a ping scan and returns the up/down status for every address in the specified range
  • grep down - filters the list down to the non-pingable hosts only
  • for i in `awk '{print $2}'`;do host $i;done - extracts the IP address (the second field of each remaining line) and runs a reverse lookup with host [ip address] for each one

One could easily substitute nslookup or dig for host, but I chose host because it keeps the output short and readable.

Bottom line is that if you see output similar to the following:

Host 5.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

Then you can probably safely use 192.168.1.5 for a new device and DNS entry, although it would be safer to check the DNS zone for forward (A) records that still point at that IP first.

On the other hand, if you see output similar to:

5.1.168.192.in-addr.arpa domain name pointer name.domain.com

Then you most likely have either a system that is shut down at the moment and still uses that address, or an invalid/outdated DNS entry that needs cleaning up.

One could easily schedule this command to run from cron and send the output to an email address or ticketing system for regularly scheduled DNS maintenance.
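As an added example (not part of the original post), here is the same pipeline split into functions so it can be tested without a network. The sample nmap and host output is constructed for the example; one caveat it handles is that `awk '{print $2}'` only works with the classic "Host X appears to be down." line, while newer nmap versions print "Nmap scan report for X [host down]", so the IP is picked out by pattern instead of by field number.

```shell
#!/bin/sh
# Constructed sample of `nmap -v -sP` output in both the classic and the
# newer line format. These are made-up lines, not a real scan.
SAMPLE_NMAP='Starting Nmap ( https://nmap.org )
Host 192.168.1.1 appears to be up.
Host 192.168.1.5 appears to be down.
Nmap scan report for 192.168.1.7 [host down]
Nmap scan report for 192.168.1.8
Host is up (0.0010s latency).
Nmap done: 4 IP addresses (2 hosts up) scanned in 1.02 seconds'

# Print one IP per line for every host nmap reported as down, picking the
# IPv4 token by pattern so either nmap output format works.
down_ips() {
    grep -i 'down' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
    }'
}

# Classify one `host <ip>` result for the maintenance report:
#   free  - NXDOMAIN, no PTR record: the address is probably unused
#   check - a PTR exists but the host is not pingable: a powered-off
#           system or a stale reverse entry to follow up on
classify_ptr() {
    ip="$1"; lookup="$2"
    case "$lookup" in
        *NXDOMAIN*)              echo "$ip free" ;;
        *"domain name pointer"*) echo "$ip check ${lookup##* }" ;;
        *)                       echo "$ip unknown" ;;
    esac
}

# Build the report from the sample data. On a real host, feed down_ips
# from `nmap -v -sn 192.168.1.1-100` (-sn is the current name for -sP)
# and replace the constructed lookups below with `lookup=$(host "$ip")`.
report() {
    printf '%s\n' "$SAMPLE_NMAP" | down_ips | while read -r ip; do
        case "$ip" in
            192.168.1.5) lookup='Host 5.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)' ;;
            192.168.1.7) lookup='7.1.168.192.in-addr.arpa domain name pointer name.domain.com.' ;;
            *)           lookup='' ;;
        esac
        classify_ptr "$ip" "$lookup"
    done
}
```

Running `report` prints one line per non-pingable address; the "check" lines are the ones to hand to the ticketing system.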
