o [NSE] Added support for edns-client-subnet requests to the DNS library and

the script dns-client-subnet-scan that scans for addresses resolved from
  different subnets. [John Bond]

nselib/dns.lua

@@ -244,6 +244,11 @@ end
 -- * <code>multiple</code>: If true, expects multiple hosts to respond to multicast request
 -- * <code>flags</code>: numeric value to set flags in the DNS query to a specific value
 -- * <code>id</code>: numeric value to use for the DNS transaction id
+-- * <code>nsid</code>: If true, queries the server for the nameserver identifier (RFC 5001)
+-- * <code>subnet</code>: table, if set perform a edns-client-subnet lookup. The table should contain the fields:
+--                        <code>family</code> - string can be either inet or inet6
+--                        <code>address</code> - string containing the originating subnet IP address
+--                        <code>mask</code> - number containing the number of subnet bits 
 -- @return <code>true</code> if a dns response was received and contained an answer of the requested type,
 --  or the decoded dns response was requested (retPkt) and is being returned - or <code>false</code> otherwise.
 -- @return String answer of the requested type, table of answers or a String error message of one of the following:
@@ -284,15 +289,21 @@ function query(dname, options)
     addQuestion(pkt, dname, dtype, class)
     if options.norecurse then pkt.flags.RD = false end
 
-	if ( options.dnssec ) then
+    local dnssec = {}
-		if ( options.nsid ) then
+    if ( options.dnssec ) then
-			addNSID(pkt, {DO = true})
+        dnssec = { DO = true }
-		else
+    end
-			addOPT(pkt, {DO = true})
+
-		end
+    if ( options.nsid ) then
-	elseif ( options.nsid ) then
+        addNSID(pkt, dnssec)
-		addNSID(pkt, {})
+    elseif ( options.subnet ) then
-	end
+		local family = { ["inet"] = 1, ["inet6"] = 2 }
+		assert( family[options.subnet.family], "Unsupported subnet family")
+		options.subnet.family = family[options.subnet.family]
+        addClientSubnet(pkt, dnssec, options.subnet )
+    elseif ( dnssec.DO ) then
+        addOPT(pkt, {DO = true})
+    end
 
 	if ( options.flags ) then pkt.flags.raw = options.flags end
 	if ( options.id ) then pkt.id = options.id end
@@ -1296,11 +1307,34 @@ local function encodeOPT_Z(flags)
     return table.concat(bits)
 end
 
+---
+-- Adds an client-subnet paylod to the OPT packet
+-- implementing http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-00
+-- @param pkt Table representing DNS packet.
+-- @param Z Table of Z flags. Only DO is supported.
+-- @param client_subnet table containing the following fields
+--        <code>family</code>  - 1 IPv4, 2 - IPv6
+--        <code>mask</code>    - byte containing the length of the subnet mask
+--        <code>address</code> - string containing the IP address 
+function addClientSubnet(pkt,Z,subnet)
+	local udp_payload_size = 4096
+	local code = 20730 -- temporary option-code http://comments.gmane.org/gmane.ietf.dnsext/19776
+	local scope_mask = 0 -- In requests, it MUST be set to 0 see draft
+	local data = bin.pack(">SCCA",subnet.family or 1,subnet.mask,scope_mask,ipOps.ip_to_str(subnet.address))
+	local opt = bin.pack(">SS",code, #data) .. data
+	addOPT(pkt,Z,opt)  
+end
+
+---
+-- Adds an NSID paylod to the OPT packet
+-- @param pkt Table representing DNS packet.
+-- @param Z Table of Z flags. Only DO is supported.
 function addNSID (pkt,Z)
 	local udp_payload_size = 4096
 	local opt = bin.pack(">SS",3, 0) -- nsid data
 	addOPT(pkt,Z,opt)  
 end
+
 ---
 -- Adds an OPT RR to a DNS packet's additional section. Only the table of Z
 -- flags is supported (i.e., not RDATA). See RFC 2671 section 4.3.

scripts/dns-client-subnet-scan.nse

@@ -0,0 +1,353 @@
+description = [[
+Performs a domain lookup using the edns-client-subnet [1] option that adds
+support for adding subnet information to the query in regards to where the
+query is originating from. The script uses this option to supply a number of
+geographically distributed locations in an attempt to enumerate as many
+different address records as possible. The script also supports requests using
+a given subnet.
+
+[1]http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-00
+]]
+
+---
+-- @usage
+--   nmap -sU -p 53 --script dns-client-subnet-scan  --script-args \
+--     dns-client-subnet-scan.domain=www.example.com, \
+--     dns-client-subnet-scan.address=192.168.0.1 \
+--     [,dns-client-subnet.nameserver=8.8.8.8] \
+--     [,dns-client-subnet.mask=24] <target>
+--   nmap --script dns-client-subnet-scan --script-args \
+--     dns-client-subnet-scan.domain=www.example.com, \
+--     dns-client-subnet-scan.address=192.168.0.1 \
+--     dns-client-subnet.nameserver=8.8.8.8, \
+--     [,dns-client-subnet.mask=24]
+--
+-- @output
+-- 53/udp open  domain  udp-response
+-- | dns-client-subnet-scan: 
+-- | www.google.com
+-- |   1.2.3.4
+-- |   5.6.7.8
+-- |   9.10.11.12
+-- |   13.14.15.16
+-- |   .
+-- |   .
+-- |_  .
+---
+-- @args dns-client-subnet.domain The domain to lookup eg. www.example.org
+-- @args dns-client-subnet.address The client subnet address to use
+-- @args dns-client-subnet.mask [optional] The number of bits to use as subnet mask (default: 24)
+-- @args dns-client-subnet.nameserver [optional] nameserver to use.  (default = host.ip)
+--
+
+author = "John Bond"
+license = "Simplified (2-clause) BSD license--See http://nmap.org/svn/docs/licenses/BSD-simplified"
+categories = {"discovery", "safe"}
+
+require "stdnse"
+require "shortport"
+require "dns"
+
+local argNS = stdnse.get_script_args(SCRIPT_NAME .. '.nameserver')
+local argDomain = stdnse.get_script_args(SCRIPT_NAME .. '.domain')
+local argMask = stdnse.get_script_args(SCRIPT_NAME .. '.mask') or 24
+local argAddr = stdnse.get_script_args(SCRIPT_NAME .. '.address')
+
+prerule = function()
+	if ( not(argDomain) or nmap.address_family() ~= "inet" ) then
+		return false
+	end
+	return true
+end
+
+portrule = function()
+	if ( nmap.address_family() ~= "inet" ) then
+		return false
+	else
+		return shortport.port_or_service(53, "domain", {"tcp", "udp"})
+	end
+end
+
+local areaIPs = {
+	A4 = {ip=47763456, desc="GB,A4,Bath"},
+	A5 = {ip=1043402336, desc="GB,A5,Biggleswade"},
+	A6 = {ip=1364222182, desc="FR,A6,Ch<43>vremont"},
+	A7 = {ip=35357952, desc="GB,A7,Birmingham"},
+	A8 = {ip=1050694009, desc="FR,A8,Romainville"},
+	A9 = {ip=534257152, desc="FR,A9,Montpellier"},
+	AB = {ip=2156920832, desc="CA,AB,Edmonton"},
+	AK = {ip=202125312, desc="US,AK,Anchorage"},
+	B1 = {ip=1041724648, desc="FR,B1,Robert"},
+	B2 = {ip=35138048, desc="GB,B2,Bournemouth"},
+	B3 = {ip=33949696, desc="FR,B3,Toulouse"},
+	B4 = {ip=1050704998, desc="FR,B4,Lomme"},
+	B5 = {ip=35213312, desc="GB,B5,Wembley"},
+	B6 = {ip=773106752, desc="FR,B6,Amiens"},
+	B7 = {ip=35148800, desc="GB,B7,Bristol"},
+	B8 = {ip=786088496, desc="FR,B8,Valbonne"},
+	B9 = {ip=33753088, desc="FR,B9,Lyon"},
+	BC = {ip=201674096, desc="CA,BC,Victoria"},
+	C1 = {ip=522223616, desc="FR,C1,Strasbourg"},
+	C2 = {ip=41598976, desc="GB,C2,Halifax"},
+	C3 = {ip=534676272, desc="GB,C3,Cambridge"},
+	C5 = {ip=1043410032, desc="GB,C5,Runcorn"},
+	C6 = {ip=773987544, desc="GB,C6,Saltash"},
+	C7 = {ip=35165184, desc="GB,C7,Coventry"},
+	C8 = {ip=35248128, desc="GB,C8,Croydon"},
+	C9 = {ip=1892301824, desc="PH,C9,Iloilo"},
+	D1 = {ip=35414016, desc="GB,D1,Darlington"},
+	D2 = {ip=35164672, desc="GB,D2,Derby"},
+	D3 = {ip=35301376, desc="GB,D3,Chesterfield"},
+	D4 = {ip=1043450424, desc="GB,D4,Barnstaple"},
+	D5 = {ip=2036385792, desc="PH,D5,Legaspi"},
+	D7 = {ip=41451520, desc="GB,D7,Dudley"},
+	D8 = {ip=35279104, desc="GB,D8,Durham"},
+	D9 = {ip=460228608, desc="PH,D9,Manila"},
+	DC = {ip=68514448, desc="US,DC,Washington"},
+	E1 = {ip=1040645056, desc="GB,E1,Beverley"},
+	E2 = {ip=35206912, desc="GB,E2,Brighton"},
+	E3 = {ip=47822848, desc="GB,E3,Enfield"},
+	E4 = {ip=39874560, desc="GB,E4,Colchester"},
+	E5 = {ip=35270656, desc="GB,E5,Gateshead"},
+	E6 = {ip=1368606720, desc="GB,E6,Coleford"},
+	E7 = {ip=1051376056, desc="GB,E7,Woolwich"},
+	E8 = {ip=1044737528, desc="GB,E8,Hackney"},
+	F1 = {ip=1043451648, desc="GB,F1,Hammersmith"},
+	F2 = {ip=35176448, desc="GB,F2,Basingstoke"},
+	F4 = {ip=47998976, desc="GB,F4,Harrow"},
+	F5 = {ip=1040622704, desc="GB,F5,Hart"},
+	F6 = {ip=35230720, desc="GB,F6,Romford"},
+	F8 = {ip=35214848, desc="GB,F8,Watford"},
+	F9 = {ip=41693184, desc="GB,F9,Uxbridge"},
+	G1 = {ip=41437184, desc="GB,G1,Hounslow"},
+	G2 = {ip=35188224, desc="GB,G2,Ryde"},
+	G3 = {ip=41861120, desc="GB,G3,Islington"},
+	G4 = {ip=1040704992, desc="GB,G4,Kensington"},
+	G5 = {ip=41506816, desc="GB,G5,Ashford"},
+	G6 = {ip=786894336, desc="GB,G6,Hull"},
+	G8 = {ip=40112128, desc="GB,G8,Huddersfield"},
+	G9 = {ip=1380217968, desc="GB,G9,Knowsley"},
+	H1 = {ip=1044731464, desc="GB,H1,Lambeth"},
+	H2 = {ip=3512017264, desc="GB,H2,Earby"},
+	H3 = {ip=35221504, desc="GB,H3,Leeds"},
+	H4 = {ip=35158016, desc="GB,H4,Leicester"},
+	H5 = {ip=1043402716, desc="GB,H5,Loughborough"},
+	H6 = {ip=41732608, desc="GB,H6,Catford"},
+	H7 = {ip=41863168, desc="GB,H7,Lincoln"},
+	H8 = {ip=35294976, desc="GB,H8,Liverpool"},
+	H9 = {ip=35196928, desc="GB,H9,London"},
+	I1 = {ip=35253760, desc="GB,I1,Luton"},
+	I2 = {ip=35263488, desc="GB,I2,Manchester"},
+	I3 = {ip=47714304, desc="GB,I3,Rochester"},
+	I4 = {ip=1298651136, desc="GB,I4,Morden"},
+	I5 = {ip=1382961968, desc="GB,I5,Middlesborough"},
+	I8 = {ip=1371219061, desc="GB,I8,Stepney"},
+	I9 = {ip=35282944, desc="GB,I9,Norwich"},
+	IA = {ip=201438272, desc="US,IA,Urbandale"},
+	J1 = {ip=523578880, desc="GB,J1,Daventry"},
+	J2 = {ip=788492344, desc="GB,J2,Grimsby"},
+	J3 = {ip=3282790208, desc="GB,J3,Flixborough"},
+	J5 = {ip=41759232, desc="GB,J5,Wallsend"},
+	J6 = {ip=1043412268, desc="GB,J6,Alnwick"},
+	J7 = {ip=41783296, desc="GB,J7,Harrogate"},
+	J8 = {ip=35160064, desc="GB,J8,Nottingham"},
+	J9 = {ip=47742976, desc="GB,J9,Newark"},
+	JA = {ip=1476096512, desc="RU,JA,Kurilsk"},
+	K1 = {ip=48015360, desc="GB,K1,Oldham"},
+	K2 = {ip=1043402360, desc="GB,K2,Kidlington"},
+	K3 = {ip=39956480, desc="GB,K3,Peterborough"},
+	K4 = {ip=41735168, desc="GB,K4,Plymouth"},
+	K5 = {ip=775747568, desc="GB,K5,Poole"},
+	K6 = {ip=774162844, desc="GB,K6,Portsmouth"},
+	K7 = {ip=41746432, desc="GB,K7,Reading"},
+	K8 = {ip=35229696, desc="GB,K8,Ilford"},
+	L1 = {ip=47773696, desc="GB,L1,Twickenham"},
+	L2 = {ip=48103424, desc="GB,L2,Rochdale"},
+	L3 = {ip=35304192, desc="GB,L3,Rotherham"},
+	L4 = {ip=1043416984, desc="GB,L4,Oakham"},
+	L5 = {ip=772988024, desc="GB,L5,Salford"},
+	L6 = {ip=35336192, desc="GB,L6,Shrewsbury"},
+	L7 = {ip=1043419464, desc="GB,L7,Oldbury"},
+	L8 = {ip=39936000, desc="GB,L8,Lytham"},
+	L9 = {ip=35304448, desc="GB,L9,Sheffield"},
+	M1 = {ip=35384320, desc="GB,M1,Slough"},
+	M2 = {ip=41470976, desc="GB,M2,Solihull"},
+	M4 = {ip=35139584, desc="GB,M4,Southampton"},
+	M5 = {ip=1043402176, desc="GB,M5,Southend-on-sea"},
+	M6 = {ip=773986248, desc="GB,M6,Hill"},
+	M8 = {ip=1443330688, desc="GB,M8,Camberwell"},
+	M9 = {ip=35322880, desc="GB,M9,Stafford"},
+	MB = {ip=1076550400, desc="CA,MB,Winnipeg"},
+	MI = {ip=201393888, desc="US,MI,Saginaw"},
+	N1 = {ip=1318741928, desc="GB,N1,Haydock"},
+	N2 = {ip=35266560, desc="GB,N2,Stockport"},
+	N3 = {ip=41832448, desc="GB,N3,Stockton-on-tees"},
+	N4 = {ip=3231559680, desc="GB,N4,Longport"},
+	N5 = {ip=1043424608, desc="GB,N5,Beccles"},
+	N6 = {ip=35276800, desc="GB,N6,Sunderland"},
+	N7 = {ip=41551872, desc="GB,N7,Tadworth"},
+	N8 = {ip=41697280, desc="GB,N8,Sutton"},
+	N9 = {ip=35252736, desc="GB,N9,Swindon"},
+	NB = {ip=2211053568, desc="CA,NB,Fredericton"},
+	ND = {ip=201473536, desc="US,ND,Bismarck"},
+	NH = {ip=201772808, desc="US,NH,Laconia"},
+	NJ = {ip=201352704, desc="US,NJ,Piscataway"},
+	NS = {ip=3226164992, desc="CA,NS,Halifax"},
+	NT = {ip=3332472320, desc="CA,NT,Yellowknife"},
+	NV = {ip=202261184, desc="US,NV,Henderson"},
+	O2 = {ip=40251392, desc="GB,O2,Telford"},
+	O3 = {ip=35230208, desc="GB,O3,Grays"},
+	O4 = {ip=35318784, desc="GB,O4,Torquay"},
+	O5 = {ip=1368498352, desc="GB,O5,Poplar"},
+	O6 = {ip=1546138112, desc="GB,O6,Stretford"},
+	O7 = {ip=35219456, desc="GB,O7,Wakefield"},
+	O8 = {ip=35321856, desc="GB,O8,Walsall"},
+	O9 = {ip=1359108248, desc="GB,O9,Walthamstow"},
+	ON = {ip=201620304, desc="CA,ON,Ottawa"},
+	P1 = {ip=1043431736, desc="GB,P1,Wandsworth"},
+	P2 = {ip=35260416, desc="GB,P2,Warrington"},
+	P3 = {ip=41766912, desc="GB,P3,Nuneaton"},
+	P4 = {ip=41893888, desc="GB,P4,Newbury"},
+	P5 = {ip=772987648, desc="GB,P5,Westminster"},
+	P7 = {ip=41466624, desc="GB,P7,Wigan"},
+	P8 = {ip=48087808, desc="GB,P8,Salisbury"},
+	P9 = {ip=41793536, desc="GB,P9,Maidenhead"},
+	Q1 = {ip=41457664, desc="GB,Q1,Wallasey"},
+	Q2 = {ip=1040739840, desc="GB,Q2,Wokingham"},
+	Q3 = {ip=35323392, desc="GB,Q3,Wolverhampton"},
+	Q4 = {ip=539624744, desc="GB,Q4,Redditch"},
+	Q5 = {ip=1043415688, desc="GB,Q5,Wetherby"},
+	Q6 = {ip=1043439984, desc="GB,Q6,Antrim"},
+	Q7 = {ip=41811456, desc="GB,Q7,Newtownards"},
+	Q8 = {ip=1347208672, desc="GB,Q8,Armagh"},
+	Q9 = {ip=1044726432, desc="GB,Q9,Connor"},
+	QC = {ip=2210594816, desc="CA,QC,Varennes"},
+	R1 = {ip=1482707288, desc="GB,R1,Ballymoney"},
+	R3 = {ip=47828992, desc="GB,R3,Belfast"},
+	R4 = {ip=1051352576, desc="GB,R4,Eden"},
+	R5 = {ip=1056827328, desc="GB,R5,Castlereagh"},
+	R6 = {ip=47895040, desc="GB,R6,Coleraine"},
+	R7 = {ip=3270400320, desc="GB,R7,Dunmore"},
+	R8 = {ip=1367996672, desc="GB,R8,Portadown"},
+	R9 = {ip=773985608, desc="GB,R9,Square"},
+	RI = {ip=67285760, desc="US,RI,Providence"},
+	S1 = {ip=1040409048, desc="GB,S1,Drummond"},
+	S2 = {ip=1353842208, desc="GB,S2,Enniskillen"},
+	S3 = {ip=1368133632, desc="GB,S3,Larne"},
+	S4 = {ip=1446384520, desc="GB,S4,Ardmore"},
+	S5 = {ip=1043419184, desc="GB,S5,Lisburn"},
+	S6 = {ip=1056826304, desc="GB,S6,Londonderry"},
+	S7 = {ip=1359111383, desc="GB,S7,Curran"},
+	S8 = {ip=1369435392, desc="GB,S8,Waterfoot"},
+	S9 = {ip=1043434592, desc="GB,S9,Newry"},
+	T1 = {ip=3242033152, desc="GB,T1,Jordanstown"},
+	T2 = {ip=1043402000, desc="GB,T2,Bangor"},
+	T3 = {ip=1043429728, desc="GB,T3,Omagh"},
+	T4 = {ip=1043429520, desc="GB,T4,Strabane"},
+	T5 = {ip=39849984, desc="GB,T5,Aberdeen"},
+	T6 = {ip=1043407024, desc="GB,T6,Inverurie"},
+	T7 = {ip=47917056, desc="GB,T7,Forfar"},
+	T8 = {ip=1051457600, desc="GB,T8,Sandbank"},
+	T9 = {ip=1043429424, desc="GB,T9,Melrose"},
+	TX = {ip=201673024, desc="US,TX,Mckinney"},
+	U1 = {ip=1043400976, desc="GB,U1,Alloa"},
+	U2 = {ip=1353815544, desc="GB,U2,Langholm"},
+	U3 = {ip=1042190336, desc="GB,U3,Dundee"},
+	U4 = {ip=1043428036, desc="GB,U4,Newmilns"},
+	U5 = {ip=1051334704, desc="GB,U5,Bishopbriggs"},
+	U6 = {ip=1040628912, desc="GB,U6,Musselburgh"},
+	U7 = {ip=1056881248, desc="GB,U7,Barrhead"},
+	U8 = {ip=35188736, desc="GB,U8,Edinburgh"},
+	U9 = {ip=1318744616, desc="GB,U9,Blackstone"},
+	V1 = {ip=47947776, desc="GB,V1,Kirkcaldy"},
+	V2 = {ip=35190784, desc="GB,V2,Glasgow"},
+	V4 = {ip=1043417560, desc="GB,V4,Greenock"},
+	V5 = {ip=3570359128, desc="GB,V5,Borthwick"},
+	V6 = {ip=1398983520, desc="GB,V6,Findhorn"},
+	V7 = {ip=1043452928, desc="GB,V7,Saltcoats"},
+	V8 = {ip=523564544, desc="GB,V8,Bothwell"},
+	V9 = {ip=1353706504, desc="GB,V9,Redland"},
+	VT = {ip=201355264, desc="US,VT,Brattleboro"},
+	W1 = {ip=1042195200, desc="GB,W1,Perth"},
+	W2 = {ip=1043412560, desc="GB,W2,Paisley"},
+	W4 = {ip=1056825616, desc="GB,W4,Dundonald"},
+	W5 = {ip=1040411544, desc="GB,W5,Douglas"},
+	W6 = {ip=41547776, desc="GB,W6,Stirling"},
+	W7 = {ip=1443523584, desc="GB,W7,Bearsden"},
+	W8 = {ip=534572928, desc="GB,W8,Cross"},
+	W9 = {ip=1042221056, desc="GB,W9,Livingston"},
+	WA = {ip=201806720, desc="US,WA,Issaquah"},
+	WY = {ip=135495936, desc="US,WY,Casper"},
+	X1 = {ip=1043425760, desc="GB,X1,Valley"},
+	X2 = {ip=773988152, desc="GB,X2,Victoria"},
+	X3 = {ip=35149824, desc="GB,X3,Bridgend"},
+	X4 = {ip=1043402272, desc="GB,X4,Blackwood"},
+	X5 = {ip=39946240, desc="GB,X5,Cardiff"},
+	X6 = {ip=1043435700, desc="GB,X6,Aberystwyth"},
+	X7 = {ip=1043408760, desc="GB,X7,Llanelli"},
+	X8 = {ip=1368926208, desc="GB,X8,Abergele"},
+	X9 = {ip=1043411032, desc="GB,X9,Rhyl"},
+	Y1 = {ip=1043407256, desc="GB,Y1,Holywell"},
+	Y2 = {ip=1043401576, desc="GB,Y2,Caernarfon"},
+	Y4 = {ip=1043428692, desc="GB,Y4,Cwmbran"},
+	Y5 = {ip=3265794544, desc="GB,Y5,Cwmafan"},
+	Y6 = {ip=35153920, desc="GB,Y6,Newport"},
+	Y7 = {ip=1353763984, desc="GB,Y7,Haverfordwest"},
+	Y8 = {ip=1043430344, desc="GB,Y8,Welshpool"},
+	Z1 = {ip=40116224, desc="GB,Z1,Swansea"},
+	Z2 = {ip=40189952, desc="GB,Z2,Pontypool"},
+	Z3 = {ip=35147776, desc="GB,Z3,Barry"},
+	Z4 = {ip=40321024, desc="GB,Z4,Wrexham"}
+}
+
+local get_addresses = function(address, mask, domain, nameserver) 
+
+	-- translate the IP's in the areaIPs to strings, as this is what the
+	-- DNS library expects
+	if ( "number" == type(address) ) then
+		address = ipOps.fromdword(address)
+		local a, b, c, d = address:match("(%d+)%.(%d+)%.(%d+)%.(%d+)")
+		address = ("%d.%d.%d.%d"):format(d,c,b,a)
+	end
+
+	local subnet = { family = nmap.address_family(), address = address, mask = mask }
+	local status, resp = dns.query(domain, {host = nameserver, retAll=true, subnet=subnet})
+	if ( not(status) ) then
+		return
+	end
+	if ( "table" ~= type(resp) ) then resp = { resp } end
+	return resp
+end
+
+local function fail(err) return ("\n  ERROR: %s"):format(err or "") end
+
+action = function(host, port)	
+
+	if ( not(argDomain) ) then
+		return fail(SCRIPT_NAME .. ".domain was not specified")
+	end
+	
+	local nameserver = argNS or (host and host.ip)
+	-- as the nameserver argument overrides the host.ip, the prerule should
+	-- already have done our work, so abort
+	if ( argNS and host ) then
+		return
+	-- if we have no nameserver argument and no host, we dont have sufficient
+	-- information to continue, abort
+	elseif ( not(argNS) and not(host) ) then
+		return		
+	end
+	
+	local addrs = argAddr or areaIPs
+	if ( "string" == type(addrs) ) then	addrs = {{ ip = addrs }} end
+
+	local lookup, result = {}, { name = argDomain }
+	for _,ip in pairs(addrs) do
+		for _, addr in ipairs( get_addresses (ip.ip, argMask, argDomain, nameserver) ) do
+			lookup[addr] = true
+		end
+	end
+	for addr in pairs(lookup) do table.insert(result, addr) end
+	table.sort(result)
+	return stdnse.format_output(true, result)
+end

scripts/script.db

@@ -57,6 +57,7 @@ Entry { filename = "dhcp-discover.nse", categories = { "discovery", "safe", } }
 Entry { filename = "dns-blacklist.nse", categories = { "external", "safe", } }
 Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "dns-cache-snoop.nse", categories = { "discovery", "intrusive", } }
+Entry { filename = "dns-client-subnet-scan.nse", categories = { "discovery", "safe", } }
 Entry { filename = "dns-fuzz.nse", categories = { "fuzzer", "intrusive", } }
 Entry { filename = "dns-nsec-enum.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "dns-nsid.nse", categories = { "default", "discovery", } }