diff --git a/CHANGELOG b/CHANGELOG index 53b223c61..8e0cf10a7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ #Nmap Changelog ($Id$); -*-text-*- +o Add the --resolve-all option to resolve and scan all IP addresses of a host. + This essentially replaces the resolveall NSE script. [Daniel Miller] + o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30) [Daniel Miller] @@ -97,11 +100,6 @@ o [NSE] New script http-jsonp-detection Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. [Vinamra Bhatia] -o Nmap can now resolve and scan all IP addresses of a host. Instead of using - the resolveall NSE script, append "*all" to a target hostname: - nmap example.com*all another.example.com*all/24 - [Daniel Miller] - o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was linked. [Pavel Zhukov] diff --git a/NmapOps.cc b/NmapOps.cc index 3b964d327..5fa73fafd 100644 --- a/NmapOps.cc +++ b/NmapOps.cc @@ -364,6 +364,7 @@ void NmapOps::Initialize() { mass_dns = true; deprecated_xml_osclass = false; always_resolve = false; + resolve_all = false; dns_servers = NULL; implicitARPPing = true; numhosts_scanned = 0; diff --git a/NmapOps.h b/NmapOps.h index c06996017..34f93a7eb 100644 --- a/NmapOps.h +++ b/NmapOps.h @@ -371,6 +371,7 @@ class NmapOps { std::map loaded_data_files; bool mass_dns; bool always_resolve; + bool resolve_all; char *dns_servers; /* Do IPv4 ARP or IPv6 ND scan of directly connected Ethernet hosts, even if diff --git a/TargetGroup.cc b/TargetGroup.cc index b371ba48a..8440b9f27 100644 --- a/TargetGroup.cc +++ b/TargetGroup.cc 
@@ -381,7 +381,7 @@ static NetBlock *parse_expr_without_netmask(const char *hostexp, int af) { return NULL; } - NetBlockHostname *netblock_hostname = new NetBlockHostname(hostn, af, resolveall); + NetBlockHostname *netblock_hostname = new NetBlockHostname(hostn, af, resolveall || o.resolve_all); free(hostn); return netblock_hostname; } diff --git a/docs/refguide.xml b/docs/refguide.xml index 4a951ac33..c92743bac 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -169,9 +169,7 @@ simplest case is to specify a target IP address or hostname for scanning. via the Domain Name System (DNS) to determine the IP address to scan. If the name resolves to more than one IP address, only the first one will be scanned. To make Nmap scan all the resolved addresses instead of only the - first one, append *all - *all to the hostname like so: - example.com*all + first one, use the option. Sometimes you wish to scan a whole network of adjacent hosts. For @@ -961,6 +959,21 @@ Traceroute works by sending packets with a low TTL (time-to-live) in an attempt + + + (Scan each resolved address) + + + + If a hostname target resolves to more than one address, scan + all of them. The default behavior is to only scan the first + resolved address. Regardless, only addresses in the appropriate + address family will be scanned: IPv4 by default, IPv6 with + . + + + + (Use system DNS resolver) diff --git a/nmap.cc b/nmap.cc index c53e5190d..9a0b2b2c3 100644 --- a/nmap.cc +++ b/nmap.cc @@ -683,6 +683,7 @@ void parse_options(int argc, char **argv) { {"version-all", no_argument, 0, 0}, {"system_dns", no_argument, 0, 0}, {"system-dns", no_argument, 0, 0}, + {"resolve-all", no_argument, 0, 0}, {"log_errors", no_argument, 0, 0}, {"log-errors", no_argument, 0, 0}, {"deprecated_xml_osclass", no_argument, 0, 0}, 
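Review bot: The new argument `resolveall || o.resolve_all` keeps the per-target `*all` suffix working, yet this commit removes its description from docs/refguide.xml and the CHANGELOG, which leaves an undocumented syntax that widens the set of scanned addresses. Where `resolveall` is assigned is outside the hunk, so this is inferred from the variable still being read here. Either pass `o.resolve_all` alone and retire the suffix, or keep it and say so with a comment such as `/* "*all" suffix kept for compatibility; --resolve-all is the documented form */`. Since the option is global, every hostname expression that reaches this line now expands to all of its resolved addresses, which is worth stating in that comment for anyone auditing scan scope. parse_expr_without_netmask starts outside the hunk.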
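Review bot: The table entry `{"resolve-all", no_argument, 0, 0},` is added in the hyphen spelling only, while its neighbours in this hunk are listed in pairs (`system_dns`/`system-dns`, `log_errors`/`log-errors`). If the underscore spelling is still meant to be accepted for new options, add `{"resolve_all", no_argument, 0, 0},` next to it. If hyphen-only is the convention for new options, a short comment at the table saying so would spare the next reader the question. The table and parse_options continue outside the hunk.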
@@ -941,6 +942,8 @@ void parse_options(int argc, char **argv) { o.mass_dns = false; } else if (optcmp(long_options[option_index].name, "dns-servers") == 0) { o.dns_servers = strdup(optarg); + } else if (optcmp(long_options[option_index].name, "resolve-all") == 0) { + o.resolve_all = true; } else if (optcmp(long_options[option_index].name, "log-errors") == 0) { /*Nmap Log errors is deprecated and is now always enabled by default. This option is left in so as to not break anybody's scanning scripts. diff --git a/scripts/resolveall.nse b/scripts/resolveall.nse index 2da6640e5..372a3646d 100644 --- a/scripts/resolveall.nse +++ b/scripts/resolveall.nse @@ -120,7 +120,7 @@ preaction = function() else table.insert(output, "Use the 'newtargets' script-arg to add the results as targets") end - table.insert(output, "Scanning 'hostname*all' will scan all resolved addresses for 'hostname' without using this script.") + table.insert(output, "Use the --resolve-all option to scan all resolved addresses without using this script.") return xmloutput, stdnse.format_output(true, output) end @@ -152,7 +152,7 @@ hostaction = function(host) else table.insert(output, "Use the 'newtargets' script-arg to add the results as targets") end - table.insert(output, ("Scanning '%s*all' will scan all resolved addresses without using this script."):format(host.targetname)) + table.insert(output, ("Use the --resolve-all option to scan all resolved addresses without using this script."):format(host.targetname)) return xmloutput, stdnse.format_output(true, output) end
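Review bot: The `:format(host.targetname)` call on the new line in hostaction is now dead, because the replacement message no longer contains a `%s`. Lua's string.format ignores the surplus argument, so the output is correct, but the call suggests the hostname still appears in the message. Write the line the way the preaction hunk does: `table.insert(output, "Use the --resolve-all option to scan all resolved addresses without using this script.")`. hostaction starts outside the hunk.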