Finding v6 hosts by efficiently mapping ip6.arpa
The method is best explained using an example. This example uses the IPv6 Address Prefix Reserved for Documentation.
Let’s assume that within 2001:DB8::/32 there is 2001:DB8:80::/48, which has its reverse DNS hosted in a zone called 0.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Now, given the zone name (let’s call it X to be slightly easier on the eyes), we can query 0.X, 1.X, 2.X etc. up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist, but, very importantly, it can usually be construed to mean that no longer name (one with more labels beneath it) exists either. Suppose that in this case, two of the names (0.X and f.X) do not return NXDOMAIN – instead they return NOERROR. This means the nameserver has a reason not to deny the name’s existence, and in this case that reason is that a longer name exists.
We tested 16 prefixes of X and rejected 14 due to NXDOMAIN; by that, we have reduced our search space from a full /48 to 1/8th of a /52 – a 128-fold reduction with just 16 queries. This trend continues at every step: each surviving name is extended by another 16 candidate labels, and only those that do not return NXDOMAIN are followed further.
Note that whether this works depends on how a nameserver handles queries for these shortened names (the technical term is ‘empty non-terminals’). BIND and NSD return NOERROR and NXDOMAIN as described above; tinydns and PowerDNS in most setups will not, so the pruning step fails against them.
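To make the pruning and the server-behaviour caveat concrete, here is an added simulation (not code from the original post) that walks the example zone X against an in-memory model of an authoritative server. The two PTR owners, the "host-a"/"host-b" targets and the two behaviour models (empty non-terminals answered with NOERROR versus NXDOMAIN) are constructed assumptions; a zone operator can use the same walk against a real zone to check which model their own server follows.

```python
import ipaddress

HEX = "0123456789abcdef"
X = "0.8.0.0.8.b.d.0.1.0.0.2.ip6.arpa"  # reverse zone for 2001:db8:80::/48, as in the post

# Constructed zone contents (assumption): two PTR owners under X.
ZONE = {
    ipaddress.ip_address("2001:db8:80::1").reverse_pointer: "host-a.example.",
    ipaddress.ip_address("2001:db8:80:f000::2").reverse_pointer: "host-b.example.",
}

def rcode_for(name, zone, empty_nonterminals=True):
    """Model of the authoritative server's rcode for `name`.
    empty_nonterminals=True mimics BIND/NSD: NOERROR for a name that owns no
    records but has longer names beneath it. False models a server that
    answers NXDOMAIN for such names, which defeats the pruning."""
    if name in zone:
        return "NOERROR"
    if empty_nonterminals and any(owner.endswith("." + name) for owner in zone):
        return "NOERROR"
    return "NXDOMAIN"

def walk(zone_name, respond):
    """Depth-first walk: prepend each hex nibble, drop subtrees that answer
    NXDOMAIN, recurse into the rest until all 32 nibbles are present.
    Returns (owner names found, number of queries issued)."""
    labels_present = len(zone_name.split(".")) - 2   # ignore 'ip6' and 'arpa'
    found, queries = [], 0

    def recurse(name, remaining):
        nonlocal queries
        for nibble in HEX:
            candidate = f"{nibble}.{name}"
            queries += 1
            if respond(candidate) == "NXDOMAIN":
                continue                      # nothing longer exists here
            if remaining == 1:
                found.append(candidate)       # full 128-bit reverse name
            else:
                recurse(candidate, remaining - 1)

    recurse(zone_name, 32 - labels_present)
    return found, queries

def enumerate_zone(zone_name, zone, empty_nonterminals=True):
    return walk(zone_name, lambda n: rcode_for(n, zone, empty_nonterminals))

if __name__ == "__main__":
    for ent in (True, False):
        names, n = enumerate_zone(X, ZONE, ent)
        print(f"empty non-terminals answered NOERROR={ent}: {len(names)} names in {n} queries")
```

With the BIND/NSD model both owners are found in 624 queries (16 at the first level, then 32 per level for the two surviving subtrees) instead of 16^20 candidates; with the NXDOMAIN-for-everything model the first 16 queries prune the whole tree and nothing is found.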
As said above, I could not find any previous work applying this feature of DNS to the mapping of reverse zones. If you do know of anything, let me know and I will update this post.