0

I have a Windows Server based network, running a Windows DHCP and DNS server. How can I list all the computers in the local network known to the server? That would mean querying either the DHCP or the DNS for all names and IP addresses.

I know I can see this information if I log on to the server in the DHCP MMC. But is there a way to do it from a different computer (not in the AD-domain), and without the administrative MMC snap-ins installed? Maybe a PowerShell command or tool that I missed?

In a small subnet I can just use a portscanner, but that seems like a wrong solution when the information I want is sitting there on my server.

I discovered nslookup ls mydomain.local, but this fails with "query refused". Is there maybe a way to pass credentials to it?

jdm
  • `not in the AD-domain`. You need to specify if you have credentials for the AD domain. – Greg Askew Aug 24 '21 at 11:49
  • Clarify what you mean by "known to the server". Do you mean hosts that are registered in DNS? Do you mean hosts that have been assigned an ip address by DHCP? Those aren't necessarily the same. – joeqwerty Aug 24 '21 at 12:20
  • @joeqwerty Either/or would be ok, that's why I phrased the question like that. For example, I connected a new headless device which got a DHCP address, and from the DHCP lease time or the hostname I want to find the IP address. – jdm Aug 25 '21 at 11:33

2 Answers

1

Have you tried querying for ANY record using nslookup as in How can I list ALL DNS records?

This only works, however, if DNS zone file transfers aren't blocked (which is the default).

nslookup
Default Server:  dc.mydomain.local
Address:  10.1.8.4

> set q=any
> ls -d mydomain.local
[dc.domain.local]
*** Can't list domain mydomain.local: Query refused
The DNS server refused to transfer the zone mydomain.local to your computer. If this
is incorrect, check the zone transfer security settings for mydomain.local on the DNS
server at IP address 10.1.8.4.

And the main point here is, you shouldn't be able to dump this kind of information as an anonymous user to begin with anyhow...

Dennis
0

nslookup just uses the DNS protocol. There's no way to pass credentials along.

You could install administration tools like dnscmd and use proper credentials with those but you've ruled that out.

Alternatively, you could loop through all local addresses and query each separately, e.g. for a network 192.0.2.0/24:

for /l %i in (0,1,255) do @nslookup 192.0.2.%i 2>&1 | findstr "192.0.2 Name"

Of course, that only displays hosts registered in DNS, with support for reverse DNS. You should note that queries like this may trigger IDS rules, alerting the network admins.

Zac67
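A PowerShell version of the reverse-lookup sweep from the answer above, added here as an example and not part of the original answer. It assumes the DNS server address 10.1.8.4 shown in the question's nslookup session and the 192.0.2.0/24 prefix used in the answer; it needs no RSAT tools or domain membership, only the built-in Resolve-DnsName cmdlet.

```powershell
# Added example (not from the original answer): reverse-lookup sweep of a /24
# using Resolve-DnsName instead of scraping nslookup text with findstr.
# Assumptions: DNS server 10.1.8.4 (from the question) and prefix 192.0.2 (from the answer).
param(
    [string]$Prefix    = '192.0.2',   # first three octets of the /24 to sweep
    [string]$DnsServer = '10.1.8.4',  # DNS server to query directly
    [int]$DelayMs      = 50           # pause between queries; keeps the sweep from looking like a scan
)

0..255 | ForEach-Object {
    $ip = "$Prefix.$_"
    try {
        # Passing an IP address makes Resolve-DnsName build the in-addr.arpa name itself.
        # -Type PTR asks only for the reverse record; -DnsOnly disables LLMNR/NetBIOS fallback,
        # so every query goes to the named server and nothing is broadcast on the local segment.
        $rec = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ IPAddress = $ip; HostName = $rec.NameHost }
    }
    catch {
        # NXDOMAIN or timeout: no PTR record for this address, so it is not listed.
    }
    Start-Sleep -Milliseconds $DelayMs
}
```

Like the cmd loop, this only finds addresses that have a PTR record in the reverse zone, so hosts without dynamic DNS registration stay invisible; the output objects can be piped to Export-Csv or compared against a later run to spot new devices.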