When I’m scanning with Nmap, I make an effort to get proper hostnames associated with the target IPs. To do this, I scan UDP 53 on the targets to identify DNS servers and then run something like the following for each identified DNS server:
nmap -sL -v4 --dns-servers DNSSERVER TARGETS
I have to review the results for each tested DNS server to see how many of the targets it can resolve, and also determine if the resolved targets differ.
The docs seem to imply that if you specify multiple servers in the --dns-servers flag, it will choose one at random (or round robin). This interpretation comes from the "is often faster" part.
The problem I have is that my scan targets may not all be supported by the same DNS server. In my case, I’d rather specify all identified DNS servers in --dns-servers and have it fail over until it finds one that returns a response. If only one of the specified servers is used, to get accurate results I would need to perform multiple scans, each with a single DNS server specified.
My question is, is it true that the --dns-server flag will use only one of the specified DNS servers, and not try them all?
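
The manual comparison described in the question (one list scan per DNS server, then checking how many targets each server resolves and where the answers differ) can be scripted. The following is an added example, not part of the original post, and it does not settle how Nmap itself selects among multiple servers. It assumes the normal output of each single-server `nmap -sL` run has been captured as text; the server addresses, hostnames and sample output are constructed.

```python
import re
from collections import defaultdict

# List-scan report lines look like "Nmap scan report for NAME (IP)" when a
# name was resolved, or "Nmap scan report for IP" when it was not.
REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \(([^)]+)\)|(\S+))$")

def parse_list_scan(output):
    """Return {ip: hostname or None} from `nmap -sL` normal output."""
    results = {}
    for line in output.splitlines():
        m = REPORT.match(line.strip())
        if m:
            name, ip, bare_ip = m.groups()
            results[ip or bare_ip] = name
    return results

def merge(per_server):
    """per_server maps DNS server -> captured output of one -sL run.
    Returns (names per IP, IPs with conflicting names, resolved count per server)."""
    answers = defaultdict(dict)   # ip -> {server: hostname}
    coverage = {}
    for server, output in per_server.items():
        parsed = parse_list_scan(output)
        coverage[server] = sum(1 for name in parsed.values() if name)
        for ip, name in parsed.items():
            if name:
                answers[ip][server] = name.lower().rstrip(".")
    names = {ip: sorted(set(a.values())) for ip, a in answers.items()}
    conflicts = {ip: a for ip, a in answers.items() if len(set(a.values())) > 1}
    return names, conflicts, coverage

# Constructed sample: two runs over the same three targets, one per DNS server.
SAMPLE = {
    "192.0.2.53": """Starting Nmap ( https://nmap.org )
        Nmap scan report for web01.corp.example (10.0.0.5)
        Nmap scan report for 10.0.0.6
        Nmap scan report for db01.corp.example (10.0.0.7)
        Nmap done: 3 IP addresses (0 hosts up) scanned in 0.05 seconds""",
    "192.0.2.54": """Nmap scan report for 10.0.0.5
        Nmap scan report for mail.lab.example (10.0.0.6)
        Nmap scan report for db-old.lab.example (10.0.0.7)""",
}

if __name__ == "__main__":
    names, conflicts, coverage = merge(SAMPLE)
    for server, count in coverage.items():
        print(f"{server}: resolved {count} targets")
    for ip, found in sorted(names.items()):
        flag = "  <-- servers disagree" if ip in conflicts else ""
        print(f"{ip}: {', '.join(found)}{flag}")
```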