Don't Ping Before Scanning (-P0)The –P0 option completely removes the nmap ping requirement from the pre-scanning process. Nmap will still attempt a reverse DNS on the remote station unless the disable reverse DNS (-n) option is used.
The –PN and –PD options are undocumented aliases for the better known –P0 option.
Advantages of the Don't Ping Before Scanning Option Removing the ping process provides an additional level of stealth. The ping is often the first frame sent from the nmap station to the remote device, and removing this conversation minimizes the network traffic between the stations.
The ping process is unnecessary if the end station is known to be active on the network. When the end station's status is already known, using the –P0 option can remove unnecessary network traffic from the scanning process.
Disadvantages of the Don't Ping Before Scanning Option
If the existence of the remote device isn't known, using the –P0 option could result in a scan to an IP address that isn't active on the network. If multiple stations are part of the nmap scan, this would create delays while the scan process attempts to contact remote systems that don't actually exist!
When to use the Don't Ping Before Scanning Option
If the end device IP address is already known, then a ping isn't entirely necessary. However, nmap does gather some important timing information from the ping process, so disabling the ping process will put nmap at a disadvantage when the scan begins.
If the nmap ping process fails but the station is known to be on the network, this option can be used to circumvent the nmap ping requirement. This can occur if there is a firewall or packet filter between the nmap station and the remote device that is blocking the nmap pings.
Require Reverse DNS (-R)The require reverse DNS option (-R) is nmap's default operation just after the ping and just prior to the scanning process. If correlating a name with an IP address is important, using the –R option will ensure a DNS lookup regardless of the scanning type.
Advantages of the Require Reverse DNS Option
When scanning many devices, requiring a reverse DNS will ensure that the scan will attempt to correlate an IP address to a name. Even when the name of a server is known, its IP address may resolve to a completely different name. This resolution process is essential when the "real" name of the device needs to be referenced after a scan is complete.
Disadvantages of the Require Reverse DNS Option
The –R option maps a name to an IP address, but this capability isn't always guaranteed. Not all stations can be resolved through the name resolution process, and not all environments have integrated every workstation into a name resolution system.
The DNS resolution process is relatively slow when compared to most network-related processes. Some DNS clients can add one-half to two seconds of delay to a scan per IP address! When many different systems are scanned simultaneously, this can add a significant amount of delay to the total scan time.
When logging is enabled on the DNS server, every query made to the DNS server will be recorded. If the –R option is selected every scanned IP address will appear as a query in the DNS log.
When to use the Require Reverse DNS Option
The reverse DNS option is helpful when station names are an important part of an nmap log. Many organizations use dynamic IP addressing, so an IP address in use during an nmap scan might be used by a completely different station at a later date. By integrating the nmap scan into the name resolution system, a complete and correct name can be associated with an IP address.
If the reverse DNS option is used, there will be delays during the name resolution process. If there are many name resolutions that must occur, it's not unusual to have delays each time a name is resolved.
The name resolution process is often logged on the DNS server, and it's very apparent when examining a network trace file. This type of request includes the device names that are queried, and this makes it stand out when examining a trace file.
Disable Reverse DNS (-n)
The disable reverse DNS option (-n) is the opposite of the require reverse DNS option (-R). If the disable reverse DNS option is selected, nmap will not perform a reverse DNS lookup on the destination IP address. Disabling the DNS process eliminates the name resolution process, which is one of the more time-consuming aspects of a workstation scan.
Advantages of the Disable Reverse DNS Option
DNS lookups are relatively slow when compared with the scanning process. Name resolution can be very inefficient, so removing this requirement can provide some significant time savings.
A name resolution process doesn't guarantee that a name will actually be resolved. Individual workstations often aren't included on the DNS server, so the resulting name lookup will not return any name that can be correlated with an IP address. There's no reason to have a name resolution process if no name will be obtained!
If the name lookup doesn't occur, there's no corresponding entry in the DNS logs. If it's important to conserve resources on the DNS server, this scan option will avoid sending queries to the DNS server.
Disadvantages of the Disable Reverse DNS Option
The reverse DNS process can associate a system name with an IP address. In environments where the IP addresses are assigned dynamically, a station's IP address can change from one day to the next. If the reverse DNS option is disabled, the station name is not queried and the name will not appear in the nmap scan. In dynamic environments, querying the name during the scan may be the only opportunity to accurately correlate an IP address with a name!
When to use the Disable Reverse DNS Option
If the nmap scan needs to keep a low profile on the network, it may be prudent to disable any name queries. Many DNS servers log name resolutions, so running an nmap scan without disabling name resolution may cause the nmap station to appear in the DNS log as it attempts to resolve the name of every workstation it scans!
Scanning many different devices will result in a large number of queries to a DNS server. The scan described above queried the DNS server over 250 times in two minutes! If the name of a device isn't important, using the –n option will save CPU cycles on both the nmap client and the DNS server.
DNS queries are notoriously slow. Using the disable reverse DNS option can increase scan time significantly if multiple stations are scanned.