sfp_dnsresolve.py issue with multiple PTR records

[quantumburnz]

I'm performing a scan on an IP block where some IPs have multiple PTR records. A simple nslookup of the IP space returned more hostnames than SpiderFoot with sfp_dnsresolve and other modules.

sfp_dnsresolve performs the following:

spiderfoot/modules/sfp_dnsresolve.py

Lines 297 to 299 in 64942c4

	# Reverse resolve IP addresses
	elif eventName in ["IP_ADDRESS", "IPV6_ADDRESS", "AFFILIATE_IPADDR", "AFFILIATE_IPV6_ADDRESS"]:
	addrs = self.sf.resolveIP(eventData)

The resolveIP function uses socket.gethostbyaddr(ipaddr) as shown below:

spiderfoot/sflib.py

Lines 1074 to 1075 in f90f932

	try:
	addrs = self.normalizeDNS(socket.gethostbyaddr(ipaddr))

According to the Python docs:

Return a triple (hostname, aliaslist, ipaddrlist) where hostname is the primary host name responding to the given ip_address, aliaslist is a (possibly empty) list of alternative host names for the same address...

The primary host name seems to change if you run this function in succession multiple times. No results are ever returned for the aliaslist in the few cases I tested though.

A solution to this would be to use the dnspython library used elsewhere in SF. Here's some example code:

addr = dns.resversename.from_address("IP_ADDRESS")
results = dns.resolver.resolve(addr, "PTR")

The results variable will be populated with all PTR records.

What version of Python are you using? Python 3.8.10

What version of SpiderFoot are you using (stable release or Git master branch)? SpiderFoot stable v3.5.0

You may also wish to check if your issue has been posted previously: I did not see any similarly reported issues.