Clear Sky Science
Evidence-based, jargon-light explanations

Clear Sky Science · en

Efficient IPv6 address scanning based on hostname correlation in IPv6-only network

· Back to index

Why finding hidden internet addresses matters

Behind every phone, laptop, server, or smart sensor on a modern network sits at least one numerical address that lets data find its way. With the new internet standard IPv6, each device can have many such addresses, and the overall space of possible numbers is astronomically large. This makes it hard for network administrators and security teams to answer a seemingly simple question: Which machines are actually alive on my local network right now? This paper introduces HFinder6, a new way to quickly uncover those active IPv6 devices—even on networks that have completely abandoned older IPv4 technology.

The challenge of seeing devices in an ocean of numbers

Traditional tools for mapping computers on a network grew up in the IPv4 era, where the address space was small and simple tricks like broadcasting a question to everyone usually worked. IPv6 changes that picture: the address range is so vast that brute-force probing is impossible, and many discovery methods based on broadcast messages simply no longer exist. Early IPv6-only techniques tried to coax responses using low-level messages, but modern operating systems increasingly treat such traffic as suspicious and silently drop it. Newer tools improved coverage by combining IPv4 and IPv6 information, for example by learning hostnames over IPv4 and then asking for the same machines in IPv6. Those methods work reasonably well today, but they depend on IPv4 being present—and that assumption is rapidly breaking down as operators deploy pure IPv6 networks.

Figure 1
Figure 1.

A new idea: follow the names, not the numbers

HFinder6 takes a different route by focusing on hostnames—the human-readable labels built into operating systems and widely reused by core network protocols. The authors observe three key facts. First, within a local network, hostnames are normally unique, because systems and management tools try hard to avoid duplicates. Second, these names appear automatically in many standard exchanges, from address configuration to local name lookups, without any user action. Third, standard formats allow a scanner to peel the short hostname out of a longer domain-style name. Together, this means that if you can reliably collect hostnames on a link, you can then ask the network, using ordinary name-resolution mechanisms, which IPv6 addresses belong to which names. This turns the discovery problem from searching a huge numerical space into following a much smaller list of identifiers.

How HFinder6 gently provokes devices to reveal themselves

To harvest hostnames without relying on IPv4, HFinder6 exploits a little-used interaction between two IPv6 building blocks. It sends a carefully crafted router announcement to all devices on the local link, with a flag that, according to standards, tells clients to use the stateful configuration method known as DHCPv6. Even if no real DHCPv6 server exists, compliant systems still transmit an initial request message that typically includes their full name. HFinder6 listens briefly for these requests, deduplicates them using a built-in client identifier, and extracts each hostname. A second, always-on component keeps watching for similar messages over time, so that newly joined machines and devices that renew their addresses are folded into the same hostname list without the scanner having to probe again.

Turning names into complete IPv6 address sets

Once HFinder6 has a list of hostnames, it uses two standard local discovery protocols, multicast DNS and Link-Local Multicast Name Resolution, to ask which IPv6 addresses correspond to each name. These queries, which stay entirely within the IPv6 world, are issued in parallel to keep delays low and to cover both Windows and Linux families. Devices respond with their various IPv6 addresses on the link, including link-local identifiers used for basic communication, longer-lived global addresses, and temporary privacy-friendly addresses. By parsing these replies and classifying each address type, HFinder6 builds a rich picture of how every visible host is configured, going far beyond tools that can only see a single address per machine.

Figure 2
Figure 2.

Putting the method to the test

The researchers built a testbed with 20 different operating system versions across Windows desktops, Windows servers, Ubuntu, and CentOS, and compared HFinder6 to four IPv6-only scripts from the popular Nmap toolkit and three advanced dual-stack scanners. In this mixed environment, HFinder6 discovered 43 of 47 possible IPv6 addresses spread across 18 operating system versions—matching the best existing tool in completeness while operating entirely without IPv4. It also outperformed all seven comparison tools in speed, averaging just over ten seconds per scan and finding about 4.2 live addresses per second. Compared with older IPv6-only methods, it increased the number of discovered addresses by up to a factor of more than five, and it maintained the same coverage in a strictly IPv6-only setup where dual-stack-based techniques simply stopped working.

What this means for real networks

For everyday network operators, HFinder6 offers a way to see what is really on an IPv6-only local network, without guessing across vast address ranges or depending on legacy IPv4 hints. By using standard behavior already built into modern systems and by limiting itself to a small burst of carefully formed messages plus passive listening, it minimizes disruption while revealing a near-complete map of active devices and their addresses. The work shows that, even as the internet shifts fully to IPv6, it is still possible to keep track of which machines are present and reachable—a prerequisite for sound management, security monitoring, and troubleshooting in the next generation of networks.

Citation: Sun, C., Zhang, L., Wang, R. et al. Efficient IPv6 address scanning based on hostname correlation in IPv6-only network. Sci Rep 16, 8799 (2026). https://doi.org/10.1038/s41598-026-39577-2

Keywords: IPv6 scanning, network discovery, hostname correlation, IPv6-only networks, network security