A hostname with an IPv6 address is stored as a AAAA resource record in DNS (see AAAA record). There are many DNS hostname bruteforcing tools, personally I like Fierce. Suppose we have already run our hostname bruteforcing tool against a target domain (e.g. facebook.com). Below we use dig to do a AAAA record lookup for each hostname. Note, the DNS server we use matters. In this example we use 126.96.36.199, to confirm different results try using a.ns.facebook.com instead. Host can also be used instead of dig:
An offline/quieter way is to use the DNS Record (ANY) set from the Internet-Wide Scan Data Repository done by Rapid7. Using facebook.com as an example again:
This didn’t turn up very many results but we can combine the two:
You get the idea =). Not a new concept or technique, just wanted to put some notes in one place.