This blog post is about service fingerprinting DNS servers on Internet. The most straight forward way to identify the version of a DNS server is to send it a “version.bind” request. Although the name implies it is targeting only BIND software, it is also implemented in other DNS server software (see RFC) !

What is the “version.bind” query ?

BIND as well as other DNS software vendors/implementations allow for a specific TXT resource record of class CHAOS (3) to be handled. This query, the “version.bind” query (see RFC), allows one to retrieve the version of the running DNS software. Such a query is to be answered, if supported by the DNS software, with a response describing its running version.

An easy way of trying this is to use the Domain Information Groper (`dig`):

dig @ version.bind txt chaos +norecurse +noedns

BTW the “version.bind” is the most known type of query to identify DNS servers’ information but not the only one:

  • HOSTNAME.BIND: unique identifier (depends on the implementation but usually resulting from the gethostname() call)
  • ID.SERVER: same as HOSTNAME.BIND

Let’s do it !

So after having scanned the whole IPv4 address space for DNS servers (and found 16.4M unique IPs), those servers have been sent the “version.bind” query. 42% responded to the requests (6.9M) among which following vendors were found:

  • BIND (~ 34%)
  • Dnsmasq (~ 6%)
  • Microsoft DNS Server (~ 2%)
  • tinyDNS (less than 0.1%)
  • other (~ 58%)

“others” were either:

  • empty version
  • obfuscated version
  • specific / rare software vendors

Among the 2M BIND servers, following versions were found:

  • 45% running version 9.3.x => Deprecated (meaning “Do not use this version“)
  • 23% running version 9.8.x => Current
  • 15% running version 9.7.x => EOL (End Of Life)
  • 5% running version 9.2.x => Deprecated
  • 4% running version 9.4.x => Deprecated
  • 3% running version 9.9.2 => Current

Looks impressive right … more than half of the DNS servers running BIND run a version that is flagged as “deprecated” ?!? I’ll let you draw your own conclusion out of this but one must admit this is quite scary !

Exploring the exotic BIND version edited by sysadmins shows funny surprises. Here’s a little excerpt of unedited version line returned by some DNS servers:

  • “We use trained monkeys to delivere DNS responses, not BIND”
  • “My name is Bind, James Bind!”
  • “The best version, of course! What did you expect?”
  • “you disappoint me. surely you can do better than this!”
  • “These are not the droids you are looking for. Move along”
  • “all your base are belong to us”
  • “I have as much privacy as a goldfish in a bowl”
  • “None of your business, get a hobby”
  • “Sorry – no BIND vulnerabilities here!”
  • “Hit the road Jack and don’t you come back no more!”
  • “666 the number of the beast…!”
  • “I could tell you but then I’d have to kill you”
  • “Stop being part of the problem. Get a real job”
  • “Another Visitor. Stay for a while. Stay forever”

For the hacker minded and those trying to automate some fingerprinting process, be aware of those versions lines ;-)

  • ! ‘; DROP DATABASE DNS_SERVERS; —
  • 1 ‘; DROP DATABASE mysql; —

BTW, I even found some job offers among the responses !

As it seems, even if some results produced scary versions (EOL and deprecated) it’s still nice to see that geeks/sysadmins have a sense of humor !

May BIND be with you !

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s