This blog post is about service fingerprinting DNS servers on Internet. The most straight forward way to identify the version of a DNS server is to send it a “version.bind” request. Although the name implies it is targeting only BIND software, it is also implemented in other DNS server software (see RFC) !
What is the “version.bind” query ?
BIND as well as other DNS software vendors/implementations allow for a specific TXT resource record of class CHAOS (3) to be handled. This query, the “version.bind” query (see RFC), allows one to retrieve the version of the running DNS software. Such a query is to be answered, if supported by the DNS software, with a response describing its running version.
An easy way of trying this is to use the Domain Information Groper (`dig`):
dig @ version.bind txt chaos +norecurse +noedns
BTW the “version.bind” is the most known type of query to identify DNS servers’ information but not the only one:
- HOSTNAME.BIND: unique identifier (depends on the implementation but usually resulting from the gethostname() call)
- ID.SERVER: same as HOSTNAME.BIND
Let’s do it !
So after having scanned the whole IPv4 address space for DNS servers (and found 16.4M unique IPs), those servers have been sent the “version.bind” query. 42% responded to the requests (6.9M) among which following vendors were found:
- BIND (~ 34%)
- Dnsmasq (~ 6%)
- Microsoft DNS Server (~ 2%)
- tinyDNS (less than 0.1%)
- other (~ 58%)
“others” were either:
- empty version
- obfuscated version
- specific / rare software vendors
Among the 2M BIND servers, following versions were found:
- 45% running version 9.3.x => Deprecated (meaning “Do not use this version“)
- 23% running version 9.8.x => Current
- 15% running version 9.7.x => EOL (End Of Life)
- 5% running version 9.2.x => Deprecated
- 4% running version 9.4.x => Deprecated
- 3% running version 9.9.2 => Current
Looks impressive right … more than half of the DNS servers running BIND run a version that is flagged as “deprecated” ?!? I’ll let you draw your own conclusion out of this but one must admit this is quite scary !
Exploring the exotic BIND version edited by sysadmins shows funny surprises. Here’s a little excerpt of unedited version line returned by some DNS servers:
- “We use trained monkeys to delivere DNS responses, not BIND”
- “My name is Bind, James Bind!”
- “The best version, of course! What did you expect?”
- “you disappoint me. surely you can do better than this!”
- “These are not the droids you are looking for. Move along”
- “all your base are belong to us”
- “I have as much privacy as a goldfish in a bowl”
- “None of your business, get a hobby”
- “Sorry – no BIND vulnerabilities here!”
- “Hit the road Jack and don’t you come back no more!”
- “666 the number of the beast…!”
- “I could tell you but then I’d have to kill you”
- “Stop being part of the problem. Get a real job”
- “Another Visitor. Stay for a while. Stay forever”
For the hacker minded and those trying to automate some fingerprinting process, be aware of those versions lines ;-)
- ! ‘; DROP DATABASE DNS_SERVERS; —
- 1 ‘; DROP DATABASE mysql; —
BTW, I even found some job offers among the responses !
As it seems, even if some results produced scary versions (EOL and deprecated) it’s still nice to see that geeks/sysadmins have a sense of humor !
May BIND be with you !
Kudelski Security Research 