Vulnerability Development mailing list archives

Re: DNS Version check.


From: "Nexus" <nexus () patrol i-way co uk>
Date: Thu, 6 Jun 2002 11:20:57 +0100

If you are using Perl then Net::DNS by Mike Fuhr
http://www.fuhr.org/~mfuhr/perldns/ is the way to go and use something
similar to:

 $packet = $res->query("version.bind","TXT","CH");

As has been said, this string can be changed from the default, or even its
request can be refused. That said, you can also query servers for
"authors.bind" to possibly fingerprint BIND versions of 9.x.x - this is a CH
class TXT record again - don't think there is a way to query for the version
string without using the CH class. For completeness, as folks have
mentioned doing this with dig, you can do it with nslookup as well, both as
a one-liner and interactively:

[nexus@wulfgar nexus]$ nslookup -q=txt -class=chaos version.bind 192.168.1.1
Server:  ns1.example.com
Address:  192.168.1.1

VERSION.BIND    text = "8.2.3-REL-NOESW"
[nexus@wulfgar nexus]$ nslookup
Default Server:  ns1.example.com
Address:  192.168.1.1

set class=chaos
set type=txt
version.bind
Server:  ns1.example.com
Address:  192.168.1.1

VERSION.BIND    text = "8.2.3-REL-NOESW"
exit
[nexus@wulfgar nexus]$

FWIW, there are other ways to fingerprint DNS servers even when the string
is not present by looking at the RCODE reply from the server.
For example, an RCODE reply of 4, "Not Implemented" is consistent with the
MS DNS servers, RCODE of 1, "Format String Error" is consistent with Dan
Bernstein's DJBDNS/TinyDNS and a reply of 2, "Internal Server Error" was
found to be the response from Novell BorderManager.
Other ways of doing this are WIP atm ;-)

Cheers.

----- Original Message -----
From: "Vjay LaRosa" <vjayl () emc com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, June 05, 2002 10:59 PM
Subject: DNS Version check.


Hello,

Does anyone know if it is possible to request the version of bind a
server is running? I would like to write a quick perl script to scan my
network to check all of the versions. Thanks!

vjl



--
  V.Jay LaRosa EMC Corporation
  Systems Administrator 171 South Street
  (508)435-1000 ext 14957 Hopkinton, MA 01748
  (508)497-8082 fax www.emc.com
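
Added example, not part of the original posts: the version.bind CH-class TXT query from the thread built at the DNS wire-format level, returning the RCODE alongside any TXT strings so an inventory of your own servers can distinguish an answer from a refusal. It uses Python's standard library rather than Net::DNS; all function names are this example's own, and sample_response() is a constructed reply reusing the version string from the nslookup session.

```python
import socket
import struct

QTYPE_TXT, QCLASS_CH = 16, 3  # TXT record type, CHAOS class

def build_query(name="version.bind", txid=0x1234):
    """Wire-format query for a CH-class TXT record (flags 0: RD bit clear)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + labels + b"\x00"
            + struct.pack("!HH", QTYPE_TXT, QCLASS_CH))

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off

def parse_response(msg):
    """Return (rcode, [TXT strings]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off, texts = flags & 0x000F, 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        start = off + 10
        rdata, pos, off = msg[start:start + rdlen], 0, start + rdlen
        while rtype == QTYPE_TXT and pos < rdlen:  # <length><bytes> character-strings
            n = rdata[pos]
            texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
    return rcode, texts

def check_server(ip, timeout=3.0):
    """Query one server over UDP; the reply's transaction ID is not verified."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (ip, 53))
        return parse_response(s.recvfrom(512)[0])

def sample_response():
    """Constructed reply: QR+AA flags, RCODE 0, one CH TXT answer."""
    q, txt = build_query(), b"8.2.3-REL-NOESW"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(txt) + 1) + bytes([len(txt)]) + txt
    return q[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0) + q[12:] + rr
```

A result with an empty string list and a non-zero RCODE (5 is REFUSED) means the server declined the query, which is different from a server that answers with a changed string. Truncated or malformed replies raise an exception rather than returning partial data.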


