How to find out DNS Server version ?

Bill Larson wllarso at swcp.com
Fri Nov 13 15:33:47 UTC 2009


Tibo <t.lemaire at tib1.com> said:

> Leonardo Rodrigues wrote:
> > Tibo wrote:
> >>
> >> I think I found it : fpdns -f NAMESERVER
> >>
> >> Is it always OK ?
> > 
> >    No, that's not always OK, because the -f option of fpdns relies on the 
> > version.bind record, which, as I explained in my previous message, 
> > sometimes can't be queried and other times can give a false version id.
> > 
> > fpdns -f and the dig command I gave you query exactly the same 
> > thing.
> > 
> > None of those (which are in fact the same thing) are 100% reliable for 
> > identifying remote DNS server versions.
> > 
> > 
> OK, I think if I tell my people to always leave the version available, 
> the solution with dig would be OK.

You can always define a "view" for the chaos class and only let your 
workstation get the results from this version.bind query.  Everyone else 
would be blocked from obtaining this information.

Many "security" people believe that releasing the version.bind information 
is a security issue.  They do a "version.bind" query and if they get ANY 
answer they feel that this is a problem.  I don't agree with them, but I 
have given up fighting them on this issue.  Most of the time these security 
people are outside consultants that management is paying and they have 
management's ear with any "findings".

The "fpdns" tool tries to determine the type/version of a DNS server by 
sending the server special queries which help to define this information.  
Unfortunately, multiple versions of BIND can respond to these special 
queries in the same way and so only provide a range of version information.  Also, I have 
seen firewalls which block some of the queries fpdns uses, such as TCP ones, 
which make version identification even more difficult and/or impossible.

Another possibility is to ASK the administrators of the other data centers 
for this information.  All they have to do is run "named -v" to get this 
information.  If you can't get them to do this for you, how do you expect to 
get them to reconfigure your named.conf to allow version.bind queries?

I know that having the BIND version available by querying is nice, but it is 
also possible to configure this information to report bogus information in a 
format that would appear to be legitimate.  Why "trust" these version.bind 
queries in the first place?  Use the simple solution of asking the 
administrators.  A simple question deserves a simple solution.

Bill Larson
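The chaos-class view described in the message above, written out as an added named.conf example (not from the original post and not copied from ISC's documentation). The admin workstation address 192.0.2.10, the server address 192.0.2.53, the view and file names, the example.com zone and the version string are all assumptions:

```conf
// Added example, not from the original post. Puts the CHAOS class into its
// own view so that only one workstation can read version.bind. Addresses,
// file names and the version string are assumptions.

options {
    directory "/var/named";
    // The blunt alternative, shown for contrast: hides the version from
    // everyone, including your own workstation.
    // version none;
};

// CHAOS-class view matched only by the admin workstation. Defining the
// "bind" zone here overrides the built-in server-information zone, so the
// answer comes from db.bind. Once views are in use, a query that matches
// no view is answered REFUSED, so CHAOS queries from anyone else get
// nothing.
view "chaos-admin" chaos {
    match-clients { 192.0.2.10/32; };   // assumed admin workstation
    recursion no;
    zone "bind" chaos {
        type master;
        file "db.bind";
    };
};

// The ordinary IN-class view serving everyone else exactly as before.
// (With views in use, every zone has to live inside some view.)
view "default" in {
    match-clients { any; };
    zone "example.com" in {
        type master;
        file "db.example.com";      // assumed zone
    };
};

// db.bind, the CHAOS-class zone file used by the view above (TTL 0 so the
// answer is never cached). The TXT contents are whatever you choose, which
// is exactly why a version.bind answer is not proof of anything:
//
//   $TTL 0
//   @               CH  SOA  localhost. root.localhost. ( 1 3600 300 1814400 0 )
//   @               CH  NS   localhost.
//   version.bind.   CH  TXT  "9.6.1-P1"      ; assumed version string
//   hostname.bind.  CH  TXT  "ns1.example.net"
//
// Check the zone file and the config before reloading:
//   named-checkzone -c CH bind db.bind
//   named-checkconf /etc/named.conf
//
// Check the result from the workstation and from any other host:
//   dig @192.0.2.53 version.bind CH TXT
// The workstation gets the TXT record; every other client gets
// status: REFUSED in the dig header.
```

The dig check is worth running from both sides of the match-clients line after every reload: a view that accidentally matches `any` hands the string to the same consultants the message complains about, and a typo in the address silently locks out the workstation too.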