How to find out DNS Server version ?
Bill Larson
wllarso at swcp.com
Fri Nov 13 15:33:47 UTC 2009
Tibo <t.lemaire at tib1.com> said:
> Leonardo Rodrigues a écrit :
> > Tibo escreveu:
> >>
> >> I think I found it : fpdns -f NAMESERVER
> >>
> >> Is it always OK ?
> >
> > No, that's not always OK, because -f option of fpdns relies on the
> > version.bind record, which i explained on my previous message that
> > sometimes cant be queries and other times can fake some false version id.
> >
> > fpdns -f and the dig command i gave you queries exactly the same
> > thing.
> >
> > none of those (which are in fact the sam thing) are 100% reliable for
> > identifying remote dns server versions
> >
> >
> Ok, I think if I tell my people to always let the version and the
> solution with dig would be OK.
You can always define a "view" for the chaos class and only let your
workstation get the results from this version.bind query. Everyone else
would be blocked from obtaining this information.
Many "security" people believe that releasing the bind.version information
is a security issue. They do a "version.bind" query and if they get ANY
answer they fell that this is a problem. I don't agree with them, but I
have given up fighting them on this issue. Most of the time these security
people are outside consultants that management is paying and they have
management's ear with any "findings".
The "fpdns" tool trys to determine the type/version of a DNS server by
sending the server special queries which help to define this information.
Unfortunately, multiple versions of BIND can respond to these special
queries and so only provide a range of version information. Also, I have
seen firewalls which block some of the queries fpdns uses, such as TCP ones,
which make version identification even more difficult and/or impossible.
Another possibility is to ASK the administrators of the other data centers
for this information. All they have to do is run "named -v" to get this
information. If you can't get them to do this for you, how do you expect to
get them to reconfigure your named.conf to allow version.bind queries?
I know that having the BIND version available by querying is nice, but it is
also possible to configure this information to report bogus information in a
format that would appear to be legitimate. Why "trust" these version.bind
queries in the first place? Use the simple solution of asking the
administrators. A simple question deserves a simple solution.
Bill Larson
More information about the bind-users
mailing list