Re: DNS Version check.

From: Nexus (nexusat_private-way.co.uk)
Date: Thu Jun 06 2002 - 03:20:57 PDT

    If you are using perl then Net::DNS by Mike Fuhr
    http://www.fuhr.org/~mfuhr/perldns/ is the way to go and use something
    similar to :
    
     $packet = $res->query("version.bind","TXT","CH");
    
    As has been said, this string can be changed from the default, or even its
    request can be refused.   That said, you can also query servers for
    "authors.bind" to possibly fingerprint BIND versions of 9.x.x - this is a CH
    class TXT record again - don't think there is a way to query for the version
    string without using the CH class.   For completeness as folks have
    mentioned doing this with dig, you can do it with nslookup as well, both as
    a one-liner and interactively :
    
    [nexus@wulfgar nexus]$ nslookup -q=txt -class=chaos version.bind 192.168.1.1
    Server:  ns1.example.com
    Address:  192.168.1.1
    
    VERSION.BIND    text = "8.2.3-REL-NOESW"
    [nexus@wulfgar nexus]$ nslookup
    Default Server:  ns1.example.com
    Address:  192.168.1.1
    
    > set class=chaos
    > set type=txt
    > version.bind
    Server:  ns1.example.com
    Address:  192.168.1.1
    
    VERSION.BIND    text = "8.2.3-REL-NOESW"
    > exit
    [nexus@wulfgar nexus]$
    
    FWIW, there are other ways to fingerprint DNS servers even when the string
    is not present by looking at the RCODE reply from the server.
    For example, an RCODE reply of 4, "Not Implemented" is consistent with the
    MS DNS servers, RCODE of 1, "Format String Error" is consistent with Dan
    Bernstein's DJBDNS/TinyDNS and a reply of 2, "Internal Server Error" was
    found to be the response from Novell BorderManager.
    Other ways of doing this are WIP atm ;-)
    
    Cheers.
    
    ----- Original Message -----
    From: "Vjay LaRosa" <vjaylat_private>
    To: <vuln-devat_private>
    Sent: Wednesday, June 05, 2002 10:59 PM
    Subject: DNS Version check.
    
    
    > Hello,
    >
    > Does any one know if it is possible to request the version of bind a
    > server is running? I would like to write a quick perl script to scan my
    > network to check all of the versions. Thanks!
    >
    > vjl
    >
    >
    >
    > --
    >   V.Jay LaRosa EMC Corporation
    >   Systems Administrator 171 South Street
    >   (508)435-1000 ext 14957 Hopkinton, MA 01748
    >   (508)497-8082 fax www.emc.com
    >
    



    This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 08:48:22 PDT