
How to find out DNS Server version ?


Tibo

Nov 13, 2009, 9:20:43 AM11/13/09
to comp-protoc...@isc.org
Hello!

I have a little problem:

We have 4 little datacenters around the world.
I would like to check if all DNS servers are up to date, but only the people
responsible for a datacenter can access their servers, for security reasons.
I know some tools on the net can do that, but it's not easy for me and
I'd like to automate all of that.

I tried fingerprinting (fpdns) but the answer is always:
"BIND 9.2.3rc1 -- 9.4.0a0."

Do you have any solutions for me?

Thanks in advance,

Thibaut

Tibo

Nov 13, 2009, 9:48:05 AM11/13/09
to comp-protoc...@isc.org
Tibo wrote:

I think I found it : fpdns -f NAMESERVER

Is it always OK ?

Leonardo Rodrigues

Nov 13, 2009, 9:52:27 AM11/13/09
to Tibo, comp-protoc...@isc.org

You can always try:

dig @dns.server.to.query version.bind chaos txt

which would return something like:


;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "djbdns 1.05"

(sorry for the djbdns... I found no BIND that allows that for
exemplifying it :) )

The big problem here is that DNS servers quite usually do not
accept these queries or, in another quite usual configuration, change
the text to some generic string, which can be easily done in BIND, for
example:


;; ANSWER SECTION:
version.bind. 0 CH TXT "version goes here"


There's absolutely no guaranteed way of getting the correct version
running on DNS servers you have no admin access to. The only thing guaranteed
to work 100% of the time still seems to be 'named -v' on the machine's
console.


Tibo wrote:


> Hello!
>
> I have a little problem:
>
> We have 4 little datacenters around the world.
> I would like to check if all DNS servers are up to date, but only the people
> responsible for a datacenter can access their servers, for security
> reasons.
> I know some tools on the net can do that, but it's not easy for me and
> I'd like to automate all of that.

--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it
gert...@solutti.com.br
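
The wire-level equivalent of the dig command above, as an added example that is not part of the thread: it builds the version.bind CH TXT query, parses the reply, and sorts it into the three outcomes Leonardo describes (a real version string, a replaced generic string, a refused query). The three sample replies are constructed inline, not captured from any real server, and the probe() helper and port 53 are the only live parts.

```python
import re
import socket
import struct

# Added example, not from the thread: the wire-format equivalent of
#   dig @server version.bind chaos txt
# plus a parser/classifier for the three outcomes described above:
# a real version string, a replaced generic string, and a refused query.

QTYPE_TXT, QCLASS_CH = 16, 3
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(txid=0x1234):
    """12-byte header (one question, no flags) + version.bind CH TXT question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_response(pkt):
    """Return {'rcode': name, 'txt': [strings]} for a version.bind reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip qtype + qclass
    txts = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (QTYPE_TXT, QCLASS_CH):
            i = 0
            while i < len(rdata):               # TXT rdata is a series of <len><chars>
                ln = rdata[i]
                txts.append(rdata[i + 1:i + 1 + ln].decode("ascii", "replace"))
                i += 1 + ln
    return {"rcode": RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F)), "txt": txts}


def classify(resp):
    """blocked / empty / version / obfuscated, as a fleet check would record it."""
    if resp["rcode"] != "NOERROR":
        return "blocked"
    if not resp["txt"]:
        return "empty"
    # "9.6.1-P2" or "djbdns 1.05" carry a dotted number; "version goes here" does not.
    return "version" if re.search(r"\d+\.\d+", " ".join(resp["txt"])) else "obfuscated"


def probe(server, timeout=2.0):
    """Live UDP probe against a real server (not used by the offline samples below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        return parse_response(s.recv(512))


def _make_response(query, rcode, txt=None):
    """Constructed reply to `query`: QR|AA set, optional one-string CH TXT answer."""
    an = 0 if txt is None else 1
    pkt = query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, an, 0, 0) + query[12:]
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return pkt


# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "real": _make_response(build_query(), 0, "9.6.1-P2"),
    "fake": _make_response(build_query(), 0, "version goes here"),
    "refused": _make_response(build_query(), 5),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = parse_response(pkt)
        print(f"{name:8} rcode={r['rcode']:8} txt={r['txt']} -> {classify(r)}")
```

The point of the classifier is the one made in the post: an answer is evidence only when it is a version string, and even then it is whatever the operator chose to put in the `version` option, so a fleet check should record "obfuscated" and "blocked" separately from a real version rather than treating any reply as data.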


Marc Riera

Nov 13, 2009, 9:54:45 AM11/13/09
to Tibo, comp-protoc...@isc.org
Hello,

You can ask them to run this:

dig -t txt -c chaos VERSION.BIND @<SERVER_IP>


or maybe you are lucky and this web page is useful for you:

http://www.howismydns.com/tools.php


good luck.

Joan Marc Riera Duocastella
Barcelona Media - Centre d'Innovació
Av. Diagonal, 177, planta 9 08018 - BARCELONA
Phone +34 93 238 14 00 Fax +34 93 309 31 88
www.barcelonamedia.org



Leonardo Rodrigues

Nov 13, 2009, 10:04:01 AM11/13/09
to Tibo, comp-protoc...@isc.org
Tibo wrote:

>
> I think I found it : fpdns -f NAMESERVER
>
> Is it always OK ?

No, that's not always OK, because the -f option of fpdns relies on the
version.bind record, which, as I explained in my previous message,
sometimes can't be queried and other times can return a fake version id.

fpdns -f and the dig command I gave you query exactly the same thing.

None of those (which are in fact the same thing) are 100% reliable for
identifying remote DNS server versions.

Tibo

Nov 13, 2009, 10:10:50 AM11/13/09
to comp-protoc...@isc.org
Leonardo Rodrigues wrote:

> Tibo wrote:
>>
>> I think I found it : fpdns -f NAMESERVER
>>
>> Is it always OK ?
>
> No, that's not always OK, because the -f option of fpdns relies on the
> version.bind record, which, as I explained in my previous message,
> sometimes can't be queried and other times can return a fake version id.
>
> fpdns -f and the dig command I gave you query exactly the same
> thing.
>
> None of those (which are in fact the same thing) are 100% reliable for
> identifying remote DNS server versions.
>
>
OK, I think if I tell my people to always leave the version visible, the
solution with dig would be OK.

Thanks a lot !

Bill Larson

Nov 13, 2009, 10:33:47 AM11/13/09
to Tibo, comp-protoc...@isc.org
Tibo <t.le...@tib1.com> said:

> Leonardo Rodrigues wrote:


> > Tibo wrote:
> >>
> >> I think I found it : fpdns -f NAMESERVER
> >>
> >> Is it always OK ?
> >
> > No, that's not always OK, because the -f option of fpdns relies on the
> > version.bind record, which, as I explained in my previous message,
> > sometimes can't be queried and other times can return a fake version id.
> >
> > fpdns -f and the dig command I gave you query exactly the same
> > thing.
> >
> > None of those (which are in fact the same thing) are 100% reliable for
> > identifying remote DNS server versions.
> >
> >

> OK, I think if I tell my people to always leave the version visible, the
> solution with dig would be OK.

You can always define a "view" for the chaos class and only let your
workstation get the results from this version.bind query. Everyone else
would be blocked from obtaining this information.

Many "security" people believe that releasing the version.bind information
is a security issue. They do a "version.bind" query and if they get ANY
answer they feel that this is a problem. I don't agree with them, but I
have given up fighting them on this issue. Most of the time these security
people are outside consultants that management is paying, and they have
management's ear with any "findings".

The "fpdns" tool tries to determine the type/version of a DNS server by
sending the server special queries which help to define this information.
Unfortunately, multiple versions of BIND can respond to these special
queries and so only provide a range of version information. Also, I have
seen firewalls which block some of the queries fpdns uses, such as TCP ones,
which make version identification even more difficult and/or impossible.

Another possibility is to ASK the administrators of the other data centers
for this information. All they have to do is run "named -v" to get this
information. If you can't get them to do this for you, how do you expect to
get them to reconfigure their named.conf to allow version.bind queries?

I know that having the BIND version available by querying is nice, but it is
also possible to configure this information to report bogus information in a
format that would appear to be legitimate. Why "trust" these version.bind
queries in the first place? Use the simple solution of asking the
administrators. A simple question deserves a simple solution.

Bill Larson

Khusro Jaleel

Dec 14, 2009, 5:40:30 AM12/14/09
to comp-protoc...@isc.org, Tibo
On 13 Nov 2009, at 14:20, Tibo wrote:
>
> We have 4 little datacenters around the world.
> I would like to check if all DNS servers are up to date, but only the people
> responsible for a datacenter can access their servers, for security reasons.
> I know some tools on the net can do that, but it's not easy for me and
> I'd like to automate all of that.

How about just using an ACL for rndc on each nameserver which allows
only your local network to run "rndc status" against each nameserver?

From the output of that, the first line will give you the version number.
The DNS server admins will also have to give you an rndc key which you
will use on your local system to connect to the server. This is referenced
below as "my-rndc-key.rndc".

For example, you could have the following in each nameserver's named.conf:
=================================
/*
 * ACL for controlling slave servers
 */
acl "allowed-rndc" {
    127.0.0.1;        /* loopback */
    192.168.1.0/24;   /* localnet */
    x.x.x.x/24;       /* any network */
};

/*
 * Control socket
 */
controls {
    inet *                      /* this can be as restrictive as desired */
        allow { allowed-rndc; }
        keys { "my-rndc-key.rndc"; };
};
=================================

Then, from your "x.x.x.x/24" network, you can run the following:

# rndc -s ip-of-dns-server-here status

This will give you the following output:
=================================
version: 9.6.1-P2
number of zones: 5
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
=================================

You can then get the version number from the first line. Hope this helps.

Thanks,
Khusro
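
Turning the rndc approach above into the automated check Thibaut asked for, as an added example that is not part of the thread: it pulls the version line out of `rndc status` output and compares BIND version strings of the shapes seen in this thread (9.6.1-P2, 9.2.3rc1, 9.4.0a0) so that a stale server is flagged rather than eyeballed. The status text is a constructed sample modelled on the output quoted above, the `rndc_status()` wrapper assumes `rndc` is in PATH and is not exercised offline, and the "dc1"/"dc2" server names are placeholders.

```python
import re
import subprocess

# Added example, not from the thread: extract the version from `rndc status`
# output and compare BIND version strings so a fleet check can flag stale servers.

# Constructed sample, modelled on the output shape quoted in the post above.
RNDC_STATUS_SAMPLE = """\
version: 9.6.1-P2
number of zones: 5
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
"""


def version_from_rndc_status(output):
    """First 'version:' line of rndc status output, or ValueError."""
    for line in output.splitlines():
        if line.startswith("version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no version line in rndc status output")


# major.minor.patch, optional a/b/rc pre-release tag, optional -Pn security patch level
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?")
STAGE_ORDER = {"a": 0, "b": 1, "rc": 2, None: 3}   # a release sorts after any pre-release


def parse_bind_version(s):
    """'9.6.1-P2' -> (9, 6, 1, 3, 0, 2); '9.2.3rc1' -> (9, 2, 3, 2, 1, 0)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {s!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = STAGE_ORDER[m.group(4)]
    stage_num = int(m.group(5) or 0)
    p_level = int(m.group(6) or 0)
    return (major, minor, patch, stage, stage_num, p_level)


def is_up_to_date(found, minimum):
    """True when `found` is at or above `minimum`; -Pn patch levels count."""
    return parse_bind_version(found) >= parse_bind_version(minimum)


def rndc_status(server, key_file=None):
    """Run rndc against a remote control channel (assumes rndc in PATH; not run offline)."""
    cmd = ["rndc", "-s", server]
    if key_file:
        cmd += ["-k", key_file]          # key handed over by the remote admins
    return subprocess.run(cmd + ["status"], check=True,
                          capture_output=True, text=True).stdout


def check_fleet(status_outputs, minimum):
    """{server: rndc status text} -> {server: (version, up_to_date)}."""
    return {srv: (ver, is_up_to_date(ver, minimum))
            for srv, ver in ((s, version_from_rndc_status(o))
                             for s, o in status_outputs.items())}


if __name__ == "__main__":
    # Placeholder server names; dc2 is given an older patch level to show the flag.
    fleet = {"dc1": RNDC_STATUS_SAMPLE,
             "dc2": RNDC_STATUS_SAMPLE.replace("9.6.1-P2", "9.6.1-P1", 1)}
    for srv, (ver, ok) in check_fleet(fleet, "9.6.1-P2").items():
        print(f"{srv}: {ver} {'ok' if ok else 'OUTDATED'}")
```

Unlike the version.bind answer, the version rndc reports cannot be replaced with an arbitrary string, and the control channel is already gated by the ACL and the shared key, so the comparison runs on data that the remote admins have deliberately chosen to expose to you.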
