DNS
OK, I got curious. I'm trying to figure out what software the 13 root DNS servers run. With this little shell script:
for i in a b c d e f g h i j k l m; do
    echo $i.root-servers.net
    dig +short -c chaos -t txt version.bind @$i.ROOT-SERVERS.NET. \
        | grep -v "^;;" | grep -v "^$" | grep -v ";vers"
done
One can compile this list:
a.root-servers.net "VGRS2"
b.root-servers.net "8.2.5-REL"
c.root-servers.net "8.3.3-REL"
d.root-servers.net "8.3.1-REL"
e.root-servers.net "8.3.3-REL"
f.root-servers.net "9.2.2rc1"
g.root-servers.net
h.root-servers.net "8.3.4-REL" / "9.2.2" (try a couple of runs of the script)
i.root-servers.net "8.2.3-REL"
j.root-servers.net "VGRS2"
k.root-servers.net
l.root-servers.net "BIND-8.3.1-MA-PATCH-JMB-01"
m.root-servers.net "8.3.4-REL"
Given that we know that K switched to NSD, we can ask it:
dig +short -c chaos -t txt version.server @k.root-servers.net
and see:
"NSD-1.0.2"
That leaves us with one mysterious server, G.
A and J are the Verisign servers, and according to this article they may actually
be running the proprietary ATLAS software Verisign developed (why is beyond me given djbdns exists, but hey they are a Big Corporation TM). However, I'm not convinced they actually are.
I used the (crude) dns fingerprinting tool available at darklab.org to look at the size of the
packet returned after a query for 127.0.0.1 and 'localhost'. This is what I
saw:
server  version                   127.0.0.1   localhost
A       VGRS2                     104         102
B       8.2.5                  -> 111         102
C       8.3.3                     104         102
D       8.3.1                     104         102
E       8.3.3                     104         102
F       9.2.2rc1                  104         102
G       ?????                     104         102
H       8.3.4                     104         102
H       9.2.2                     104         102
I       8.2.3                     104         102
J       VGRS2                  -> 256         102
K       NSD-1.0.2                 104         102
L       8.3.1-MA-PATCH-JMB-01     104         102
M       8.3.4                     104         102
Using ethereal to capture the responses, I looked at the result for the
query about 127.0.0.1 only (since all the 'localhost' responses have the same
size, and the couple I checked said NXDOMAIN). Here is what I found:
- All servers except B respond with NXDOMAIN, and point to A as authoritative.
- B kindly tells us that 127.0.0.1 is LOCALHOST, which explains the slightly
  larger packet it returns. (Dig confirms this with
  dig @b.root-servers.net PTR 1.0.0.127.in-addr.arpa)
- J also responds with NXDOMAIN, but returns all root servers except itself as
  the list of authoritative nameservers (!)
- K returns the authoritative information entirely in lowercase, all other
  servers respond entirely in uppercase. Potentially a way to distinguish NSD
  from BIND?
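As an added example (not part of the original post), here is a small parser that reproduces the two checks used above offline, without dig or ethereal: it builds the CHAOS-class TXT query that dig sends for version.bind / version.server, and pulls the TXT answer and the authority-section NS names (with their letter case) out of a response. The sample reply at the bottom is constructed by hand, not a real capture from K; the same parser lets an operator check what their own server gives away to such a query.

```python
import struct
TYPE_NS, TYPE_TXT, CLASS_CH = 2, 16, 3               # RR types NS/TXT, class CHAOS

def encode_name(name):
    # Dotted name -> length-prefixed labels; "." becomes the single root byte.
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def build_chaos_txt_query(name="version.bind", txid=0x1234):
    # Same request as `dig -c chaos -t txt version.bind`: one question, RD set.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def read_name(msg, off):
    # Decode a possibly compressed name; return (name, offset just past it).
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                   # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (end if end is not None else off + 1)

def parse_response(msg):
    # RCODE, TXT strings (answer), NS names (authority) and the case those names came in.
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        off = read_name(msg, off)[1] + 4
    txt, authority = [], []
    for count, want in ((an, TYPE_TXT), (ns, TYPE_NS)):
        for _ in range(count):
            off = read_name(msg, off)[1]
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == want == TYPE_TXT:             # rdata is a run of <len><chars>
                i = 0
                while i < rdlen:
                    txt.append(msg[off + i + 1:off + i + 1 + msg[off + i]].decode("ascii"))
                    i += 1 + msg[off + i]
            elif rtype == want == TYPE_NS:
                authority.append(read_name(msg, off)[0])
            off += rdlen
    names = "".join(authority)
    case = "none" if not names else "lower" if names.islower() else "upper" if names.isupper() else "mixed"
    return {"rcode": flags & 0xF, "txt": txt, "authority": authority, "case": case}

# Constructed sample (not a real capture): a version.server reply carrying "NSD-1.0.2" plus
# one lowercase NS record in the authority section, as the post reports for K.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0)
          + encode_name("version.server") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
          + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 10) + b"\x09NSD-1.0.2"
          + encode_name(".") + struct.pack("!HHIH", TYPE_NS, 1, 0, 20) + encode_name("k.root-servers.net"))
```

Feed parse_response() the payload of a captured UDP reply and it returns the version string (if the server answers at all) and whether the authority names were lowercase, the two signals used above.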
Given all this, my suspicion is that A and G are running BIND 8.x or 9.x. J,
however, puzzles me. Maybe it is running that proprietary Verisign software.
Maybe just some version of BIND. I guess I need better tools/more time to
figure that out.
That is as far as I got. Any insights welcome :) And if you have pointers to
better DNS fingerprinting software, I'd be grateful.