27 Mar 2003 wardv   » (Journeyer)

DNS

OK, I got curious. I'm trying to figure out what software the 13 root DNS servers run. With this little shell script:

  for i in a b c d e f g h i j k l m; do
    echo $i.root-servers.net
    # CHAOS-class TXT query for version.bind; drop dig's comment lines and blank lines
    dig +short -c chaos -t txt version.bind @$i.ROOT-SERVERS.NET. \
      | grep -v "^;;" | grep -v "^$" | grep -v ";vers"
  done

One can compile this list:

  a.root-servers.net "VGRS2"
  b.root-servers.net "8.2.5-REL"
  c.root-servers.net "8.3.3-REL"
  d.root-servers.net "8.3.1-REL"
  e.root-servers.net "8.3.3-REL"
  f.root-servers.net "9.2.2rc1"
  g.root-servers.net
  h.root-servers.net "8.3.4-REL" / "9.2.2" (try a couple of runs of the script)
  i.root-servers.net "8.2.3-REL"
  j.root-servers.net "VGRS2"
  k.root-servers.net
  l.root-servers.net "BIND-8.3.1-MA-PATCH-JMB-01"
  m.root-servers.net "8.3.4-REL"

Given that we know that K switched to NSD, we can ask it:

  dig +short -c chaos -t txt version.server @k.root-servers.net

and see:

  "NSD-1.0.2"

That leaves us with one mysterious server, G.
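As an added example (not the author's script, and not from the page), here is the same version.bind / version.server CHAOS-class TXT query built and parsed at the wire level in Python, so you can see exactly what dig sends and what a server that answers, or refuses, sends back. The reply builder only constructs a sample response for offline testing; nothing here is a real server's output.

```python
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record, CHAOS class: dig's "-c chaos -t txt"

def encode_name(name):
    # Dotted name -> DNS labels: length byte + label, terminated by a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_chaos_txt_query(name, txid=0x1234):
    # Wire-format query equivalent to: dig -c chaos -t txt <name> (RD flag set)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def decode_name(msg, off):
    # Decode a name, following compression pointers; return (name, next offset)
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length

def parse_chaos_txt(msg):
    # Return the TXT strings from the answer section of a CH-class TXT response
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, texts = 12, []
    for _ in range(qd):  # skip the echoed question (name + type + class)
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TYPE_TXT, CLASS_CH):
            p = 0
            while p < len(rdata):  # rdata is one or more <len><chars> strings
                texts.append(rdata[p + 1:p + 1 + rdata[p]].decode())
                p += 1 + rdata[p]
    return texts

def build_chaos_txt_response(query, text):
    # Constructed reply for offline testing: echoes the question and answers with one
    # CH TXT record whose owner name is a pointer (0xC00C) to it, as real servers do
    rdata = bytes([len(text)]) + text.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return query[:2] + b"\x84\x00" + struct.pack("!HHHH", 1, 1, 0, 0) + query[12:] + answer
```

To ask a real server, send `build_chaos_txt_query("version.bind")` over UDP to port 53 and hand the reply to `parse_chaos_txt`; on your own BIND servers the `version` option in named.conf controls what string (if any) comes back, which is the thing worth checking.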

A and J are the Verisign servers, and according to this article they may actually be running the proprietary ATLAS software Verisign developed (why is beyond me given djbdns exists, but hey they are a Big Corporation TM). However, I'm not convinced they actually are.

I used the (crude) DNS fingerprinting tool available at darklab.org to look at the size of the packet returned after a query for 127.0.0.1 and for 'localhost'. This is what I saw:

Srv  version.bind                127.0.0.1  localhost
A    VGRS2                       104        102
B    8.2.5                  ->   111        102
C    8.3.3                       104        102
D    8.3.1                       104        102
E    8.3.3                       104        102
F    9.2.2rc1                    104        102
G    ?????                       104        102
H    8.3.4                       104        102
H    9.2.2                       104        102
I    8.2.3                       104        102
J    VGRS2                  ->   256        102
K    NSD-1.0.2                   104        102
L    8.3.1-MA-PATCH-JMB-01       104        102
M    8.3.4                       104        102

Using ethereal to capture the responses, I looked only at the result for the query about 127.0.0.1 (since all the 'localhost' responses have the same size, and the couple I checked said NXDOMAIN). Here is what I found:
  • All servers except B respond with NXDOMAIN, and point to A as authoritative.
  • B kindly tells us that 127.0.0.1 is LOCALHOST, which explains the slightly larger packet it returns. (dig confirms this with dig @b.root-servers.net PTR 1.0.0.127.in-addr.arpa)
  • J also responds with NXDOMAIN, but returns all root servers except itself as the list of authoritative nameservers (!)
  • K returns the authoritative information entirely in lowercase; all other servers respond entirely in uppercase. Potentially a way to distinguish NSD from BIND?

Given all this, my suspicion is that A and G are running BIND 8.x or 9.x. J, however, puzzles me. Maybe it is running that proprietary Verisign software. Maybe just some version of BIND. I guess I need better tools/more time to figure that out.

That is as far as I got. Any insights welcome :) And if you have pointers to better DNS fingerprinting software, I'd be grateful.
