How to identify remote DNS server’s software name and its version?

Updated on September 3, 2017

As we started writing more about DNS, our readers started asking more queries. One of our regular reader Mr. Fedrick sent us query as below

I know the IP address of DNS server running on our office network, but is it possible to get more information about it? Such as the software used to run the DNS server, its version etc...? I'm using Linux- Fedrick

Answer:

Yes! You can send a query to DNS server and ask for its software name and version. To do that, run the below command on your terminal.

DNS Basics

The format goes like this…

$ dig @<dns_server_ip_address> version.bind chaos txt

For example,

dig @10.180.8.115 version.bind chaos txt

Sample output:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.180.8.115 version.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37376
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 2 msec
;; SERVER: 10.180.8.115#53(10.180.8.115)
;; WHEN: Fri Oct 18 16:20:20 2013
;; MSG SIZE rcvd: 95

In the output, checkout for the line,

;; ANSWER SECTION:
version.bind. 0 CH TXT "9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6"

Similar results from other DNS servers might look as below,

;; ANSWER SECTION:
version.bind.           1896586030 IN   TXT     "Microsoft DNS 6.1.7100 (1DB1)"

Or

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "dnsmasq-1.6"

How does the clients able to get DNS version information?

Most of the DNS servers are configured with version information DNS TXT records in CHAOS class for version.bind label.

Why I don’t get DNS version information using the above command?

As I told earlier, most of the DNS servers are configured with version information DNS TXT records and few others hide such details for security reason. Actually, every DNS server should hide version information to keep attackers away. Checkout this tutorial to learn how to hide DNS version information from resolvers.

Any other commands available other than dig?

Yes! There are plenty of tools exist for DNS fingerprinting. For example, fpdns is a popular DNS fingerprinting tool.

You might also want to read: Should you enable Recursion on your DNS? It’s vulnerable!

Was this article helpful?

Related Articles

Leave a Comment