OK, I got curious. I'm trying to figure out what software the 13 root DNS servers run. With this little shell script:
for i in a b c d e f g h i j k l m; do echo $i.root-servers.net; dig +short -c chaos -t txt version.bind @$i.ROOT-SERVERS.NET. | grep -v "^;;" | grep -v "^$" | grep -v ";vers"; done
One can compile this list:
a.root-servers.net "VGRS2" b.root-servers.net "8.2.5-REL" c.root-servers.net "8.3.3-REL" d.root-servers.net "8.3.1-REL" e.root-servers.net "8.3.3-REL" f.root-servers.net "9.2.2rc1" g.root-servers.net h.root-servers.net "8.3.4-REL" / "9.2.2" (try a couple of runs of the script) i.root-servers.net "8.2.3-REL" j.root-servers.net "VGRS2" k.root-servers.net l.root-servers.net "BIND-8.3.1-MA-PATCH-JMB-01" m.root-servers.net "8.3.4-REL"
Given that we know that K switched to NSD, we can ask it:
dig +short -c chaos -t txt version.server @k.root-servers.netand see:
"NSD-1.0.2"That leaves us with one mysterious server, G.
A and J are the Verisign servers, and according to this article they may actually be running the proprietary ATLAS software Verisign developed (why is beyond me given djbdns exists, but hey they are a Big Corporation TM). However, I'm not convinced they actually are.
I used the (crude) dns fingerprinting tool available at darklab.org to look at the size of the packet returned after a query for 127.0.0.1 and 'localhost'. This is what I saw:
A VGRS2 104 102 B 8.2.5 -> 111 102 C 8.3.3 104 102 D 8.3.1 104 102 E 8.3.3 104 102 F 9.2.2rc1 104 102 G ????? 104 102 H 8.3.4 104 102 H 9.2.2 104 102 I 8.2.3 104 102 J VGRS2 -> 256 102 K NSD-1.0.2 104 102 L 8.3.1-MA-PATCH-JMB-01 104 102 M 8.3.4 104 102Using ethereal to capture the responses, I looked at the result for the query about 127.0.0.1 only (since all the 'localhost' response have the same size, and the couple I checked said NXDOMAIN). Here is what I found:
- All servers except B respond with NXDOMAIN, and point to A as authoritative.
- B kindly tells us that 127.0.0.1 is LOCALHOST, which explains the slightly larger packet it returns. (Dig confirms this with dig @b.root-servers.net PTR 1.0.0.127.in-addr.arpa)
- J also responds with NXDOMAIN, but returns all root servers except itself as list of authoritative nameservers (!)
- K returns the authoritative information entirely in lowercase, all other servers respond entirely in uppercase. Potentially a way to distinguish NSD from BIND?
Given all this, my suspicion is that A and G are running BIND 8.x or 9.x. J, however, puzzles me. Maybe it is running that proprietary Verisign software. Maybe just some version of BIND. I guess I need better tools/more time to figure that out.
That is as far as I got. Any insights welcome :) And if you have pointers to better DNS fingerprinting software, I'd be grateful.