Fingerprinting DNS servers authoritative for the top 1 million domains
Frederic Cambus November 27, 2014 [DNS]As an experiment, I've been using fpdns (version 0.10.0 on FreeBSD/amd64) to fingerprint DNS servers authoritative for the top 1 million domains (according to Alexa).
At first, I had plans to use adnshost to resolve name servers first and then feed the resolved list to fpdns, in order to speed up things and avoid fingerprinting the same host several times. Unfortunately, it seems adnshost doesn't work that well on large batches and I experienced numerous timeouts and crashes.
Extracting a list of domains from the CSV file
wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
unzip top-1m.csv.zip
cut -d "," -f 2 top-1m.csv > domains.txt
As the fingerprinting process will require resolving name servers for each domain in the list, I will be using a local Unbound instance in order to avoid hitting my ISP name servers too aggressively.
Configuring the system to use Unbound as local resolver
After adding our local resolver to resolv.conf:
echo "nameserver 127.0.0.1" > /etc/resolv.conf
We can verify that we are indeed using our Unbound instance:
dig version.bind CH txt +short
"unbound 1.4.22"
Fingerprinting using fpdns
Here is a list of fpdns options we will be using:
-D (check all authoritative servers for Domain)
-F nchild (maximum forked processes) [10]
Starting fpdns with 128 child processes:
fpdns -D -F 128 - < domains.txt > fingerprints.txt
Processing output and aggregating results
First, we aggregate results by IP addresses in order to avoid counting results several times (a name server can be authoritative for several different domains):
cut -d ',' -f 2 < fingerprints.txt | sort | uniq > results.txt
We then aggregate by software and count occurrences:
awk -F'[)][:] ' '{print $2}' < results.txt | sort | uniq -c
I used awk here instead of cut as the latest doesn't allow using more than one character as a delimiter.
Here are the results:
6 sheerdns [Old Rules]
2 3Com Office Connect Remote [Old Rules]
57 DJ Bernstein TinyDNS 1.04 [Old Rules]
5199 DJ Bernstein TinyDNS 1.05 [Old Rules]
13 Dan Kaminsky nomde DNS tunnel [Old Rules]
3 Fasthosts Envisage DNS server [Old Rules]
2 Meilof Veeningen Posadis [Old Rules]
2 Men & Mice QuickDNS for MacOS Classic [Old Rules]
4 Michael Tokarev rbldnsd [Old Rules]
29 Microsoft ? [Old Rules]
387 Microsoft Windows DNS 2000 [New Rules]
50 Microsoft Windows DNS 2000 [Old Rules]
88 Microsoft Windows DNS 2003 R2 [New Rules]
6373 Microsoft Windows DNS 2003 [New Rules]
87 Microsoft Windows DNS 2003 [Old Rules]
1278 Microsoft Windows DNS 2008 R2 [New Rules]
25 Microsoft Windows DNS 2008 [New Rules]
2 Microsoft Windows DNS NT4 [Old Rules]
12 NLnetLabs NSD 1.0 alpha [Old Rules]
12046 NLnetLabs NSD 3.1.0 -- 3.2.8 [New Rules]
6 NLnetLabs Unbound 1.4.10 -- 1.4.12 [New Rules]
220751 No match found
25 Simon Kelley dnsmasq [Old Rules]
18 Sourceforge JDNSS [Old Rules]
1 TZO Tzolkin DNS [Old Rules]
4863 Unlogic Eagle DNS 1.0 -- 1.0.1 [New Rules]
88 Unlogic Eagle DNS 1.1.1 [New Rules]
18 ValidStream ValidDNS [Old Rules]
1 WinGate Wingate DNS [Old Rules]
1 XBILL jnamed (dnsjava) [Old Rules]
40 Yutaka Sato DeleGate DNS [Old Rules]
13 javaprofessionals javadns/jdns [Old Rules]
As often with these kind of experiments, results aren't really exploitable to produce reliable statistics: apparently, it seems that BIND has totally disappeared from the Internet ;)
However, I believe the process is still useful and demonstrates how easy it can be to quickly produce DNS surveys using simple UNIX tools.