
DNS SURVEY: APRIL 2005

The purpose of this survey, commissioned by Infoblox, is to estimate the number of nameservers on the Internet and which software they are running. To answer these questions we sampled a subset of the IPv4 address space.

Since we don't want to probe addresses that are not in use, we began with a snapshot of the global routing table taken from the Route Views project. Enumerating the advertised address space (and eliminating addresses that end with .0 and .255) results in 1,392,380,768 addresses. Next we randomly selected 5% of these for our survey, leaving us with 69,630,547 addresses to probe.

Queries

We sent a simple DNS query to each probe address. The query asks for the IPv4 address of a.root-servers.net. A response indicates that there is a DNS server listening on the probe address. We did not implement timeouts and retransmission, and our query has the Recursion Desired bit cleared. Queries and responses were logged with tcpdump. The following table shows how many queries were actually sent out:

Addresses in probe list       69,630,547   100%
Queries sent out              69,223,535   99.4%
"no route to host" errors        324,930   0.5%
Queries unaccounted for           82,082   0.1%

Replies

The following table shows the number of replies received:

Replies received              399,591   100%
Addresses sending replies     377,117   94.4%
Repeated replies               22,474   5.6%

Note that some replies were repeated even though we sent only one query. In one case we received 311 replies from a single address, all within 300 milliseconds. We believe such hosts may be set up as DoS "amplifiers": a single query with a forged source address results in hundreds of reply packets sent to a victim.

Based on these numbers we can estimate that there are about 7,500,000 nameservers running on the Internet.

Software Versions

For each address that sent a reply, we attempted to determine its software and version with two techniques. The first is to send a version.bind query to the address. The second is to use the fpdns tool to fingerprint the server.

The version.bind technique is simple because it is a single query/response. A BIND nameserver answers the query honestly unless the administrator has configured it to return a specific answer. Many people feel safer by obscuring the nameserver version string. Here are some of the interesting answers we received:

0x72 0x6d 0x20 0x2d 0x72 0x66 0x20 0x2f
310, btw we will consider finger print attempts malicious attempts
Secured !!! Please go away idiot lamer! ]
A good version
A secure version
BIND_or_not_BIND
Bind. James Bind. 007's the name
Do you really need to know this. If so please call me looking it up here is rude
Don't get too excited -- it's only a daemon
Function Prohibited Beeioch!
G0-AWAY-EVIL-HAX0RZ
Go away hacker!!!  You don't need that info.
I wrote this message because I need a life.  Can you guess why you found it?
My version is so secret that I even don't know what I'm running on
No chaos for you!
Security trought obscurity? No shared this version.
Shrek DNS Server.  Mean Green Naming Machine
This BIND is Non Version
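
The two queries this survey describes, shown at the wire level as an added example (not code from the survey; the transaction IDs and the sample_reply helper are constructed for illustration). It builds the a.root-servers.net probe with Recursion Desired cleared and the CHAOS-class TXT query for version.bind, then extracts the TXT string from a reply, which is how an operator can check what their own server discloses.

```python
import struct

QTYPE_A, QTYPE_TXT = 1, 16      # record types
QCLASS_IN, QCLASS_CH = 1, 3     # Internet and CHAOS classes

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, qclass, txid, rd=False):
    """One-question query; rd=False leaves Recursion Desired cleared."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] & 0xC0 != 0xC0:     # a compression pointer ends the name
        if msg[off] == 0:              # root label ends the name
            return off + 1
        off += 1 + msg[off]
    return off + 2

def parse_txt_answers(msg):
    """Return (is_response, rcode, [TXT strings in the answer section])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == QTYPE_TXT and i < len(rdata):   # <len><bytes> strings
            texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return bool(flags & 0x8000), flags & 0x000F, texts

def sample_reply(query, text):
    """Constructed reply for the demo: QR+AA set, one CH TXT answer."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0) + query[12:] + rr

PROBE = build_query("a.root-servers.net", QTYPE_A, QCLASS_IN, txid=0x1234)
VERSION = build_query("version.bind", QTYPE_TXT, QCLASS_CH, txid=0x1235)
```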

Since the version.bind answer cannot always be trusted, we also use fpdns to try to determine the software version. fpdns sends a number of different queries to a nameserver and uses known quirks and behavior to deduce the version. One downside is that fpdns cannot always give specific answers. For example, it might say the software is "BIND 8.3.0-RC1 -- 8.4.4".

We give the fpdns result priority over version.bind if both return an answer. Otherwise, we assume the version.bind answer is correct if it looks like a version string. The following table shows the breakdown of common software and versions based on our analysis. You can also see the full table with all software versions found.

BIND 9                     145,091   57.13%
unknown                    123,161   -
BIND 8                      51,033   20.10%
Nominum CNS                 18,995   7.48%
Microsoft Windows 2000      16,362   6.44%
Microsoft Windows 2003        9013   3.55%
BIND 4                        2400   0.95%
Cisco CNR                     2130   0.84%
Microsoft Windows NT4         1407   0.55%
Other                         7525   2.96%

Note that the above percentages include only those nameservers for which we could determine a version. In fact we could not determine the version for almost 33% of the nameservers that we found.


© 2020 The Measurement Factory.