The purpose of this survey, commissioned by Infoblox, is to estimate the number of nameservers on the Internet and which software they are running. To answer these questions we sampled a subset of the IPv4 address space.
Since we don't want to probe addresses that are not in use, we began with a snapshot of the global routing table taken from the Route Views project. Enumerating the advertized address space (and eliminating addresses that end with .0 and .255) results in 1,392,380,768 addresses. Next we randomly selected 5% of these for our survey, leaving us with 69,630,547 addresses to probe.
We sent a simple DNS query to each probe address. The query asks for the IPv4 address of a.root-servers.net. A response indicates that there is a DNS server listening on the probe address. We did not implement timeouts and retransmission, and our query has the Recursion Desired bit cleared. Queries and responses were logged with tcpdump. The following table shows how many queries were actually sent out:
|Addresses in probe list||69,630,547||100%|
|Queries sent out||69,223,535||99.4%|
|"no route to host" errors||324,930||0.5%|
|Queries unaccounted for||82,082||0.1%|
The following table shows the number of replies received:
|Addresses sending replies||377,117||94.4%|
Note that some replies were repeated even though we sent only one query. In one case we received 311 replies from a single address, all within 300 milliseconds. We beleive such may be hosts set up as DoS "amplifiers." A single query with a forged source address results in hundreds of reply packets sent to a victim.
Based on these numbers we can estimate that there about 7,500,000 nameservers running on the Internet.
For each address that sent a reply, we attempted to determine its software and version with two techniques. The first is to send a version.bind query to the address. The second is to use the fpdns tool to fingerprint the server.
The version.bind technique is simple because it is a single query/response. A BIND nameserver answers the query honestly unless the administrator has configured it to return a specific answer. Many people feel safer by obscuring the nameserver version string. Here are some of the interesting answers we received:
0x72 0x6d 0x20 0x2d 0x72 0x66 0x20 0x2f 310, btw we will consider finger print attempts malicious attempts
Secured !!! Please go away idiot lamer! ] A good version A secure version BIND_or_not_BIND Bind. James Bind. 007's the name Do you really need to know this. If so please call me looking it up here is rude Don't get too excited -- it's only a daemon Function Prohibited Beeioch! G0-AWAY-EVIL-HAX0RZ Go away hacker!!! You don't need that info. I wrote this message because I need a life. Can you guess why you found it? My version is so secret that I even don't know what I'm running on No chaos for you! Security trought obscurity? No shared this version. Shrek DNS Server. Mean Green Naming Machine This BIND is Non Version
Since the version.bind answer cannot always be trusted, we also use fpdns to try to determine the software version. fpdns sends a number of different queries to a nameserver and uses known quirks and behavior to deduce the version. One downside is that fpdns can not always give specific answers. For example, it might say the software is "BIND 8.3.0-RC1 -- 8.4.4"
We give the fpdns result priority over version.bind if both return an answer. Otherwise, we assume the version.bind answer is correct if it looks like a version string. The following table shows the breakdown of common software and versions based on our analysis. You can also see the full table with all software versions found.
|Microsoft Windows 2000||16,362||6.44%|
|Microsoft Windows 2003||9013||3.55%|
|Microsoft Windows NT4||1407||0.55%|
Note that the above percentages include only those nameservers for which we could determine a version. In fact we could not determine the version for alomst 33% of the nameservers that we found.
© 2020 The Measurement Factory.