No subject


Tue Apr 2 00:56:56 UTC 2013


non-scientific survey of the version.bind string returned
from DNS servers for approximately 500 unscientifically
selected forward domains.

This was approximately a working week after the TSIG
security issue.

At the time I estimated that:

35% of all "DNS servers surveyed" had been patched in one
week.
That a similar proportion were identifiable as vulnerable
from their version string alone (To the TSIG or earlier BIND
vulnerabilities).

I've since realised that I was too optimistic as all
pre-release versions of 8.2.3 were vulnerable AFAIK, so I'd
overestimated the fix rate.

I never finished writing this survey up, but I recall the 80
blanks were further divided by structure. And without doing
a quick recount, I'm pretty sure that BIND clearly has over
70% of the DNS servers, and probably a substantial
proportion of those not answering or sending a spoofed
answer. If pushed I'd say BIND code base DNS servers
probably have over 85%, but that is based on some guessing
and speculation.


Without finishing the report I did come to some conclusions:

BIND 9 hasn't obtained much "market" share.

I was a little surprised not to see more variety. I'd
expected to see more commercial DNS management tools, but
only MetaIP jumps out of the list.

Some important sites run very stale versions of BIND (Not
that I didn't know this before). More administrators patched
BIND than I'd expected (At this point BIND servers weren't
keeling over left and right, like they were two weeks
later).

The study compared "sex sites" to the Keynote Business to
Consumer 40. Without formal statistical tests conclusions
are hard to draw, but the "sex sites" seemed to manage their
DNS servers just as well as the Keynote 40 sites.

When selecting spoofed version strings people show very
little imagination or thought. I personally feel that BIND
shouldn't advertise its version, but then I feel neither
should MTAs, MUAs, Web Servers, Web Browsers, FTP servers
etc. etc. One of the advantages of open protocols is that
what matters is the ability to talk the protocol, and that
implementation detail can (and should) be hidden, even if it
makes surveys harder. My recommendation is, if you must
answer a query for "version.bind", then at least give a 24
hour support desk telephone number; e-mail addresses are in
SOA records, and when you have a DNS problem e-mail isn't
always the best tool!

Frequency - String
 80 -
  1 - 10.6.3
  3 - 4.9.6-REL
  1 - 4.9.7
  4 - 4.9.7-REL
  5 - 4.9.7-T1B
  1 - 4.9.8-REL
  1 - 8.1.1.qselect
 30 - 8.1.2
  1 - 8.1.2-T3B
  2 - 8.2.1
  3 - 8.2.2-P3
 65 - 8.2.2-P5
 13 - 8.2.2-P5-NOESW
 17 - 8.2.2-P7
130 - 8.2.3-REL
 10 - 8.2.3-REL-NOESW
  1 - 8.2.3-T4B
  6 - 8.2.3-T5B
  7 - 8.2.3-T6B
  2 - 9.0.0
 10 - 9.1.0
  6 - BIND 8.1.2
  2 - Contact Hostmaster at cw.net
  1 - DNS Pro version 5.7 by FBL Inc.
  4 - FOO beta 0.009
  1 - FOO beta 0.31337
  1 - hello
  2 - LOCAL-000417.114741
  1 - LOCAL-010105.01/05/01M29
  2 - Meta IP/DNS V4.1 - BIND V8.2.2-P6 (Build 4855)
  2 - named 4.9.5-P1 Thu Feb  6 02:19:04 CST 1997\010\009root at darkstar:/tmp/bind-4.9.5-P1/named
  6 - named 4.9.5-Rel+-Monday-11-November-96\010\009GregSchueman-LarryKahn-VirajBais
  3 - named 4.9.6-Rel-Tuesday-24-June-97\010\009GregSchueman-LarryKahn-VirajBais-LeonMcCalla
  4 - Not available
  1 - [not implemented]
  2 - SIN
  2 - Sorry, not today.
  2 - surely you must be joking
  1 - VRSN1

Can anyone shed some light on:
FOO beta 0.xxx
LOCAL-xxxx
VRSN1
10.6.3

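The recommendation in the post (answer version.bind with a support contact rather than a release number) maps onto the `version` statement in the `options` block of named.conf. This fragment is an added example, not from the post; the contact details are placeholders.

```conf
options {
    // Replace the release number in the CH TXT version.bind answer with a
    // contact (placeholder address and number); "version none;" would
    // instead refuse the query entirely.
    version "Contact hostmaster@example.com / +1-555-0100 (24h)";
};
```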
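The tally above was done by hand. As an added illustration (not code from the post or from ISC), here is a small Python script that reads a table in the post's "Frequency - String" layout, separates BIND release numbers from blanks and spoofed or vendor strings, and applies the author's own criterion that anything before 8.2.3-REL (the 8.2.3 T-builds included) is identifiable as unpatched from the string alone. The sample input is a constructed subset of the post's table; the classification of BIND 9 as "outside the rule" is an assumption, since the post's fix-rate estimate only concerns the 4.x and 8.x lines.

```python
import re
from collections import Counter

# Constructed sample: a subset of the frequency table in the post above.
# Raw string so the "\010\009" escapes (newline/tab inside the original
# version.bind answers) stay literal instead of becoming Python escapes.
SAMPLE_TABLE = r"""
 80 -
 30 - 8.1.2
 65 - 8.2.2-P5
 17 - 8.2.2-P7
130 - 8.2.3-REL
  7 - 8.2.3-T6B
 10 - 9.1.0
  6 - BIND 8.1.2
  2 - Meta IP/DNS V4.1 - BIND V8.2.2-P6 (Build 4855)
  6 - named 4.9.5-Rel+-Monday-11-November-96\010\009GregSchueman-LarryKahn-VirajBais
  1 - 10.6.3
  4 - FOO beta 0.009
  2 - Sorry, not today.
"""

ROW_RE = re.compile(r"^\s*(\d+) - ?(.*)$")
# A BIND release number: major 4, 8 or 9, not preceded by a digit or a dot
# (so "10.6.3" and "V4.1" do not match), with optional -P5 / -REL / -T6B /
# .qselect style suffixes.
BIND_RE = re.compile(r"(?<![\d.])([489])\.(\d+)\.(\d+)((?:[-.][A-Za-z0-9]+)*)")


def parse_table(text):
    """Return [(count, string), ...]; a blank string is an empty answer."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).strip()))
    return rows


def bind_version(s):
    """(major, minor, patch, suffix) if s carries a BIND release number, else None.
    Vendor strings such as Meta IP still count, as the post's 85% guess does."""
    m = BIND_RE.search(s)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def pre_fix(ver):
    """The post's criterion: every 4.x, every 8.x before 8.2.3, and the
    8.2.3 pre-releases (no -REL suffix) are identifiable as unpatched.
    BIND 9 is not judged by this rule (assumption)."""
    major, minor, patch, suffix = ver
    if major == 4:
        return True
    if major == 8:
        if (minor, patch) < (2, 3):
            return True
        if (minor, patch) == (2, 3) and not suffix.startswith("-REL"):
            return True
    return False


def summarize(text):
    """Tally servers by what their version.bind string lets you conclude."""
    tally = Counter()
    for count, s in parse_table(text):
        if not s:
            tally["blank"] += count
            continue
        ver = bind_version(s)
        if ver is None:
            tally["other"] += count          # spoofed, vendor-only, or unknown
        elif ver[0] == 9:
            tally["bind9"] += count
        elif pre_fix(ver):
            tally["bind_pre_fix"] += count
        else:
            tally["bind_fixed"] += count
    tally["bind_total"] = tally["bind9"] + tally["bind_pre_fix"] + tally["bind_fixed"]
    tally["total"] = tally["blank"] + tally["other"] + tally["bind_total"]
    return dict(tally)


def bind_share(summary):
    """Fraction of all answering servers that identify as BIND code base."""
    return summary["bind_total"] / summary["total"]


if __name__ == "__main__":
    result = summarize(SAMPLE_TABLE)
    for key in ("total", "blank", "other", "bind_total", "bind_pre_fix", "bind_fixed", "bind9"):
        print(f"{key:13s} {result[key]:4d}")
    print(f"BIND share    {bind_share(result):.1%}")
```

Because the rule is a plain version comparison, the same script can be pointed at a current inventory export of your own resolvers to see how many still announce a release number at all, which is the reason the post gives for hiding it.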
