

gregbo - 8:15 pm on Apr 19, 2006 (gmt 0)


I have a question--how do those of us, who know nothing about administering servers, determine if our clients, that are on OPEN DNS Servers, need to move to a new host when the host claims they don't have a problem? Is there a test we can perform somewhere to determine if they are on a vulnerable BIND4 or 8?

The best test would be to send traffic to the DNS servers in question testing for the vulnerability, but that might be considered antisocial. A simple test to see if a DNS server is running a particular version is to send a "version.bind" request to it. When using dig, it looks like this:

% dig @a.b.c.d version.bind ch txt

; <<>> DiG 9.3.1 <<>> @a.b.c.d version.bind ch txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 682
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "8.3.3-REL-NOESW"

;; Query time: 220 msec
;; SERVER: a.b.c.d#53(a.b.c.d)
;; WHEN: Wed Apr 19 20:08:04 2006
;; MSG SIZE rcvd: 70

Note that some DNS servers don't provide this information for security purposes.
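
The version.bind lookup from the post above, done at the wire level, as an added example that is not part of the original thread: it builds the CH TXT query, parses the reply, and flags a reported major version of 4 or 8. The function names are made up for this sketch, and SAMPLE is a constructed 70-byte message mirroring the dig output shown above.

```python
import struct

CH, TXT = 3, 16  # CHAOS class and TXT type, as in "version.bind ch txt"

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, name="version.bind"):
    """One-question query with RD set, which is what dig sends by default."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", TXT, CH))

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_version(msg):
    """First CH TXT string in the answer section, or None if refused/hidden."""
    try:
        _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if flags & 0x000F or an == 0:    # non-zero RCODE or empty answer
            return None
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TXT and rclass == CH and rdlen > 0:
                return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
            off += rdlen
    except (IndexError, struct.error):   # truncated or malformed message
        return None
    return None

def is_bind_4_or_8(version):
    """True when the reported string starts with major version 4 or 8."""
    return version is not None and version.split(".")[0] in ("4", "8")

# Constructed sample: same id, flags and answer as the dig output above.
SAMPLE = (struct.pack("!HHHHHH", 682, 0x8500, 1, 1, 0, 0)
          + encode_name("version.bind") + struct.pack("!HH", TXT, CH)
          + encode_name("version.bind") + struct.pack("!HHIH", TXT, CH, 0, 16)
          + bytes([15]) + b"8.3.3-REL-NOESW")
```

The reported string is whatever the server's operator configured it to return, so a 4.x or 8.x answer is a reason to ask the host for an upgrade plan, and a None or 9.x answer is not proof of anything.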


Thread source: http://www.webmasterworld.com/ppc/1313.htm