
The Shodan search tool, for some DNS servers, shows a Resolver name value for what it finds on UDP port 53. For example, 80.82.117.140 shows Resolver name: server402.xenserve.com and 103.81.27.118 reports Resolver name: smartway-h7.

I have searched the web as well as the man pages for dig and nslookup, as well as searching the output of dig @ip_of_dns_server, but I cannot figure out how to retrieve the resolver name for a DNS server.

How can I query the resolver name myself using Linux command-line tools?

bitinerant
  • PTR record on the IP shows `ns1.402.xenserve.com.` as name. But how is this useful in any way? When clients configure DNS servers they obviously put their IP, not their names, otherwise there is a circular loop. – Patrick Mevzek Jan 04 '23 at 21:12
  • Thank you. However, this doesn't explain where Shodan gets `server402.xenserve.com`. I'm trying to figure out how to configure and verify the resolver name in BIND9 for my own server, since--useful or not--it is apparently publicly visible. – bitinerant Jan 05 '23 at 12:07
  • `server402.xenserve.com` does also resolve to same IP, so if someone maintains a database of forward queries results, after some time to learn data, a reverse can be found by just poking in it. Or the `PTR` record changed "recently". – Patrick Mevzek Jan 05 '23 at 13:29
  • I added an example above where the resolver name is not even a valid domain. – bitinerant Jan 05 '23 at 16:30
  • `dig -x 103.81.27.118` returns NXDOMAIN from APnic, so whatever name you get comes from "elsewhere" and not the DNS (but there is also no guarantee that a PTR record follows guidelines for a name, nor that that name does in fact resolve, and resolve to the original IP address; for most uses `PTR` records are useless today). – Patrick Mevzek Jan 05 '23 at 17:43

1 Answer


I finally found it. It is part of the Chaos (CH) class DNS record. For the examples given above, these queries return the information I was looking for:

```
dig @80.82.117.140 hostname.bind TXT CHAOS +short
dig @103.81.27.118 hostname.bind TXT CHAOS +short
```

These commands display "server402.xenserve.com" and "smartway-h7" respectively, the exact values that Shodan displays as "Resolver name". This is normally the hostname of the DNS server.

See also:

bitinerant
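To check what your own server discloses, here is the same `hostname.bind TXT CHAOS` query built and parsed at the wire level. This is an added example, not part of the original answer. The function names and the `127.0.0.1` default are assumptions, and it goes slightly beyond the answer by also asking for `version.bind` and `id.server`, which BIND answers in the same class.

```python
import random, socket, struct
TYPE_TXT, CLASS_CH = 16, 3
CHAOS_NAMES = ("hostname.bind", "version.bind", "id.server")  # first is this page's

def build_query(name, txid):
    """Encode '<name> TXT CH' as a DNS query (RD clear, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past an encoded, possibly compressed, name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_txt(msg):
    """Return the TXT strings in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, end = off + 10, off + 10 + rdlen
        while rtype == TYPE_TXT and off < end:   # RDATA = length-prefixed strings
            n = msg[off]
            strings.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        off = end
    return strings

def audit(server="127.0.0.1", timeout=2.0):  # assumed: your own server on localhost
    """Map each CHAOS name to what `server` discloses (None = no usable reply)."""
    found = {}
    for name in CHAOS_NAMES:
        query = build_query(name, random.randrange(65536))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(query, (server, 53))
                reply = s.recv(4096)
                found[name] = parse_txt(reply) if reply[:2] == query[:2] else None
            except (OSError, struct.error, IndexError):
                found[name] = None
    return found
```

In BIND 9 the `hostname` statement in the `options` block sets the string returned for `hostname.bind`, and `hostname none;` disables the reply; `version` and `server-id` work the same way for the other two names.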