DNS: How to find out which software a remote DNS server is running

Situation

I know the IP address of a DNS server running in the same network on a machine which I can't maintain.

Question

How can find out more about which software that DNS server uses?

Thanks for your help - if anythings unclear, please leave a comment.

Solution 1:

Many DNS servers are pre-configured with version information in DNS TXT records for the version.bind label in the CHAOS class. If this is the case with yours as well, you could retreive it by running

dig @dns.name.server version.bind chaos txt

Typical answers might include

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.8.1-P1"

or

;; ANSWER SECTION:
version.bind.           1476526080 IN   TXT     "Microsoft DNS 6.1.7600 (1DB04228)"

or

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "dnsmasq-2.47"

Apart from this, tools for DNS fingerprinting exist, fpdns probably being the most advanced one.

Solution 2:

The DNS protocols don't have a discovery mechanism built into them like some other protocols do.

This leaves you with indirect methods, such as port-scanning and shoulder surfing, the use of which is not that advisable. If you need to know, working at the human layer is probably the most effective way to get the answer you want without being perceived as an attacker.