How does one banner grab DNS? I'm able to banner grab other services such as HTTP/FTP/SMTP but for DNS it's not immediately obvious.
Typically for HTTP I use nc with HEAD / HTTP/1.1 {ENTER}{ENTER}.
I had assumed that it'd be possible with DNS if you know the initial structure of the query, but I can't seem to find documentation on this.
DNS does not have a "banner" to grab. The closest equivalent is a magic query for version.bind. CHAOS TXT which will work on most BIND nameservers.
You can perform this query using dig:
dig version.bind CHAOS TXT
If that does not work you can use fingerprinting techniques to determine the remote server's version -- the fpdns tool is one option for that, but there are others.
