
Symptom:

When sending a query to a BIND name server, asking for the domain name “version.bind” as a TXT record in the CHaos class, the BIND name server by default will return a DNS answer containing its real version number. 

Problem:

Can this version number be hidden?

$ dig @192.0.2.10 ch txt version.bind
; <<>> DiG 9.6.0-APPLE-P2 <<>> @strotmann.de ch txt version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55931
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "9.7.0-P2"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 42 msec
;; SERVER: 192.0.2.10#53(192.0.2.10)
;; WHEN: Mon May 31 18:40:48 2010
;; MSG SIZE rcvd: 57

This information might be used by attackers to get information on open security issues for this version of BIND.

Solution

Quick Solution:

Enter a “version” statement in your BIND configuration file. Men & Mice Suite users add the statement in the file /var/named/conf/options (or its equivalent - the /var/named part of the path might be different):

options {
    [....]
    version "your guess";
    [....]
};

More Complete Solution (BIND 9 only):

Create a dedicated view for the CHaos class, with a zone “version.bind”, and provide your own “TXT” record in this zone, as described in the Secure BIND Template by Rob Thomas.

With this solution, you will be able to track in your logfiles who is querying for the version of your nameserver:

Example:

// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.

view "external-chaos" chaos {
    match-clients { any; };
    recursion no;

    zone "." {
        type hint;
        file "/dev/null";
    };

    zone "bind" {
        type master;
        file "master/bind.zone";

        // "trusted" is an ACL for your internal hosts; it must be
        // defined elsewhere in named.conf (acl "trusted" { ...; };).
        // Clients outside this ACL get REFUSED for version.bind.
        allow-query { trusted; };
        allow-transfer { none; };
    };
};
The “bind.zone” zone file for the BIND zone to log query attempts and change the returned strings for “version.bind” and “authors.bind”:

$TTL 1D
$ORIGIN bind.
@ CHAOS SOA localhost. root.localhost. (
                   2007052501 ; serial
                   1d         ; refresh
                   2h         ; retry
                   7W         ; expiry
                   2H )       ; negative TTL
@ CHAOS NS localhost.
version.bind. CHAOS TXT "please guess"
authors.bind. CHAOS TXT "are nice guys"

Note that it may be reasonable to provide correct answers to internal users. The examples above, taken together, will show bogus information to internal users and no information at all to external users.

Note also that there are other *.bind TXT records that you may want to define, such as hostname.bind.

These changes are also possible when using the Men & Mice Suite; however, they should be done with full understanding of the structure of BIND configuration files. See the article Setting Up Views For Use With Men & Mice Suite.
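To confirm the change took effect from a client's point of view, here is an added check script (example code written for this page, not part of the original article or of the Men & Mice Suite). It builds a raw CHAOS-class TXT query for version.bind, parses the reply, and reports whether a returned string still looks like a real BIND version; the server address passed to check_server and the version pattern are assumptions.

```python
import re
import socket
import struct

CH_CLASS, TXT_TYPE = 3, 16   # DNS class CH (CHAOS), record type TXT

def encode_name(name):  # dotted name -> wire format, no compression
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_chaos_txt_query(name, txid=0x1234):
    # Header with RD clear (version.bind needs no recursion), one CH TXT question
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT_TYPE, CH_CLASS)

def _skip_name(msg, off):  # offset just past a wire name; a pointer ends the name
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answers(msg):
    """Return (rcode, [TXT strings]) from a DNS response; ignores non-CH-TXT RRs."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip echoed question(s)
        off = _skip_name(msg, off) + 4
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TXT_TYPE, CH_CLASS):
            p = 0
            while p < len(rdata):              # TXT rdata: <len><chars> repeated
                texts.append(rdata[p + 1:p + 1 + rdata[p]].decode("ascii", "replace"))
                p += 1 + rdata[p]
    return flags & 0xF, texts

def looks_like_version(text):  # real BIND versions look like "9.7.0-P2" (assumed pattern)
    return re.match(r"\d+\.\d+\.\d+", text) is not None

def check_server(server, name="version.bind", timeout=2.0):
    """Query the server over UDP; leaked=True if a TXT string still looks like a version."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    rcode, texts = parse_txt_answers(data)
    return rcode, texts, any(looks_like_version(t) for t in texts)
```

After the view-based change, an external client should get rcode 5 (REFUSED) with no TXT strings, while a host in the "trusted" ACL gets your substitute text; the same call with name="authors.bind" or "hostname.bind" checks the other records.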

Note:

Hiding your name server’s version number this way does not increase security by much. Attackers can still get the approximate version of your name server by using DNS fingerprinting tools like fpdns.