How To Hide Your BIND Version

Posted on in Software

By default, a BIND DNS server will report which version it is running to anyone that's interested. All it takes is a simple lookup of the version.bind text record in the chaos class of your server. Check this out:

Skadi:~ slap$ dig version.bind txt chaos @localhost

; <<>> DiG 9.3.2 <<>> version.bind txt chaos @localhost
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11150
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.3.2"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 38 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 29 11:41:32 2007
;; MSG SIZE  rcvd: 62

As you can see in the Answer Section, the version of BIND I am running on my local machine is 9.3.2. Would-be attackers can use this information to target their attacks to the specific version of BIND I am running. Although we can't stop the would-be attackers from targeting our name server, we can at least hide the version of BIND we are running and force the attacker to try every trick in the book.

The first thing we need to do is add "version "<HIDDEN>";" to the options{}; portion of our named.conf configuration file. The text between the angle brackets (\< >) can be whatever you like. I chose "HIDDEN", but "BUZZ OFF!" works fine, too. Here's what my options{}; section looks like after the change.

options {
  directory "/var/named";
  version   "<HIDDEN>";
};

After saving the configuration, reload it with `rndc reconfig` and test it again. Here's my new output after making the change.

Skadi:~ slap$ dig version.bind txt chaos @localhost

; <<>> DiG 9.3.2 <<>> version.bind txt chaos @localhost
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21068
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "<HIDDEN>"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 29 11:56:50 2007
;; MSG SIZE  rcvd: 65

As you can see, the version of BIND I'm running is now "\<HIDDEN>" from view!

Related Reading:

</li>

answer_section bind_dns_server chaos flags global_options localhost msec ns_version opcode qr query_status query_time question_section servers server_check skadi

My Bookshelf

Reading Now

Other Stuff