Skip to main content

Raymii.org Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Hide or determine BIND version number

Published: 08-05-2013 | Author: Remy van Elst | Text only version of this article


Table of Contents


The BIND nameserver (and many others) return their version number when queried aspecial DNS query. This gives exposure and that is most of the time a bad thing.This tutorial shows you how to query DNS servers for their version and how tostop/change your own BIND server version exposure.

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)

Chaos Query

The following DIG and NSLOOKUP queries will show the version of BIND:

A home router queried with DIG:

dig @192.168.1.1 version.bind txt chaos;; ANSWER SECTION:version.bind.       0   CH  TXT "dnsmasq-2.47"

A Microsoft DNS server queried with nslookup:

nslookup -type=txt -class=chaos version.bind ns1.metaregistrar.nlServer:         ns1.metaregistrar.nlAddress:        81.4.97.217#53version.bind    text = "Served by PowerDNS - http://www.powerdns.com"

What is chaos or CH class you ask? It is/was a network technology, see thewikipedia page for more info.. There is also the HS class, that stands forHesiod.

Hide it in BIND

When running a BIND nameserver, edit your /etc/bind/named.conf.options file(or the config file where you have your options) and add the following option:

options {    [...]    version "Not supported";}

You can of course put whatever you like in there, for example you can spoof aMicrosoft DNS server:

version "Microsoft DNS 6.0.6100 (2AEF76E)";

Or like TransIP does, make it look like your own DNS software:

dig @ns1.transip.nl version.bind txt chaos;; ANSWER SECTION:version.bind.       86400   CH  TXT "TransDNS 2.1.1"

Make sure to reload/restart your BIND servers after the change. Do note that youneed BIND 8.2 or later for this option to work.

db.bind zone

You can also add a .bind zone, this way your queries will also be logged and youcan block possible attempts.

/etc/bind/named.conf.local:

view "chaos" CH {  match-clients { any; };  zone "bind" CH {      type master;      file "db.bind";      allow-update { none; };  };};

/etc/bind/db.bind:

$TTL    3600@       86400       CH   SOA     localhost. root.localhost. (                     2013050801      ; serial                     3600            ; refresh                     3600            ; retry                     604800          ; expiry                     86400 )         ; minimum ;  @                   CH  NS  localhost.version             CH  TXT "Microsoft DNS 6.0.6100 (2AEF76E)" authors             CH  TXT "Raymii.org" 

However this gets complicated very fast, you need to wrap all your other zonesin views as well:

view "default" IN {  match-clients { any; };  [...]};

So it's better to use the above options file.

Tags: bind, dns, dnsmasq, exposure, named, tutorials, version