Skip to main content Logo (IEC resistor symbol) logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Hide or determine BIND version number

Published: 08-05-2013 | Author: Remy van Elst | Text only version of this article

Table of Contents

The BIND nameserver (and many others) return their version number when queried a special DNS query. This gives exposure and that is most of the time a bad thing. This tutorial shows you how to query DNS servers for their version and how to stop/change your own BIND server version exposure.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days). (referral link)

Chaos Query

The following DIG and NSLOOKUP queries will show the version of BIND:

A home router queried with DIG:

dig @ version.bind txt chaos
version.bind.       0   CH  TXT "dnsmasq-2.47"

A Microsoft DNS server queried with nslookup:

nslookup -type=txt -class=chaos version.bind

version.bind    text = "Served by PowerDNS -"

What is chaos or CH class you ask? It is/was a network technology, see the wikipedia page for more info.. There is also the HS class, that stands for Hesiod.

Hide it in BIND

When running a BIND nameserver, edit your /etc/bind/named.conf.options file (or the config file where you have your options) and add the following option:

options {
    version "Not supported";

You can of course put whatever you like in there, for example you can spoof a Microsoft DNS server:

version "Microsoft DNS 6.0.6100 (2AEF76E)";

Or like TransIP does, make it look like your own DNS software:

dig version.bind txt chaos

version.bind.       86400   CH  TXT "TransDNS 2.1.1"

Make sure to reload/restart your BIND servers after the change. Do note that you need BIND 8.2 or later for this option to work.

db.bind zone

You can also add a .bind zone, this way your queries will also be logged and you can block possible attempts.


view "chaos" CH {
  match-clients { any; };
  zone "bind" CH {
      type master;
      file "db.bind";
      allow-update { none; };


$TTL    3600
@       86400       CH   SOA     localhost. root.localhost. ( 
                    2013050801      ; serial 
                    3600            ; refresh 
                    3600            ; retry 
                    604800          ; expiry 
                    86400 )         ; minimum 
@                   CH  NS  localhost.

version             CH  TXT "Microsoft DNS 6.0.6100 (2AEF76E)" 
authors             CH  TXT "" 

However this gets complicated very fast, you need to wrap all your other zones in views as well:

view "default" IN {
  match-clients { any; };

So it's better to use the above options file.

Tags: bind , dns , dnsmasq , exposure , named , tutorials , version