---
title: "How do I keep people from looking up the BIND server version?"
slug: "aa-00307"
description: "By default, BIND servers answer a query with information about the server version. This can be overridden."
updated: 2021-05-25T20:49:00Z
published: 2021-05-25T20:49:00Z
canonical: "kb.isc.org/aa-00307"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://kb.isc.org/llms.txt
> Use this file to discover all available pages before exploring further.

# How do I restrict people from looking up the server version?

By default, BIND servers will answer a query in the chaos domain for a text record named "version.bind" (for example, `dig @127.0.0.1 ch txt version.bind`) with a string containing information about the server.

By default, `named` answers this query with the software version number of the server. However, the answer is customizable by the operator: if you wish to specify a different answer, put a `version` option containing something other than the real version in the "options" section of **named.conf**, e.g. `version "none of your business";` or `version none;` (where "none" is a special value which prevents the server from answering at all).

**Note:** many operators choose to do this, feeling that providing unnecessary information to attackers can only be harmful. However, this does not prevent attacks and may impede external diagnosis of problems with your server. Also, it is often possible to "fingerprint" name servers to determine their version from the way they respond to specific queries, so suppressing the actual version string may not prevent an attacker from deducing your version from other clues.

It is also possible to deny or rate-limit access to `version.bind` and other built-in chaos records by re-defining the built-in chaos zones `version.bind`, `hostname.bind`, `authors.bind`, and `id.server` in a new chaos view:

```
    view "override_bind" chaos { 

       # Prevent use of this zone in DNS amplified reflection DoS attacks
       rate-limit {
            responses-per-second 3;
            slip 0;
            min-table-size 10;
       };
       
       zone "version.bind" chaos {
            type primary;
            database "_builtin version";
       };

       zone "hostname.bind" chaos {
            type primary;
            database "_builtin hostname";
       };

       zone "authors.bind" chaos {
            type primary;
            database "_builtin authors";
       };

       zone "id.server" chaos {
            type primary;
            database "_builtin id";
       };
    };
```

The full configuration of the built-in "_bind" view can be seen in bin/named/config.c.