How do I restrict only remote users from looking up the server version?
  • 11 Jan 2021

BIND has a built-in _bind view that provides the following zones:

view "_bind" chaos {
        recursion no;
        notify no;
        allow-new-zones no;

        # Prevent use of this zone in DNS amplified reflection DoS attacks
        rate-limit {
                responses-per-second 3;
                slip 0;
                min-table-size 10;
        };

        zone "version.bind" chaos {
                type master;
                database "_builtin version";
        };

        zone "hostname.bind" chaos {
                type master;
                database "_builtin hostname";
        };

        zone "authors.bind" chaos {
                type master;
                database "_builtin authors";
        };

        zone "id.server" chaos {
                type master;
                database "_builtin id";
        };
};

Some of this configuration can be overridden, without configuring the zones manually, by using these named.conf options:

version ( <quoted_string> | none );
server-id ( <quoted_string> | none | hostname );
hostname ( <quoted_string> | none );

Ordinarily, queries to this view are not restricted.

Adding the following view statement intercepts these lookups, because views are matched in the order they appear in named.conf and the built-in view that holds the version information is matched last.

Note that doing this will not prevent attacks and may impede people trying to diagnose problems with your server. Also, it is often possible to "fingerprint" nameservers to determine their version from the way they respond to specific queries.

view "chaos" chaos {
     match-clients { <those to be refused>; };
     allow-query { none; };
     zone "." {
             type hint;
             file "/dev/null";  // or any empty file
     };
};
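A complete named.conf showing how the view above fits together with an ACL and an ordinary IN-class view, added here as an example (it is not taken from the ISC article). The ACL name "trusted", the address ranges and the zone "example.com" are constructed placeholders; substitute your own.

```conf
// Added example, not from the ISC article. A minimal named.conf that
// refuses CHAOS-class queries (version.bind, hostname.bind, authors.bind,
// id.server) from every client except those in the "trusted" ACL.
// Address ranges and the zone name below are constructed placeholders.

acl "trusted" {
        127.0.0.0/8;
        ::1/128;
        192.0.2.0/24;            // constructed: an internal management LAN
};

options {
        directory "/var/named";
        recursion no;
};

// Views are tried in the order they appear, and the built-in "_bind" view
// is consulted only after every configured view, so this one must come
// first. Because the view is declared with class "chaos", it is matched
// only for CHAOS-class queries; IN-class traffic is not affected.
view "chaos-refuse" chaos {
        match-clients { !trusted; any; };   // everyone except the trusted ACL
        allow-query { none; };              // such clients receive REFUSED
        zone "." {
                type hint;
                file "/dev/null";           // or any empty file
        };
};

// Trusted clients do not match the view above, so they fall through to the
// built-in "_bind" view and can still look up version.bind for diagnostics.

// Ordinary IN-class service, unchanged by the chaos view.
view "public" IN {
        match-clients { any; };
        zone "example.com" {                // constructed placeholder zone
                type master;
                file "example.com.zone";
        };
};
```

After `rndc reconfig`, check the result from both sides: `dig @<server> version.bind txt chaos` from a trusted address should still return the version TXT record (or whatever the `version` option sets), while the same query from any other address should come back with status REFUSED. If you do not need the per-client distinction, the simpler route is `version none;` (and `hostname none;`, `server-id none;`) in the options block, which hides the strings from everyone, including your own staff.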