How do I restrict only remote users from looking up the server version?
  • 25 May 2021

BIND has a built-in _bind view that provides the following zones:

view "_bind" chaos {
        recursion no;
        notify no;
        allow-new-zones no;

        # Prevent use of this zone in DNS amplified reflection DoS attacks
        rate-limit {
                responses-per-second 3;
                slip 0;
                min-table-size 10;
        };

        zone "version.bind" chaos {
                type primary;
                database "_builtin version";
        };

        zone "hostname.bind" chaos {
                type primary;
                database "_builtin hostname";
        };

        zone "authors.bind" chaos {
                type primary;
                database "_builtin authors";
        };

        zone "id.server" chaos {
                type primary;
                database "_builtin id";
        };
};

Some of this configuration can be overridden, without configuring the zones manually, by using these named.conf options:

version ( <quoted_string> | none );
server-id ( <quoted_string> | none | hostname );
hostname ( <quoted_string> | none );

Ordinarily, queries to this view are not restricted.

Adding the following view statement intercepts those lookups: views are matched in the order they appear in named.conf, and the built-in view that holds the version information is always matched last, so a chaos-class view that you define is tried before it.

Note that doing this will not prevent attacks and may impede people trying to diagnose problems with your server. Also, it is often possible to "fingerprint" nameservers to determine their version from the way they respond to specific queries.

view "chaos" chaos {
        match-clients { <those to be refused>; };
        allow-query { none; };
        zone "." {
                type hint;
                file "/dev/null";  // or any empty file
        };
};
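As an added worked example (not from this article), the following named.conf fragment puts the pieces together: the restricting chaos view is placed ahead of the ordinary IN views so it is matched before the built-in "_bind" view, and its match-clients excludes an assumed "admins" ACL so that localhost and an example admin prefix still fall through to the built-in view and receive the real answer. The view names, the ACL name, the 192.0.2.0/24 prefix (a documentation range used as a placeholder) and the zone file names are assumptions for this example.

```conf
// Added example: restrict CHAOS version/hostname lookups to local and
// administrative clients only. Names and addresses below are placeholders.

acl "admins" {
        127.0.0.1;
        ::1;
        192.0.2.0/24;      // assumed admin network (documentation prefix)
};

options {
        directory "/var/cache/bind";
        // "version" is left at its default so clients that reach the
        // built-in "_bind" view still see the real version string.
};

// Views are matched in order; the built-in "_bind" view is appended last.
// This view is listed first so it catches every chaos-class query from
// a client that is NOT in the admins ACL. Admin clients are negated here,
// so they skip this view and continue on to the built-in one.
view "chaos-remote" chaos {
        match-clients { !admins; any; };
        allow-query { none; };       // remote clients get REFUSED
        zone "." {
                type hint;
                file "/dev/null";    // any empty file will do
        };
};

// Ordinary class IN views; once any view is defined, all zones live in views.
view "internal" {
        match-clients { admins; };
        recursion yes;
        zone "example.com" {
                type primary;
                file "db.example.com";              // assumed zone file
        };
};

view "external" {
        match-clients { any; };
        recursion no;
        zone "example.com" {
                type primary;
                file "db.example.com.external";     // assumed zone file
        };
};
```

After `named-checkconf` passes and the configuration is reloaded, a TXT query for version.bind in class CHAOS from an address in the admins ACL is answered from the built-in view with the version string, while the same query from any other address is answered REFUSED, which is the expected result for this configuration. Class IN queries are unaffected, because a chaos-class view is only considered for chaos-class queries.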