How do I restrict people from looking up the server version?
25 May 2021

By default, BIND servers will answer a query in the CHAOS (CH) class for a TXT record named "version.bind" (for example, dig @127.0.0.1 ch txt version.bind) with a string containing information about the server.

By default, named answers this query with the software version number of the server. However, the answer is customizable by the operator: if you wish to specify a different answer, put a version option containing something other than the real version in the "options" section of named.conf, e.g. version "none of your business"; or version none; (where "none" is a special value which prevents the server from answering at all).

Note: many operators choose to do this, feeling that providing unnecessary information to attackers can only be harmful. However, this does not prevent attacks and may impede external diagnosis of problems with your server. Also, it is often possible to "fingerprint" name servers to determine their version from the way they respond to specific queries, so suppressing the actual version string may not prevent an attacker from deducing your version from other clues.
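As an added example (not from this article or from BIND's own code), the following Python builds the same version.bind CH TXT query that dig sends, parses a reply, and flags replies that still carry what looks like a release number, so an operator can confirm the version option took effect. The replies are constructed inline so it runs offline, and the version regex is a heuristic assumption, not something BIND defines.

```python
import re
import struct

CH, TXT = 3, 16  # CHAOS class and TXT type, as in `dig ch txt version.bind`
VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)?\b")  # heuristic: looks like a release number

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(name="version.bind", qid=0x1234):
    """Wire-format query for <name> CH TXT: 12-byte header, one question, no flags."""
    return struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", TXT, CH)

def build_response(query, txt=None):
    """Constructed reply to build_query(): one CH TXT record, or an empty answer if txt is None."""
    qid = struct.unpack(">H", query[:2])[0]
    # QR and AA bits set, rcode NOERROR; the question section is echoed from the query
    msg = struct.pack(">HHHHHH", qid, 0x8400, 1, 0 if txt is None else 1, 0, 0) + query[12:]
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode()  # TXT rdata is <length><characters>
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TXT, CH, 0, len(rdata)) + rdata  # name = pointer to offset 12
    return msg

def skip_name(msg, off):
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:  # walk labels until root or compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def txt_answers(msg):
    """TXT strings in the answer section; empty for NODATA or REFUSED replies."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    strings = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT and rclass == CH:
            p = 0
            while p < len(rdata):
                strings.append(rdata[p + 1:p + 1 + rdata[p]].decode())
                p += 1 + rdata[p]
    return strings

def discloses_version(msg):
    """True when the version.bind reply carries something that looks like a real release number."""
    return any(VERSION_RE.search(s) for s in txt_answers(msg))
```

Sending build_query() over UDP port 53 to your own server and passing the reply to discloses_version() gives a quick post-change check; a custom string such as "none of your business" or an empty answer both count as not disclosed.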

It is also possible to deny or rate-limit access to version.bind and other built-in chaos records by re-defining the built-in chaos zones version.bind, hostname.bind, authors.bind, and id.server in a new chaos view:

    view "override_bind" chaos {

        # Prevent use of this zone in DNS amplified reflection DoS attacks
        rate-limit {
            responses-per-second 3;
            slip 0;
            min-table-size 10;
        };

        zone "version.bind" chaos {
            type primary;
            database "_builtin version";
        };

        zone "hostname.bind" chaos {
            type primary;
            database "_builtin hostname";
        };

        zone "authors.bind" chaos {
            type primary;
            database "_builtin authors";
        };

        zone "id.server" chaos {
            type primary;
            database "_builtin id";
        };
    };

The full configuration of the built-in "_bind" view can be seen in bin/named/config.c.