The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service,
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries. I agree with the BIND people that there
isn't much point in hiding that information.
FAQ>Q: How do I restrict people from looking up the server version?
FAQ>
FAQ>A: Put a "version" option containing something other than the real
FAQ>version in the "options" section of named.conf. Note doing this will
FAQ>not prevent attacks and may impede people trying to diagnose problems
FAQ>with your server. Also it is possible to "fingerprint" nameservers to
FAQ>determine their version.
FAQ>
FAQ>Q: How do I restrict only remote users from looking up the server
FAQ>version?
FAQ>
FAQ>A: The following view statement will intercept lookups as the internal
FAQ>view that holds the version information will be matched last. The
FAQ>caveats of the previous answer still apply, of course.
FAQ>
FAQ>    view "chaos" chaos {
FAQ>        match-clients { <those to be refused>; };
FAQ>        allow-query { none; };
FAQ>        zone "." {
FAQ>            type hint;
FAQ>            file "/dev/null"; // or any empty file
FAQ>        };
FAQ>    };
On Tue, Jan 30, 2001 at 07:14:20PM -0600, [EMAIL PROTECTED] wrote:
> Date: Tue, 30 Jan 2001 19:14:20 -0600
> From: [EMAIL PROTECTED]
> Subject: Re: fingerprinting BIND 9.1.0
> To: [EMAIL PROTECTED]
>
> In message <[EMAIL PROTECTED]>
> Max Vision writes:
>
> > The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> > chaos record called "authors".
>
> [ snip ]
>
> > % dig @ns.example.com authors.bind chaos txt
>
> I've been playing some with BIND 9.1.0, and have found that queries
> like this can be suppressed using the new "view" capability. I now
> have in my named.conf, the following:
>
>     view "external-chaos" chaos {
>         match-clients { any; };
>         recursion no;
>         zone "." {
>             type hint;
>             file "/dev/null";
>         };
>     };
>
> and a similar entry for hesiod records. Queries then against either
> chaos or hesiod records will come back as "servfail".
>
> Alternatively, creating your own "bind." domain with CH, rather than
> IN, records for SOA and TXT data will override hardcoded values. I've
> also got a "bind." domain that has this record:
>
> version.bind. 0 ch txt "Who knows"
>
> so that if I don't use a "view" to block chaos records, then at least
> I give out only information that I want to give out.
>
> --
> Randall Raemon
> shikahr.com.inter.net, email to rlr
--
William Colburn, "Sysprog" <[EMAIL PROTECTED]>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
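The fingerprinting query both posters discuss, as an added worked example that is not part of the original thread or of BIND: a small Python script that builds the same CHAOS-class TXT query `dig @ns.example.com version.bind chaos txt` sends on the wire, and parses the reply so you can tell the SERVFAIL a chaos-blocking view returns apart from the TXT string a `version` option or a hand-built `bind.` zone hands out. The `fake_response` helper and its "Who knows" string are constructed inputs so the script runs offline; `query_server` is the only part that touches the network and is an assumption about how you would point it at a real server.

```python
"""Build and parse the CHAOS-class TXT queries used to fingerprint BIND (added example)."""
import socket
import struct

CLASS_CH = 3        # CHAOS class, where version.bind / authors.bind live
TYPE_TXT = 16
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name such as "version.bind." as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name="version.bind.", qid=0x1234):
    """Wire equivalent of: dig @server <name> chaos txt  (standard query, RD clear)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode name, list of CH TXT strings) from a raw DNS response."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # step over the echoed question(s)
        off = skip_name(msg, off) + 4
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):      # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return RCODE_NAMES.get(rcode, str(rcode)), texts


def query_server(server, name="version.bind.", timeout=2.0):
    """Send the query over UDP to a real nameserver (assumed usage; not part of the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


def fake_response(query, rcode=0, txt=None):
    """Constructed reply for offline testing: echoes the question and optionally one CH TXT answer."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    an = 1 if txt is not None else 0
    header = struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, an, 0, 0)   # QR=1, AA=1
    msg = header + question
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        # name is a pointer back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    q = build_query("version.bind.")
    # A server running the FAQ's chaos view with an empty hint zone answers SERVFAIL:
    print(parse_response(fake_response(q, rcode=2)))
    # A server with version "Who knows" (or a hand-built bind. CH zone) answers with that text:
    print(parse_response(fake_response(q, txt="Who knows")))
```

Because `parse_response` only checks the RCODE and the CH TXT rdata, it also shows why the version string is weak cover: the reply's shape (SERVFAIL versus an authoritative TXT, and what other CH names such as `authors.bind` do) is itself a fingerprint, which is the caveat the FAQ makes.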