Skip to content

How to hide BIND version

I like hiding the version of the servers I use: even though security via obscurity isn’t a proper solution, at worse it just won’t help. Hiding the BIND version was actually suggested to me by a DNS-testing service, DNSLookup. It’s quite a trivial setting. Find the relevant BIND config file (in Debian 6, it’s /etc/bind/named.conf.options, in other distros it might be just /etc/bind/named.conf or even /etc/named.conf), and within the options brackets, add at the end:
version "BIND";

For instance, here’s my current config file:

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// };

	auth-nxdomain no;    # conform to RFC1035
	listen-on { any; };
	listen-on-v6 { any; };
	//listen-on-v6 { ::1; };
	//listen-on {; };
	//allow-recursion {; };
	version "BIND";

Well, that’s about it. Don’t forget to apply the changes (apply changes via Webmin or use a command such as /etc/init.d/bind9 reload)

Posted in Linux, servers, software.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA