I like hiding the version of the servers I use: even though security through obscurity isn't a proper solution, at worst it just won't help. Hiding the BIND version was actually suggested to me by a DNS-testing service, DNSLookup. It's quite a trivial setting. The string you configure is what BIND returns to a TXT query for version.bind in the CHAOS class (dig @server version.bind txt chaos), so the real version number no longer leaks, although the server is still identifiable as BIND from its behaviour; version none; refuses those queries altogether if you prefer that. Find the relevant BIND config file (on Debian 6 it's /etc/bind/named.conf.options; on other distros it might be just /etc/bind/named.conf or even /etc/named.conf) and, inside the options { ... } block, add at the end:
version "BIND";
For instance, here’s my current config file:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
listen-on-v6 { any; };
//listen-on-v6 { ::1; };
//listen-on { 127.0.0.1; };
//allow-recursion { 127.0.0.1; };
version "BIND";
};
Well, that's about it. Don't forget to apply the changes (via Webmin, or with a command such as /etc/init.d/bind9 reload). Running named-checkconf first catches a syntax error before the reload, and dig @127.0.0.1 version.bind txt chaos +short confirms the result: it should now answer "BIND" instead of the real version number.
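The same change as a script, added here as an example and not taken from the original post: set_bind_version rewrites the version directive inside the options block (replacing an existing one rather than adding a second), and apply_and_check runs the syntax check, the reload and the CHAOS-class query. The file paths, the rndc reload command in place of the init script, the 127.0.0.1 server address and the sample named.conf.options at the bottom are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: set the BIND "version"
# directive idempotently, validate the file, reload, and confirm the change
# with a CHAOS-class query. Paths, the sample config and the server address
# are assumptions made for the example.
set -eu

# set_bind_version FILE STRING
# Rewrite FILE so the options { ... } block carries exactly one
#   version "STRING";
# line. An existing version line at the top level of options is replaced;
# otherwise one is inserted just before the brace that closes options.
# Nested blocks such as forwarders { ... }; are tracked by brace depth, and
# // or # comments are ignored when counting braces (/* */ blocks are not).
set_bind_version() {
    file=$1
    banner=$2
    tmp="$file.tmp.$$"
    awk -v banner="$banner" '
        function emit() { if (!done) { print "\tversion \"" banner "\";"; done = 1 } }
        /^[[:space:]]*(\/\/|#)/ { print; next }        # comment-only line: copy as-is
        {
            code = $0
            sub(/(\/\/|#).*/, "", code)                 # drop trailing comment for brace counting
            opens  = gsub(/[{]/, "{", code)
            closes = gsub(/[}]/, "}", code)
            if (!in_opts && code ~ /^[[:space:]]*options[[:space:]]*[{]/) { in_opts = 1; depth = 0 }
            if (in_opts) {
                if (depth == 1 && code ~ /^[[:space:]]*version[[:space:]]/) {
                    emit(); depth += opens - closes; next   # replace the existing directive
                }
                depth += opens - closes
                if (depth == 0) { emit(); in_opts = 0 }     # closing brace of options
            }
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_bind_version FILE: print the configured version string (empty if unset).
get_bind_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*"\([^"]*\)";.*/\1/p' "$1"
}

# apply_and_check FILE SERVER: validate, reload and query, but only when the
# BIND tools are installed (they are not needed for the offline demo below).
apply_and_check() {
    file=$1
    server=$2
    command -v named-checkconf >/dev/null 2>&1 || { echo "named-checkconf not found; skipping live check"; return 0; }
    named-checkconf "$file"          # syntax check before touching the running daemon
    rndc reload                      # or: /etc/init.d/bind9 reload on Debian 6
    # Ask the server what it claims to be; this should print "BIND", not a version number.
    dig @"$server" version.bind txt chaos +short
}

# Constructed sample (assumed content, not the author's file): a minimal
# named.conf.options with a commented-out nested block and no version line.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
options {
    directory "/var/cache/bind";
    // forwarders {
    //     0.0.0.0;
    // };
    listen-on { any; };
    allow-recursion { 127.0.0.1; };
};
EOF
set_bind_version "$demo_conf" "BIND"
cat "$demo_conf"
# Uncomment on a real server (path and address are assumptions):
# apply_and_check /etc/bind/named.conf.options 127.0.0.1
```

Running the script twice is safe: the second run replaces the version line it inserted the first time instead of appending another, which a plain echo >> named.conf.options would not do.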