≡ Menu

How To Hide BIND DNS Sever Version

Q. How do I hide my dns server version number from command such as:
dig @ns1.example.com -c CH -t txt version.bind

How do I hide version under BIND9 Linux / UNIX systems?

A. This is nothing but security through obscurity. You can hide version but one can always fingerprint your name server to find out exact version details using fpdns tool.

Open your named.conf file, find out options { ... }; section,

options
{
        query-source    port 53;
        query-source-v6 port 53;
        listen-on { 174.ttt.xx.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { 174.zzz.yy.zz; 172.xx.yy.zz; };
        version "BIND";
};

To hide your bind version:
version "YOUR Message";
OR
version "use fpdns to get version number ;)";
Save and close the file. Restart named, enter:
# service bind9 restart
OR
# service named restart

How do I see bind version?

Use dig command, enter
$ dig @ns1.softlayer.com -c CH -t txt version.bind
As usual, you can use fpdns to find out version number.

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

{ 5 comments… add one }

  • Jeff Schroeder July 3, 2008, 2:07 am

    Yeah did this awhile ago at work :-)

    $ host -c CH -t txt version.bind ns1.ewtllc.com
    Using domain server:
    Name: ns1.ewtllc.com
    Address: 66.151.59.101#53
    Aliases:

    version.bind descriptive text “Jeff’s Super mega xbox edition”

    $ host -c CH -t txt version.bind ns2.ewtllc.com
    Using domain server:
    Name: ns2.ewtllc.com
    Address: 66.151.59.102#53
    Aliases:

    version.bind descriptive text “Jeff’s Super mega xbox edition”

  • Jeff August 30, 2008, 7:14 pm

    You know having a 2nd NS isn’t doing much for you since they are on the same network segment. If DNS is so important for your company, you should get it offnet.

  • AG September 28, 2012, 8:47 pm

    So if you put the statement in place: version “BIND”; .

    It will show ‘BIND’, however one can run the fpdns command to view the exact version. However, if you keep up on security updates and patches would there be a risk of not using this?
    Excellent site!

  • Vinny December 31, 2013, 7:51 pm

    I van not hide my version I tried with so many different ways in the /etc/named.conf
    Nothing seems to work at all.
    There is some csf firewall port security in this file.
    I am confused how do I hide the version number.

  • James May 29, 2014, 11:48 am

    Hey Vinny

    under options just put in

    version “my name is vinny”;

    save named.conf

    and then restart named

    Easy :)

    If there is no options put:

    options
    {
    version “my name is vinny”;
    };

Leave a Comment