How To Hide BIND DNS Sever Version

by on July 2, 2008 · 4 comments· LAST UPDATED July 2, 2008

in , ,

Q. How do I hide my dns server version number from command such as:
dig @ns1.example.com -c CH -t txt version.bind

How do I hide version under BIND9 Linux / UNIX systems?

A. This is nothing but security through obscurity. You can hide version but one can always fingerprint your name server to find out exact version details using fpdns tool.

Open your named.conf file, find out options { ... }; section,

options
{
        query-source    port 53;
        query-source-v6 port 53;
        listen-on { 174.ttt.xx.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { 174.zzz.yy.zz; 172.xx.yy.zz; };
        version "BIND";
};

To hide your bind version:
version "YOUR Message";
OR
version "use fpdns to get version number ;)";
Save and close the file. Restart named, enter:
# service bind9 restart
OR
# service named restart

How do I see bind version?

Use dig command, enter
$ dig @ns1.softlayer.com -c CH -t txt version.bind
As usual, you can use fpdns to find out version number.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 4 comments… read them below or add one }

1 Jeff Schroeder July 3, 2008 at 2:07 am

Yeah did this awhile ago at work :-)

$ host -c CH -t txt version.bind ns1.ewtllc.com
Using domain server:
Name: ns1.ewtllc.com
Address: 66.151.59.101#53
Aliases:

version.bind descriptive text “Jeff’s Super mega xbox edition”

$ host -c CH -t txt version.bind ns2.ewtllc.com
Using domain server:
Name: ns2.ewtllc.com
Address: 66.151.59.102#53
Aliases:

version.bind descriptive text “Jeff’s Super mega xbox edition”

Reply

2 Jeff August 30, 2008 at 7:14 pm

You know having a 2nd NS isn’t doing much for you since they are on the same network segment. If DNS is so important for your company, you should get it offnet.

Reply

3 AG September 28, 2012 at 8:47 pm

So if you put the statement in place: version “BIND”; .

It will show ‘BIND’, however one can run the fpdns command to view the exact version. However, if you keep up on security updates and patches would there be a risk of not using this?
Excellent site!

Reply

4 Vinny December 31, 2013 at 7:51 pm

I van not hide my version I tried with so many different ways in the /etc/named.conf
Nothing seems to work at all.
There is some csf firewall port security in this file.
I am confused how do I hide the version number.

Reply

Leave a Comment

Tagged as: , , , , , , , , , , ,

Previous Faq:

Next Faq: