How To Hide BIND DNS Sever Version

Posted on in Categories , , , , , , , , last updated July 2, 2008

Q. How do I hide my dns server version number from command such as:
dig @ns1.example.com -c CH -t txt version.bind

How do I hide version under BIND9 Linux / UNIX systems?

A. This is nothing but security through obscurity. You can hide version but one can always fingerprint your name server to find out exact version details using fpdns tool.

Open your named.conf file, find out options { … }; section,

options
{
        query-source    port 53;
        query-source-v6 port 53;
        listen-on { 174.ttt.xx.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { 174.zzz.yy.zz; 172.xx.yy.zz; };
        version "BIND";
};

To hide your bind version:
version "YOUR Message";
OR
version "use fpdns to get version number ;)";
Save and close the file. Restart named, enter:
# service bind9 restart
OR
# service named restart

How do I see bind version?

Use dig command, enter
$ dig @ns1.softlayer.com -c CH -t txt version.bind
As usual, you can use fpdns to find out version number.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

5 comment

  1. Yeah did this awhile ago at work :-)

    $ host -c CH -t txt version.bind ns1.ewtllc.com
    Using domain server:
    Name: ns1.ewtllc.com
    Address: 66.151.59.101#53
    Aliases:

    version.bind descriptive text “Jeff’s Super mega xbox edition”

    $ host -c CH -t txt version.bind ns2.ewtllc.com
    Using domain server:
    Name: ns2.ewtllc.com
    Address: 66.151.59.102#53
    Aliases:

    version.bind descriptive text “Jeff’s Super mega xbox edition”

  2. So if you put the statement in place: version “BIND”; .

    It will show ‘BIND’, however one can run the fpdns command to view the exact version. However, if you keep up on security updates and patches would there be a risk of not using this?
    Excellent site!

  3. I van not hide my version I tried with so many different ways in the /etc/named.conf
    Nothing seems to work at all.
    There is some csf firewall port security in this file.
    I am confused how do I hide the version number.

  4. Hey Vinny

    under options just put in

    version “my name is vinny”;

    save named.conf

    and then restart named

    Easy :)

    If there is no options put:

    options
    {
    version “my name is vinny”;
    };

Leave a Comment