How do I disable the bind version.bind option under UNIX or Linux operating systems to improve my name server security?
There is currently no way to completely disable the version.bind query. You can replace the version string it returns with a custom one in named.conf, but most security scanners and fingerprinting tools will still detect your BIND version without any problem; this approach is commonly called security through obscurity. Edit your named.conf and set the version directive inside the options block as follows:
options {
    ### security through obscurity ###
    # string returned for version.bind CH TXT queries instead of the real release number
    version "Go away.";
};
Save and close the file, then reload or restart the named server:
# service named restart
How Do I Find Out Version Information?
Type the following command on a Mac OS X, Linux, or UNIX-based computer:
$ host -c CH -t txt version.bind ns1.dnsknowledge.com
Using domain server:
Name: ns1.dnsknowledge.com
Address: 203.xx.ttt.zz#53
Aliases:

version.bind descriptive text "Go away."
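As an added example that is not part of the original post, the following Python script sends the same version.bind CHAOS TXT query that the host command above sends, parses the reply, and flags whether the answer still looks like a real BIND release number (i.e. the version directive was not set). The embedded reply is constructed, not captured traffic, and check_server is a hypothetical helper for querying your own name server over UDP.

```python
import re, socket, struct
TYPE_TXT, CLASS_CH = 16, 3  # TXT record in the CHAOS class (the version.bind pseudo-zone)

def build_version_bind_query(txid=0x1234):
    """Wire-format query equivalent to `host -c CH -t txt version.bind <server>`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def _skip_name(buf, off):  # advance past a (possibly compressed) domain name
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_version_bind_reply(resp):
    """Return (rcode, [TXT strings]) from the answer section of a DNS reply."""
    flags, qd, an = struct.unpack_from("!HHH", resp, 2)
    off = 12  # first byte after the 12-byte header
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            while rdata:  # TXT rdata is a sequence of <len><bytes> strings
                texts.append(rdata[1:1 + rdata[0]].decode("ascii", "replace"))
                rdata = rdata[1 + rdata[0]:]
    return flags & 0x0F, texts

def leaks_version(texts):
    """True if a TXT string looks like a release number (e.g. 9.6.1-P1), i.e. no version string is set."""
    return any(re.search(r"\b\d+\.\d+(\.\d+)?", t) for t in texts)

# Constructed reply from a server configured with version "Go away."; not captured traffic.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
                + b"\x07version\x04bind\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)
                + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 9) + b"\x08Go away.")

def check_server(host, port=53, timeout=3.0):
    """Hypothetical helper: query your own name server over UDP; return (rcode, texts, leaks?)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (host, port))
        rcode, texts = parse_version_bind_reply(s.recv(512))
    return rcode, texts, leaks_version(texts)
```

A non-zero rcode with no TXT strings (for example REFUSED) means the server declined the query outright rather than answering with a custom string.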
fpdns can determine the DNS server version for the domain dnsknowledge.com using a fingerprinting technique, as follows:
$ fpdns -D dnsknowledge.com
fingerprint (dnsknowledge.com, 22.214.171.124): ISC BIND 9.2.3rc1 -- 9.6.1-P1
fingerprint (dnsknowledge.com, 126.96.36.199): ISC BIND 9.2.3rc1 -- 9.6.1-P1
Our Recommendations To Keep Bind Server Secure
A better option is to run your BIND server in a chrooted jail and apply all security patches to both named and the operating system immediately.