Hiding Your BIND Version

As described in Chapter 5, "Using Dig and nslookup," you can use a command such as

$ dig CHAOS version.bind TXT

to determine the version of BIND a server is running. This can be considered a security risk: it makes determining your BIND version easier, which matters when a new security problem in a specific BIND release gets published. To replace the real version string, add a version statement to the options block in named.conf:

options {
    …
    version "Wouldn't you like to know?";
    …
};

Of course, such an answer might inflame the temper of any attacker rather than stop the attack, so you might want to choose other language, or set it to blank. It has been argued that if the version string returned shows that you're using the latest, no-known-weaknesses BIND, the attacker will go on to the ...
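An added check that is not part of the book: this shell script classifies a captured "dig CHAOS version.bind TXT" answer section as leaking a release number, returning a custom string, or returning nothing, so you can confirm after a reload that the version statement took effect. The sample answer lines are constructed to follow dig's ANSWER SECTION layout, which the awk field positions assume.

```shell
#!/bin/sh
# Added example, not from the book: classify a captured "dig CHAOS version.bind TXT"
# answer section as LEAK, HIDDEN or NONE. A live check would feed real dig output
# in place of the constructed samples at the bottom.

# Print the rdata of the version.bind CH TXT record, with its quotes stripped.
# Assumes dig's ANSWER SECTION layout: name  ttl  class  type  rdata.
extract_version_txt() {
    printf '%s\n' "$1" | awk '$1 == "version.bind." && $3 == "CH" && $4 == "TXT" {
        s = $5
        for (i = 6; i <= NF; i++) s = s " " $i
        gsub(/^"|"$/, "", s)
        print s
    }'
}

# True when the string starts like a BIND release number (e.g. 9.16.1),
# i.e. the kind of value version-fingerprinting tools match against.
looks_like_bind_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?'
}

# LEAK: a real-looking version came back; HIDDEN: a custom string did;
# NONE: no TXT answer at all (query refused or class CH not served).
classify_answer() {
    txt=$(extract_version_txt "$1")
    if [ -z "$txt" ]; then
        echo NONE
    elif looks_like_bind_version "$txt"; then
        echo LEAK
    else
        echo HIDDEN
    fi
}

# Constructed sample answer sections (whitespace-separated like dig prints them).
LEAKING='version.bind.   0   CH  TXT "9.16.1"'
HIDDEN="version.bind.    0   CH  TXT \"Wouldn't you like to know?\""
REFUSED=''

for sample in "$LEAKING" "$HIDDEN" "$REFUSED"; do
    printf '%-8s <- %s\n' "$(classify_answer "$sample")" "${sample:-<no answer>}"
done
```

In practice, pipe the real output through the same functions: `classify_answer "$(dig @your-server CHAOS version.bind TXT +noall +answer)"`.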
