BIND servers can be remotely queried for their version

Peter Radcliffe pir at pir.net
Fri Mar 31 17:38:24 UTC 2000


Thor Kottelin  <thor at anta.net> probably said:
>From: wen <wen at hisense.qd.sd.cn>
>> BIND servers can be remotely queried for their version. This feature
>> could be used by attackers to remotely probe machines for vulnerable
>> versions of BIND to be exploited in later attacks.
>> Now my BIND version is 8.2. How do I correct this fault?
>
>IIRC, you can use
>options {
>	version "";
>};

If you want to allow it locally to check versions (I run quite a few
nameservers) but disallow remotely, you can use:

// An explicit master zone for "bind" in class CHAOS takes over from the
// server's built-in CHAOS pseudo-zone, so allow-query now governs who may
// ask for version.bind.
zone "bind" chaos {
  allow-query {
    localhost;      // only queries from this host are answered; others get REFUSED
  };
  type master;
  file "bind";
};

and put in the file "bind":

$ORIGIN bind.
$TTL 1W

@       1D CHAOS SOA    localhost. root.localhost. (
                        1               ; serial
                        3H              ; refresh
                        1H              ; retry
                        1W              ; expiry
                        1D )            ; minimum
        CHAOS NS        localhost.

-- 
pir                  pir at pir.net                    pir at net.tufts.edu
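The probe the thread is worried about is a single CHAOS-class TXT query for version.bind. The following is an added example, not code from the mailing-list post: it builds that query on the wire, sends it, and classifies the reply as "exposed" (a non-empty TXT string came back), "hidden" (no usable answer) or "refused" (rcode REFUSED, which is what an allow-query { localhost; } zone returns to everyone else). The three sample replies at the bottom are constructed by hand for offline use, not captured from a real server, so the script can be run and checked without network access; probe() needs a reachable nameserver.

```python
import socket
import struct

# Added example (not from the original post). Wire-format probe for the
# CHAOS-class TXT record version.bind, plus a classifier for the reply.

QTYPE_TXT = 16
QCLASS_CHAOS = 3


def build_version_query(txid=0x1234):
    """Build a DNS query for version.bind. CH TXT (RD bit clear, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_version_response(msg):
    """Classify a reply: ('exposed', version) / ('refused', None) / ('hidden', None)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode == 5:                     # REFUSED: allow-query denied the client
        return ("refused", None)
    if rcode != 0 or an == 0:          # NXDOMAIN or empty answer: nothing learned
        return ("hidden", None)
    off = 12
    for _ in range(qd):                # step over the echoed question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            # TXT rdata is a sequence of <length><characters> strings
            strings, p = [], 0
            while p < len(rdata):
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("latin-1"))
                p += 1 + n
            version = "".join(strings)
            # An empty string leaks nothing, so treat it as hidden
            return ("exposed", version) if version else ("hidden", None)
    return ("hidden", None)


def probe(server, port=53, timeout=2.0):
    """Send the query over UDP and classify the reply (needs a reachable server)."""
    query = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(512)
    return parse_version_response(data)


def _constructed_response(txid, rcode, txt=None):
    """Hand-built server reply for offline demonstration (constructed, not captured)."""
    question = build_version_query(txid)[12:]
    flags = 0x8400 | rcode             # QR=1, AA=1, rcode as given
    if txt is None:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes([len(txt)]) + txt
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


# Constructed samples: a server that reports "8.2", one that returns an empty
# TXT string, and one whose allow-query rejects the client.
EXPOSED = _constructed_response(0x1234, 0, b"8.2")
BLANKED = _constructed_response(0x1234, 0, b"")
REFUSED = _constructed_response(0x1234, 5)

if __name__ == "__main__":
    for label, msg in (("default", EXPOSED), ("empty TXT", BLANKED), ("allow-query", REFUSED)):
        print(label, parse_version_response(msg))
```

Run the script as-is to see the three classifications; to check a real server, call probe("192.0.2.1") from the host the zone's allow-query is meant to permit and again from one it is meant to deny, and confirm the first returns ("exposed", ...) while the second returns ("refused", None).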