not revealing version number at all

Simon Waters Simon at wretched.demon.co.uk
Wed Jul 18 23:05:04 UTC 2001


Kevin Darcy wrote:
> 
> That's not quite the same thing -- it returns the string "REFUSED" as the answer to the question.
> 
> I think what the original poster wanted was for the query itself to be REFUSED, i.e. RCODE=REFUSED, no
> answer. For that, one would need to define the appropriate zone in the CHAOS class, and then restrict
> queries to the zone via allow-query.

Yes - and some servers return "Not Implemented", but I
haven't had a chance to update my DNS fingerprinting notes
with what they are.

So I'm guessing most boxes returning "refused" are running
BIND, à la Cricket's reply.

Like TCP/IP OS fingerprinting, we need to agree what is the
right "generic" response that will reveal least information.

Based on my surveys, most servers answer the query "dig
@server version.bind chaos txt", so not answering marks you
out as interesting, so it is probably better to answer with
a string, than not answer.

The most common uninformative return is a blank string -
although blank strings vary in their structure *8-).
Personally I've proposed that a telephone number be inserted,
so if it is genuine troubleshooting the person can call
someone.

NB: Some versions of 9 don't behave as expected with
'version ""'.
NB: BIND 9.[01] answers "authors.bind", BIND 9.2 doesn't
answer this if a "version" option is specified.

-- 
Are you using the Internet to best effect ?
www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at
news:uk.business.telework
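
Added example, not part of the original post and not BIND code: a Python check an operator can use to see which of the behaviours discussed in this thread their own server shows for the version.bind CHAOS TXT question (the string "REFUSED" as an answer, RCODE=REFUSED with no answer, "Not Implemented", or a blank string). The function names build_query, classify and make_response are hypothetical, and the replies are constructed in the code rather than captured from any server.

```python
import struct

CH, TXT = 3, 16                      # CHAOS class and TXT type codes
RCODES = {0: "NOERROR", 4: "NOTIMP", 5: "REFUSED"}

def build_query(qid=0x1234, name="version.bind"):
    """Wire form of the question asked by: dig @server version.bind chaos txt"""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TXT, CH)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:         # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Return (rcode name, CHAOS TXT strings) for a version.bind response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == TXT and rclass == CH and i < len(rdata):
            texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return RCODES.get(flags & 0xF, str(flags & 0xF)), texts

def make_response(query, rcode, txt=None):
    """Constructed sample reply (not captured traffic) to the given query."""
    an = 0 if txt is None else 1
    head = query[:2] + struct.pack("!HHHHH", 0x8500 | rcode, 1, an, 0, 0)
    if txt is None:
        return head + query[12:]                 # RCODE only, no answer section
    rdata = bytes([len(txt)]) + txt.encode()     # one length-prefixed string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, len(rdata)) + rdata
    return head + query[12:] + rr
```

classify() returns ("NOERROR", ["REFUSED"]) when the server answers with the string and ("REFUSED", []) when the query itself is refused, which is the distinction drawn in the quoted reply.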

