How to prevent bind from divulging its version

Simon Waters Simon at wretched.demon.co.uk
Fri Jun 29 22:02:59 UTC 2001


Paul Jacobs wrote:
> 
> OK... then what version of BIND am I running?

I relish a challenge... but I haven't done the research
yet....

Unlike Mark I'm a passionate advocate on not leaking
unneeded data so I think hiding version numbers is a good
idea.....


Hmm well limbo returns 8.2.3-REL so that one is easy.
As does ardent... So that is 40% of your servers.

You provide recursive lookup for other zones (and answer
queries using TCP <good, that's in the RFC!>, and other clues)
so you're probably not running a DJB based name server...
Smells like BIND, okay you said it was BIND, but you might
have lied *8)

You might want to fix the recursive look-up as if there is a
poisoning bug still lurking, then again people might be
using it to recurse for all I know.

The answers to Chaos Zones are inconclusive, but you don't
answer authors.bind which hints against early versions of 9.
A port scan might also show control sockets for rndc, but my
ISP is suitably fussy about unauthorised port scans.

You've got protection against zone transfers. Which hints at
4.9+.

You read the list so we can assume you aren't running pre
8.2.3-REL *8-)

You set AA flag when answering NXDOMAIN (I think that
confirms version 8 - Come on Mark help me on that one).

So I'm guessing recent 8.2 == 8.2.3/8.2.4

I don't see any immediate ways of fingerprinting it further.

Perhaps Mark has some ideas based on, say, bug 1187?

Also TSIG bug logging might delay responses whilst requests
are written to disk - but that would depend on OS and syslog
settings (and be rather blatant if you are running 8.2.4 or
later). But I wouldn't run that without asking.

Also since you do offer recursive queries if I was running a
"test" name server locally I could get your server to issue
queries against my server, allowing me to see if you use
source-port and further inspecting the behaviour of your
server, such as handling on new record types, and illegal
names.

How'd I do for a first attempt at BIND fingerprinting?

	Simon

PS: If technology fails take the social engineering
approach.... Search of comp.protocol.bind recent postings
includes a slightly cynical comment about reasons to upgrade
to 9 so presumably you don't run 9. You also asked about
8.2.3-REL on Linux 2.4, but I haven't tried to OS
fingerprint the nameservers to see if they are running Linux
2.4. On which basis 8.2.3-REL looks the most promising, and
is a good statistical bet as well *8). I didn't try the
archive, but it might yield further clues, such as DIG
inserting its version string into the comments section - of
course this is circumstantial as you're probably on another
server when using dig.

-- 
Are you using the Internet to best effect ?
www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at
news:uk.business.telework
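For readers who want to act on the subject line rather than on the fingerprinting game: the following is an added example, not part of Simon's post, showing the named.conf options that stop BIND answering the CHAOS-class version.bind query with its real release string (and that close the open recursion and zone-transfer doors mentioned above), together with a small check that reads dig output and says whether a version is still leaking. The server name ns1.example.com and the 192.0.2.0/24 address range are constructed placeholders; the options used exist in the BIND 8.2 series and in BIND 9.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): named.conf options
# that hide BIND's version string, plus a check of what a server answers to
# "dig version.bind chaos txt". ns1.example.com and 192.0.2.0/24 are made up.

# Print the options fragment a defender would add to named.conf.
hardened_options() {
    cat <<'EOF'
options {
    // Replace the real release string in version.bind CHAOS/TXT answers
    // (BIND 8.2 and later; BIND 9 also accepts "version none;").
    version "not disclosed";
    // Only the listed secondaries may pull zone transfers (constructed range).
    allow-transfer { 192.0.2.0/24; };
    // Recurse only for our own clients; everyone else gets REFUSED,
    // which also removes the "make it query my server" probing avenue.
    allow-recursion { 192.0.2.0/24; };
};
EOF
}

# Given the text output of "dig @server version.bind chaos txt", return 0 if
# the TXT answer looks like a real release number (e.g. "8.2.3-REL"), 1 if
# the answer is absent or has been replaced by an arbitrary string.
version_leaks() {
    printf '%s\n' "$1" \
        | grep -i 'version\.bind' \
        | grep -i 'TXT' \
        | grep -Eq '"[0-9]+\.[0-9]+'
}

# Live check of one server (needs dig and network; not used by the tests).
check_server() {
    srv="$1"
    out=$(dig @"$srv" version.bind chaos txt 2>&1)
    if version_leaks "$out"; then
        echo "$srv still discloses its version:"
        printf '%s\n' "$out" | grep -i 'TXT'
        return 1
    fi
    echo "$srv does not disclose a version string"
    return 0
}

# Usage: ./check_bind_version.sh ns1.example.com
if [ "$#" -ge 1 ]; then
    hardened_options
    check_server "$1"
fi
```

After reloading named with the fragment in place, the check should report that no version string is disclosed; the same dig query against a server that has not set `version` shows the release string in the TXT answer, which is exactly what the post above reads off limbo and ardent.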

