version.bind/TXT

Joseph S D Yao jsdy at cospo.osis.gov
Tue May 1 20:46:08 UTC 2001


On Tue, May 01, 2001 at 08:25:12PM -0000, syn uw wrote:
> 
> Hello,
> 
> Well, I would like to thank you all for replying to me so fast. I didn't know at 
> all about this "feature" of BIND to return its version number. Well, I was 
> quite happy trying the following command on my OpenBSD 2.8 server:
> 
> dig chaos txt version.bind
> 
> and getting the following output:
> 
> ; <<>> DiG 2.2 <<>> chaos txt version.bind
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55055
> ;; flags: qr rd; Ques: 1, Ans: 0, Auth: 0, Addit: 0
> ;; QUESTIONS:
> ;;      version.bind, type = TXT, class = CHAOS
> 
> ;; Total query time: 23 msec
> ;; FROM: kyrandia to SERVER: default -- 192.168.133.51
> ;; WHEN: Tue May  1 22:15:37 2001
> ;; MSG SIZE  sent: 30  rcvd: 30
> 
> to see that my name server doesn't return its version number, so this 
> is disabled by default with BIND on OpenBSD. A good thing to know. Anyway, how 
> can I explicitly disable this, can someone tell me the parameter that I need 
> to put in my named.boot/named.conf ?

Surprising.  Then again, the BSDs do go the extra mile on security.

This is already disabled in your named.conf.  [Throw away named.boot,
you should never run BIND 4.]

In the options{} statement, use the keyword "version":

options {
	...
	version "Surely you must be joking";
	...
};

or

options {
	...
	version "";
};

Note that neither of these actually DISABLES the feature, only
REDEFINES it.

I suppose you could define a CHAOS zone "bind" and not place a TXT
string "version" inside it.  I haven't tried it to see what would
happen.

> Btw: What is this class=chaos ?? Is that a sort of backdoor in bind, I never 
> saw this documented anywhere. And is that in all BIND versions ?

CHAOSnet [class CHAOS] has always been just another class of network,
like Internet [class IN].  But most people don't use it, so at some
point somebody stuck this little hack in.

-- 
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
OSIS/COSPO Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
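
Added example, not part of the original message: Python code that builds the
CHAOS-class TXT query for version.bind and parses replies, showing that a
redefined or empty "version" still produces a NOERROR answer carrying a TXT
record, unlike the SERVFAIL seen above. The reply bytes are constructed samples
(not captured traffic), the helper names are this example's own, and the
empty-string case assumes the server returns the configured string as-is.

```python
import struct

TYPE_TXT, CLASS_CH = 16, 3
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(qid, name="version.bind"):
    """CHAOS-class TXT query, as sent by `dig chaos txt version.bind`."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!2H", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_reply(msg):
    """Return (rcode name, list of CHAOS TXT strings in the answer section)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == TYPE_TXT and rclass == CLASS_CH and rdata:
            n = rdata[0]                   # each TXT string is length-prefixed
            texts.append(rdata[1:1 + n].decode("ascii", "replace"))
            rdata = rdata[1 + n:]
    return RCODES.get(flags & 0xF, str(flags & 0xF)), texts

def make_reply(qid, rcode, txt=None):
    """Constructed sample reply (QR and RD set); txt=None means no answer record."""
    msg = struct.pack("!6H", qid, 0x8100 | rcode, 1, int(txt is not None), 0, 0)
    msg += build_query(qid)[12:]           # echo the question section
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        msg += b"\xc0\x0c" + struct.pack("!2HIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for args in ((55055, 2), (1, 0, "Surely you must be joking"), (2, 0, "")):
        print(parse_reply(make_reply(*args)))
```

The query and the constructed SERVFAIL reply are both 30 bytes, matching the
"MSG SIZE  sent: 30  rcvd: 30" line in the dig output above.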

