allow-query does not seem to restrict access to version.bind in 9.2.1

Will Yardley &- at no.spam.veggiechinese.net
Mon Jun 24 02:59:31 UTC 2002


In article <af5qsb$e9n3$1 at isrv4.isc.org>, Jim Reid wrote:
> "Jesper" == Jesper Dybdal <jdunet at u7.dybdal.dk> writes:

>> If I wanted specifically to hide the version number, which
>> I don't, then allow-query would be my preferred way of
>> doing it, since it would allow myself to easily check that
>> I'm running the version I expect.
 
> It still doesn't stop others finding out what version of BIND you're
> running. Unless of course you prevent any remote access to your name
> server: including handing out answers for the zones it serves. But
> that would be somewhat pointless.
 
>> I know that perfectly well.  But is that a reason for the
>> allow-query clause to not work in the expected way?
> 
> Who knows? Since you didn't provide the relevant parts of the actual
> config file that your name server is using, who can tell? In
> particular the ACL you showed -- which could be the core of your
> problem -- is not the one that your name server is actually applying.
> "Dear mailing list, I think I have a problem with an ACL but I'm not
> going to show it to you. Here's what it might look like. Please tell
> me what could be wrong with it."

i notice the same behavior (i don't really care if anyone queries my
version string, but i do agree that it's not the behavior *i'd* expect).

acl internal { 127.0.0.0/8; 64.174.220.40/29; };

options {
        directory "/etc/namedb";
        listen-on { 127.0.0.1; 64.174.220.42; };
        dump-file "s/named_dump.db";
        pid-file "s/named.pid";
        allow-query { internal; };
};

note the status: in both.....

jazz% dig @aura.infinitejazz.net version.bind ch txt

; <<>> DiG 9.3.0s20020328 <<>> @aura.infinitejazz.net version.bind ch txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39649
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.3.0s20020328"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 30 msec
;; SERVER: 64.174.220.42#53(aura.infinitejazz.net)
;; WHEN: Sun Jun 23 19:57:52 2002
;; MSG SIZE  rcvd: 71

jazz% dig @aura.infinitejazz.net dreamhost.com      

; <<>> DiG 9.3.0s20020328 <<>> @aura.infinitejazz.net dreamhost.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22539
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dreamhost.com.                 IN      A

;; Query time: 39 msec
;; SERVER: 64.174.220.42#53(aura.infinitejazz.net)
;; WHEN: Sun Jun 23 19:58:12 2002
;; MSG SIZE  rcvd: 31

-- 
No copies, please.
To reply privately, simply reply; don't remove anything.
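The behaviour shown in the two dig runs above (a CHAOS-class version.bind query answered while an IN-class query is REFUSED) is easy to re-check from a script. The following is an added example, not code from the original post: it builds a minimal DNS query with an explicit class, parses the reply's rcode and any TXT strings, and carries two constructed replies modelled on the post's output so the parser can be exercised offline. The server name, the query id values and the sample bytes are assumptions; `probe()` is only needed for a live check.

```python
import socket
import struct

# Standard DNS class/type codes and the rcode names this checker reports.
CLASS_IN, CLASS_CH, TYPE_A, TYPE_TXT = 1, 3, 1, 16
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):  # wire format: length-prefixed labels, root terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype, qclass, qid=0x1234):  # header (RD set) + one question
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, qclass))

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg):
    """Return (rcode name, TXT strings found in the answer section)."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # step over the question section
        off = skip_name(msg, off) + 4
    txts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rcls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        p, end = off + 10, off + 10 + rdlen
        while rtype == TYPE_TXT and p < end:  # RDATA is a run of <len><chars>
            txts.append(msg[p + 1:p + 1 + msg[p]].decode())
            p += 1 + msg[p]
        off = end
    return RCODES.get(flags & 0xF, str(flags & 0xF)), txts

def probe(server, name, qtype, qclass, timeout=3.0):  # live UDP check on port 53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qclass), (server, 53))
        return parse_response(s.recvfrom(4096)[0])

# Constructed replies modelled on the two dig runs in the post (not captured bytes).
SAMPLE_VERSION_REPLY = (struct.pack("!HHHHHH", 39649, 0x8500, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 15) + b"\x0e9.3.0s20020328")
SAMPLE_REFUSED_REPLY = (struct.pack("!HHHHHH", 22539, 0x8185, 1, 0, 0, 0)
    + encode_name("dreamhost.com") + struct.pack("!HH", TYPE_A, CLASS_IN))
```

Running `probe("aura.infinitejazz.net", "version.bind", TYPE_TXT, CLASS_CH)` next to an IN-class probe of a served zone shows directly whether an allow-query ACL in `options` is being applied to CHAOS-class queries on a given server.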
