allow-query does not seem to restrict access to version.bind in 9.2.1

Will Yardley &- at
Mon Jun 24 02:59:31 UTC 2002

In article <af5qsb$e9n3$1 at>, Jim Reid wrote:
> "Jesper" == Jesper Dybdal <jdunet at> writes:

>> If I wanted specifically to hide the version number, which
>> I don't, then allow-query would be my preferred way of
>> doing it, since it would allow myself to easily check that
>> I'm running the version I expect.
> It still doesn't stop others finding out what version of BIND you're
> running. Unless of course you prevent any remote access to your name
> server: including handing out answers for the zones it serves. But
> that would be somewhat pointless.
>> I know that perfectly well.  But is that a reason for the
>> allow-query clause to not work in the expected way?
> Who knows? Since you didn't provide the relevant parts of the actual
> config file that your name server is using, who can tell? In
> particular the ACL you showed -- which could be the core of your
> problem -- is not the one that your name server is actually applying.
> "Dear mailing list, I think I have a problem with an ACL but I'm not
> going to show it to you. Here's what it might look like. Please tell
> me what could be wrong with it."

i notice the same behavior (i don't really care if anyone queries my
version string, but i do agree that it's not the behavior *i'd* expect).

acl internal {;; };

options {
        directory "/etc/namedb";
        listen-on {;; };
        dump-file "s/named_dump.db";
        pid-file "s/";
        allow-query { internal; };

note the status: in both.....

jazz% dig version.bind ch txt

; <<>> DiG 9.3.0s20020328 <<>> version.bind ch
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39649
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;version.bind.                  CH      TXT

version.bind.           0       CH      TXT     "9.3.0s20020328"

version.bind.           0       CH      NS      version.bind.

;; Query time: 30 msec
;; WHEN: Sun Jun 23 19:57:52 2002
;; MSG SIZE  rcvd: 71

jazz% dig      

; <<>> DiG 9.3.0s20020328 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22539
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;                 IN      A

;; Query time: 39 msec
;; WHEN: Sun Jun 23 19:58:12 2002
;; MSG SIZE  rcvd: 31

No copies, please.
To reply privately, simply reply; don't remove anything.
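An added example, not part of the original post and not BIND code: a minimal DNS wire-format builder and parser that an operator could use to check their own server for the mismatch reported above, where an IN query is REFUSED while `version.bind` CH TXT is still answered. The sample replies are constructed to mirror the two dig results in the message; `example.com` stands in for the query name missing from the archive, and all function names are hypothetical.

```python
import struct

TXT, A, IN, CH = 16, 1, 1, 3
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, qclass, qid):
    """One-question DNS query with RD set (flags 0x0100), as dig sends by default."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_response(msg):
    """Return (status, question class, first string of each TXT answer)."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, qclass, texts = 12, None, []
    for _ in range(qd):
        off = skip_name(msg, off)
        qclass = struct.unpack("!HH", msg[off:off + 4])[1]
        off += 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TXT and rdlen:
            texts.append(msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace"))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), qclass, texts

def acl_gap(in_resp, ch_resp):
    """True when an IN query is REFUSED but version.bind CH TXT is still answered."""
    ch_status, ch_class, ch_txt = parse_response(ch_resp)
    return parse_response(in_resp)[0] == "REFUSED" and ch_class == CH and ch_status == "NOERROR" and bool(ch_txt)

def sample_responses():
    """Constructed replies modelled on the two dig results above (authority record omitted)."""
    q_ch = build_query("version.bind", TXT, CH, 39649)
    q_in = build_query("example.com", A, IN, 22539)  # placeholder name, not from the post
    rdata = b"\x0e9.3.0s20020328"                      # 14-byte TXT character-string
    ch = (struct.pack("!6H", 39649, 0x8500, 1, 1, 0, 0) + q_ch[12:]       # qr aa rd, NOERROR
          + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, len(rdata)) + rdata)
    refused = struct.pack("!6H", 22539, 0x8185, 1, 0, 0, 0) + q_in[12:]   # qr rd ra, REFUSED
    return refused, ch
```

To run it against a live server, send the bytes from `build_query` over UDP port 53 from an address outside the `internal` ACL and pass the two replies to `acl_gap`.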
