Blocking version information

Peter Dambier peter at
Fri Jun 17 20:07:30 UTC 2005


Pax Dickinson wrote:
| Hi all,
| I'm working on a script to update BIND 8 named.conf files to BIND 9, and
| I'm wondering if using a
| version "None of your business.";

This is done often.

| option in our named.conf would violate any DNS RFCs?  A quick skim makes
| it appear to me that it wouldn't, but I need to be sure.

It does not directly break anything.

Indirectly it breaks debugging. As long as nobody complains about your servers
in his lame-server log I don't see a problem.

If I was running a public DNS-resolver as ISPs do and if I was annoyed with
your servers appearing in my log, then I would use dig to debug.

Seeing your version I might be tempted to add a zone file to my resolver:

    SOA ...
    NS
    A
*   A

It would definitely solve my problem.

I am analysing log files on nameservers. I did not see any problems with DNS.
But I did see problems with other services and I did solve them.

What does your server do? Publish DNS information about your company to the
outside or resolve and cache for the inside?

If it is a resolver for the inside then don't worry; you will not harm anybody
by keeping your BIND version a secret.

If it delivers information to the outside I would not hide this information
nor would I disable axfr queries.

If it does both then you do have a security problem. Get another server for
the inside. Hide it behind a firewall. Hide its version if you like. Let
nobody see it from the outside.

Don't let your nameserver for the outside cache any information. Then you
should be ok.

| Thanks,
| Pax Dickinson

Peter and Karin Dambier

-- 
Peter and Karin Dambier
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-599091 (O2 Genion)
+1-360-226-6583-9738 (INAIC)
mail: peter at

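Peter's recommended split (an outside server that only publishes the zone and never caches, and a separate inside resolver hidden behind the firewall), written out as two BIND 9 named.conf fragments. This is an added example, not part of the original message; the zone name, addresses and network ranges are constructed placeholders.

```conf
// Added example, not from the original post. Two separate named.conf files,
// one per server; all names and addresses below are placeholders.

// ---- Server 1: authoritative only, the one the outside world talks to ----
options {
    directory "/var/named";
    recursion no;                      // never resolve or cache for anybody
    allow-query { any; };              // publish the company zone to everyone
    allow-transfer { 203.0.113.5; };   // AXFR only to your secondaries
    version "None of your business.";  // the option Pax asked about
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- Server 2: caching resolver for the inside, behind the firewall ------
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    listen-on { 10.0.0.53; };          // inside interface only
    allow-query { internal; };         // nobody outside can even ask
    allow-recursion { internal; };     // and nobody outside can make it cache
    version "None of your business.";  // harmless here, as Peter says
};
```

The important lines are `recursion no;` on the outside server and the `allow-query`/`allow-recursion` restriction on the inside one; hiding the version string on either is optional and changes nothing about what the servers answer.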