Blocking version information

James Philpott jamesp at metainfo.com
Sat Jun 18 17:51:20 UTC 2005


Pete Ehlke wrote:
> On Fri Jun 17, 2005 at 16:51:04 -0700, James Philpott wrote:
> 
>>There should be no problems associated with hiding the version 
>>information on your DNS server in BIND 9 or BIND 8 by the use of the 
>>global options statement "version". Version is widely obfuscated by 
>>the use of this option when an administrator does not want the world 
>>or their internal users to be able to see the version of BIND being 
>>used.
>>
> 
> Changing the string reported via the version statement- or changing it
> in the source- does little to nothing to keep world+dog from discovering
> what name server you are running. People do this, thinking they are
> 'hiding' their version. They are wrong.
> 
> -Pete
> 
> 
Pete is absolutely correct; there are many ways to discover what version 
of DNS you are running. I think Pete is pointing out that it is not good 
security to rely on this as a form of security.

I still would not purposefully publish my BIND version so a casual user 
can grok it at will. I choose to obfuscate it where I can.

And I'm using the verb "to obfuscate" in the following sense - "2.  To 
render indistinct or dim; darken: The fog obfuscated the shore."

Better than publishing potential (very slight potential) vulnerabilities, 
I choose to "obfuscate" them as much as I can.

- James Philpott




