BIND9, ISS and AUTHORS.BIND
Ralph.Bischof at nasa.gov
Tue Feb 7 15:25:31 UTC 2006
I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.
M BindHostnameDisclosure: BIND hostname disclosure
BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
Unix systems. BIND versions 9.0 and later could allow a remote attacker to
obtain sensitive information. By sending a specially-crafted DNS query for
the record AUTHORS.BIND, a remote attacker may learn the BIND software
version and the hostname of the DNS server. This information could be
helpful in launching further attacks.
No remedy available as of January 2005.
I know I use the "version" named.conf statement with BIND8 to
hide the version. Would it also help to put this statement in with my
BIND9 build? Something like...
I appreciate any help! If it's not possible to mitigate this
through the configuration, I am thinking that I can make a definitive
argument that I *already* advertise the hostname of the server to the
Internet public, therefore it's a non-issue.
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
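An added example (not part of Ralph's post or of BIND itself) for checking your own server after setting the version statement (and, in BIND 9, the hostname option): it builds the CHAOS-class TXT query that BIND answers for version.bind, hostname.bind and authors.bind, parses the reply, and reports an empty list when the server refuses or returns nothing, i.e. nothing is disclosed. chaos_txt sends to a server you administer; sample_response is a constructed reply used only to exercise the parser offline.

```python
import socket
import struct

TXT, CH = 16, 3  # RR type TXT, class CHAOS (RFC 1035 values)

def build_chaos_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode <name> TXT CH as a plain DNS query (flags 0: RD clear)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", TXT, CH)

def _skip_name(msg: bytes, pos: int) -> int:  # step past a possibly compressed name
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2                    # compression pointer ends the name
        pos += 1 + msg[pos]
    return pos + 1

def parse_txt_strings(resp: bytes) -> list[str]:
    """TXT strings from the answer section; [] when RCODE != 0 or nothing answered."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:                        # REFUSED, SERVFAIL, ...: nothing disclosed
        return []
    pos, out = 12, []
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4       # name + QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        rdata, pos = resp[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        i = 0
        while rtype == TXT and i < rdlen:     # RDATA is <len><chars> repeated
            n = rdata[i]
            out.append(rdata[i + 1:i + 1 + n].decode())
            i += 1 + n
    return out

def sample_response(name: str, text: str) -> bytes:
    """Constructed reply (not captured traffic) answering <name> with one TXT string."""
    q = build_chaos_txt_query(name)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, len(text) + 1) + bytes([len(text)]) + text.encode()
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + q[12:] + rr

def chaos_txt(server: str, name: str, timeout: float = 2.0) -> list[str]:
    """Query a server you administer over UDP/53; [] means the name is not disclosed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name), (server, 53))
        return parse_txt_strings(s.recv(512))
```

Run chaos_txt against your own server for each of the three names before and after the named.conf change; the same check can be done with dig using class CHAOS and type TXT.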