Bischof, Ralph Ralph.Bischof at
Tue Feb 7 15:25:31 UTC 2006


	I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner ( to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.

Vulnerability Details:
M BindHostnameDisclosure: BIND hostname disclosure
BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
Unix systems. BIND versions 9.0 and later could allow a remote attacker to
obtain sensitive information. By sending a specially-crafted DNS query for
the record AUTHORS.BIND, a remote attacker may learn the BIND software
version and the hostname of the DNS server. This information could be
helpful in launching further attacks.
No remedy available as of January 2005.

	I know I use the "version" named.conf statement with BIND8 to
hide the version. Would it also help to put this statement in with my
BIND9 build? Something like...

options {
	version "unknown";
};

	I appreciate any help! If it's not possible to mitigate this
through the configuration, I am thinking that I can make a definitive
argument that I *already* advertise the hostname of the server to the
Internet public, therefore it's a non-issue.

Thank you,
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key -
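Added example (not part of Ralph's post, and not BIND's own code): the three BIND 9 `options` directives that control the built-in CHAOS-class "bind" zones the scanner is probing (`version`, `hostname`, `server-id`), written out as a named.conf snippet, plus a small offline check that a given config sets all three. The `directory` path and the temp-file names are placeholders I made up; the `dig` queries in the comments are what I would use to confirm the change from another host after `rndc reload`.

```shell
#!/bin/sh
# Added example, not from the original post or from ISC.
# Hardened options block for BIND 9: each directive below governs one of the
# built-in CHAOS-class records (version.bind, hostname.bind, id.server).
# authors.bind is served from the same built-in view; check it with dig too.
HARDENED_OPTIONS='
options {
    directory "/var/named";   // placeholder path, adjust to your layout
    version "unknown";        // version.bind answers "unknown" instead of 9.3.1
    hostname none;            // hostname.bind queries get no answer
    server-id none;           // id.server queries get no answer (BIND 9 default)
};
'

# audit_named_conf FILE
# Prints one line per missing disclosure directive and returns the number
# missing, so 0 means version, hostname and server-id are all set explicitly.
# This is a plain-text check, not a parser: it looks for "<directive> <value>;"
# at the start of a line, which is how the snippet above is written.
audit_named_conf() {
    conf="$1"
    missing=0
    for directive in version hostname server-id; do
        if ! grep -Eq "^[[:space:]]*${directive}[[:space:]]+[^;]+;" "$conf"; then
            echo "missing: ${directive} (built-in CHAOS answer still at its default)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Write the snippet somewhere harmless and audit it. Syntax can be checked
# with: named-checkconf "$CONF_FILE"
CONF_FILE="${TMPDIR:-/tmp}/named.conf.hardened.$$"   # constructed temp path
printf '%s\n' "$HARDENED_OPTIONS" > "$CONF_FILE"
audit_named_conf "$CONF_FILE" && echo "all three directives set in $CONF_FILE"

# After merging into the real named.conf and running "rndc reload", verify
# from another host (replace <server> with the DNS server's address):
#   dig @<server> version.bind  txt chaos +short
#   dig @<server> hostname.bind txt chaos +short
#   dig @<server> authors.bind  txt chaos +short
#   dig @<server> id.server     txt chaos +short
```

Whether `version "unknown"` alone also empties the AUTHORS.BIND answer is something I would confirm with the third `dig` line rather than assume; the `hostname none` line is the one that addresses the hostname part of the finding, since the scanner's description pairs the version with the server's hostname.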

