ISS scanner and BIND 9 (AUTHORS.BIND)
Ralph.Bischof at nasa.gov
Tue Feb 7 14:36:03 UTC 2006
I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.
M BindHostnameDisclosure: BIND hostname disclosure
BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
Unix systems. BIND versions 9.0 and later could allow
a remote attacker to obtain sensitive information. By sending a
specially-crafted DNS query for the record AUTHORS.BIND, a remote
attacker may learn the BIND software version and the hostname of the DNS
server. This information could be helpful in launching
No remedy available as of January 2005.
I know I use the "version" named.conf statement with BIND8 to
hide the version. Would it also help to put this statement in with my
BIND9 build? Something like...
I appreciate any help! If it's not possible to mitigate this
through the configuration, I am thinking that I can make a definitive
argument that I *already* advertise the hostname of the server to the
Internet public, therefore it's a non-issue.
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
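Added by the editor, not part of Ralph's post or of the BIND project: the `options` statements that empty the CHAOS-class builtin records in BIND 9 (`version none;` also stops named serving the builtin authors.bind zone; `hostname none;` covers HOSTNAME.BIND), together with a small tool that sends the same kind of CHAOS TXT query the scanner issues and reports whether anything came back, so the setting can be verified on the server itself rather than argued about. The constant `HARDENED_OPTIONS`, the function names and the sample responses are this example's own; the server address is a placeholder supplied on the command line.

```python
"""Verify CHAOS-class builtin records (version.bind, hostname.bind, authors.bind)
after hardening named.conf. Added example; names and sample data are constructed."""
import socket
import struct

# Constructed named.conf fragment: `none` (unquoted) leaves the record empty instead of
# answering with a string, and with `version` set named no longer serves authors.bind.
HARDENED_OPTIONS = """\
options {
    version none;
    hostname none;
};
"""

CLASS_CH = 3      # CHAOS class, where BIND keeps its builtin records
TYPE_TXT = 16
BUILTIN_NAMES = ("version.bind", "hostname.bind", "authors.bind")


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_chaos_txt_query(name, txid=0x1234):
    """12-byte header (RD set, one question) followed by <name> TXT CH."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def skip_name(buf, pos):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return pos + 2
        pos += 1 + length


def parse_txt_answers(response):
    """Return (rcode, list of TXT strings) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):
        pos = skip_name(response, pos) + 4          # QTYPE + QCLASS
    strings = []
    for _ in range(an):
        pos = skip_name(response, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_TXT:
            i = 0
            while i < len(rdata):                   # TXT rdata: <len><chars> repeated
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return rcode, strings


def builtin_disclosed(response):
    """True when the server answered with a non-empty TXT string (what the scanner flags)."""
    rcode, strings = parse_txt_answers(response)
    return rcode == 0 and any(s for s in strings)


def query_server(server, name, timeout=2.0):
    """Send the query over UDP/53 and return the raw response (network; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name), (server, 53))
        return s.recv(4096)


def make_sample_response(name, txt):
    """Constructed response: echoes the question, answers with <txt>, or nothing if txt is None."""
    an = 0 if txt is None else 1
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, an, 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_CH)
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder address
    for name in BUILTIN_NAMES:
        rcode, strings = parse_txt_answers(query_server(server, name))
        print(f"{name}: rcode={rcode} txt={strings}")
```

Run it against the server after reloading named with the options above; all three names should come back with no TXT strings, and the scanner check that keys on AUTHORS.BIND has nothing left to read.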