ISS scanner and BIND 9 (AUTHORS.BIND)

Dan Stetser dan.stetser at
Sat Feb 11 00:50:28 UTC 2006

options {
       version "";
};

It's cleared some ISS false pos reports for us.....


On 2/7/06, Bischof, Ralph <Ralph.Bischof at> wrote:
> Hello,
>         I have a 9.3.1 build of BIND running on a Red Hat Enterprise
> Linux ES4 system. I *must* use the ISS scanner ( to
> discover and mitigate any vulnerabilities on the system before I can
> connect it to the network. When I ran a scan of my box, I found the
> below Medium vulnerability that I need to do something about.
> Vulnerability Details:
> M BindHostnameDisclosure: BIND hostname disclosure
> BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
> Unix systems. BIND versions 9.0 and later could allow
> a remote attacker to obtain sensitive information. By sending
> specially-crafted DNS query for the record AUTHORS.BIND a remote
> attacker may learn the BIND software version and the hostname of the DNS
> server. This information could be helpful in launching
> further attacks.
> Remedy:
> No remedy available as of January 2005.
>         I know I use the "version" named.conf statement with BIND8 to
> hide the version. Would it also help to put this statement in with my
> BIND9 build? Something like...
> options {
>         version "unknown";
> };
>         I appreciate any help! If it's not possible to mitigate this
> through the configuration, I am thinking that I can make a definitive
> argument that I *already* advertise the hostname of the server to the
> Internet public, therefore it's a non-issue.
> Thank you,
> --
> Ralph F. Bischof, Jr.
> Any opinion within this communication is not necessarily that of NASA.
> PGP Key -
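
A way to confirm that the `version` setting took effect, as an added example that is not part of the original thread: it builds a CHAOS-class TXT query (the class BIND uses for names such as AUTHORS.BIND) and parses the reply. The default name `version.bind`, all function names, and the constructed response from `sample_reply` are assumptions of this example.

```python
import socket
import struct

TYPE_TXT, CLASS_CH = 16, 3

def build_query(name, txid=0x1234):
    """DNS header with one question, then a CH-class TXT question for name."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + labels + b"\x00"
            + struct.pack("!HH", TYPE_TXT, CLASS_CH))

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_txt(msg):
    """Return (rcode, [text of each TXT answer]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, texts = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TXT:
            text, i = b"", 0
            while i < len(rdata):                # length-prefixed strings
                text += rdata[i + 1:i + 1 + rdata[i]]
                i += 1 + rdata[i]
            texts.append(text.decode("ascii", "replace"))
    return flags & 0x000F, texts

def sample_reply(text):
    """Constructed reply to build_query("version.bind") carrying one TXT."""
    q, rdata = build_query("version.bind"), bytes([len(text)]) + text.encode("ascii")
    return (q[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0) + q[12:] + b"\xc0\x0c"
            + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata)

def check(server, name="version.bind", timeout=3.0):
    """Ask a server you operate over UDP; returns (rcode, texts)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_txt(s.recvfrom(4096)[0])
```

Call `check("127.0.0.1")` on the name server host before and after changing `version` and reloading, then compare the returned text; pass `name="authors.bind"` to see what the scanner's query returns.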
