"Hiding" version.bind in /etc/bind/named.conf.options doesn't work

Bob McDonald bmcdonaldjr at gmail.com
Sat Mar 3 20:12:15 UTC 2018


Personally, I leave the version statement alone. I like having my
"internal" servers return the current running version when queried. I
disable chaos queries on my internet facing servers via views thus
effectively not answering any queries for the version or hostname from
folks I don't know. I agree that today's attackers really don't care, they
just try to exploit everything known.

The other thing I do is code server-id=hostname; on my "internal" servers
and server-id=<something meaningful>; on my internet facing servers. This
returns the actual hostname for "internal" servers when queried for the
chaos hostname.bind or id.server or when responding to a +nsid request. It
will not return an answer for chaos queries on the internet facing servers
(because of the previously mentioned view restriction) while the response
to a +nsid request will be a meaningful name. This is especially handy on
the "inside" for HA clusters and anycast cloud member servers as it returns
the actual server name the response came from. For internet facing queries
it will simply return the meaningful name you specified when responding to
a +nsid request. Depending on the name chosen, this can be useful for
troubleshooting. Choose wisely.

YMMV,

Bob
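As an added illustration of the two configurations described above (editor's example, not Bob's actual named.conf), here is an "internal" server that leaves version alone and reports its hostname, next to an internet-facing server that refuses every CHAOS-class query through a CHAOS-class view while still returning a chosen label over NSID. The address ranges, view names and the "dns-edge-1" label are assumptions for the sake of the example; pick your own. Note that server-id is an options-level statement in BIND and takes the keyword hostname, none, or a quoted string.

```conf
/* --- internal server: answer CHAOS and NSID with the real hostname --- */
options {
    directory "/var/cache/bind";
    // version is deliberately left at its default (the running version)
    server-id hostname;          // hostname.bind / id.server and NSID return the machine name
};

view "internal" {
    match-clients { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // assumed ranges
    recursion yes;
    zone "." { type hint; file "/usr/share/dns/root.hints"; };
};

/* --- internet-facing server: refuse CHAOS, keep a meaningful NSID label --- */
options {
    directory "/var/cache/bind";
    server-id "dns-edge-1";      // assumed label; only reaches clients via +nsid
};

// A CHAOS-class view matching everyone is evaluated before the built-in
// "_bind" CH view, so version.bind / hostname.bind / id.server are refused
// for all clients. NSID is an EDNS option, not a CH query, so it still works.
view "chaos" chaos {
    match-clients { any; };
    allow-query { none; };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" { type master; file "/etc/bind/db.example.com"; };
};

// Verify after reload (replace the addresses with your servers):
//   dig @10.0.0.53 chaos txt hostname.bind +short   -> internal: returns the hostname
//   dig @203.0.113.53 chaos txt version.bind        -> external: status REFUSED
//   dig @203.0.113.53 example.com soa +nsid         -> external: NSID: ... "dns-edge-1"
```

The two options blocks are for two different hosts; a single named.conf takes only one. The verification lines are the dig commands the post refers to, shown here so you can confirm that the CHAOS view really catches the query and that the NSID label is what you intended.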

