BIND, the venerable DNS server, broadcasts its version number by default, a tiny detail that can offer attackers a free reconnaissance pass.

Let’s see BIND in action, specifically how it reveals its version.

dig @localhost chaos version.bind

; <<>> DiG 9.16.1-Ubuntu <<>> @localhost chaos version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                    IN      TXT

;; ANSWER SECTION:
version.bind.             600     IN      TXT     "9.16.1-Ubuntu"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 14 10:00:00 UTC 2023
;; MSG SIZE  rcvd: 58

See that TXT "9.16.1-Ubuntu" in the answer section? That’s the version number. An attacker scanning your network might see this and immediately know what version of BIND you’re running. If that version has a known vulnerability, they’ve just skipped a crucial step in their attack chain. They don’t need to guess or probe further; they know your potential weaknesses.

The problem this solves is information leakage. By default, BIND is chatty about its internal details, and this information can be weaponized. Hiding the version number doesn’t make BIND inherently more secure, but it raises the bar for attackers, forcing them to spend more time and effort identifying potential exploits. It’s a classic security practice: reduce your attack surface by not advertising what you are.

The version.bind query uses the DNS "Chaos class" (CH), a class separate from the usual Internet class (IN) that is reserved for experimental and informational records. BIND implements this class to provide various details about its operation, including its version. The version.bind query specifically asks for a TXT record, in the CH class, containing the server’s version string.

To hide the BIND version number, you need to configure BIND to respond with a modified or empty version string for the version.bind query. This is done with the version option in your named.conf file.

Here’s how you do it. First, locate your BIND configuration file. On most Linux systems, this will be /etc/bind/named.conf or a file included by it, like /etc/bind/named.conf.options.

Inside the options block of your named.conf file, add or modify the version directive.

Option 1: Set a generic version string

options {
    directory "/var/cache/bind";

    // ... other options ...

    version "not configured"; // Or any other string you prefer
};

After saving the named.conf file, you need to reload or restart the BIND service for the changes to take effect. The command to do this varies slightly depending on your Linux distribution:

On Debian/Ubuntu:

sudo systemctl reload bind9

or

sudo systemctl restart bind9

On CentOS/RHEL/Fedora:

sudo systemctl reload named

or

sudo systemctl restart named

Now, if you perform the same dig query again:

dig @localhost chaos version.bind

The output will reflect your new version string:

; <<>> DiG 9.16.1-Ubuntu <<>> @localhost chaos version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                    IN      TXT

;; ANSWER SECTION:
version.bind.             600     IN      TXT     "not configured"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 14 10:05:00 UTC 2023
;; MSG SIZE  rcvd: 58

Notice the TXT "not configured" line. The specific version number is gone, replaced by the string you defined. This makes it harder for an attacker to quickly fingerprint your BIND version and exploit known vulnerabilities.

Option 2: Completely disable the version query response

While the above method replaces the version string, you can also configure BIND to return no answer for this query, hiding it more thoroughly. This is achieved by setting version to an empty string or, more commonly, by using allow-query-cache with a specific zone. However, the most direct way to prevent any response to version.bind is more nuanced: it often involves manipulating the DNS responses themselves, which named.conf does not directly support for Chaos class records in a simple way. The version "not configured"; approach is the standard and recommended method. If you truly want to prevent any response, you would typically resort to firewall rules or more advanced BIND configurations involving ACLs or specific response policies, but the version "string"; directive is the primary mechanism for controlling the advertised version.
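To verify either outcome from the defender's side, here is an added shell helper (not part of the original post) that parses the text output of a CHAOS TXT dig query and reports whether the answer still looks like a real version, has been masked, or is absent (the no-answer case Option 2 aims for). The embedded dig outputs are constructed samples; the audit_chaos function and the hostname.bind option are my additions, assuming dig is installed for the live check.

```shell
# Added audit helper: parse `dig @server chaos <name> txt` output and decide
# whether the server still advertises a real BIND version string.

# Constructed sample: an unmasked BIND answering version.bind.
LEAKY_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
version.bind.             600     IN      TXT     "9.16.1-Ubuntu"'

# Constructed sample: the same query after version "not configured"; was set.
MASKED_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
version.bind.             600     IN      TXT     "not configured"'

# Constructed sample: a server that refuses the CHAOS query outright.
REFUSED_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 777
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Print the quoted TXT value from the ANSWER SECTION (nothing if absent).
chaos_txt() {
  printf '%s\n' "$1" | awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    in_ans && $4 == "TXT" { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); print; exit }'
}

# "leak": looks like a real version (digits.digits...), "none": no TXT
# answer (e.g. REFUSED or unreachable), "masked": any other string.
classify_chaos() {
  txt=$(chaos_txt "$1")
  if [ -z "$txt" ]; then
    echo none
  elif printf '%s\n' "$txt" | grep -Eq '^[0-9]+\.[0-9]+'; then
    echo leak
  else
    echo masked
  fi
}

# Live check; only runs if dig is installed. hostname.bind is a second CHAOS
# record BIND serves by default (controlled by the hostname option).
audit_chaos() {
  out=$(dig @"$1" chaos "${2:-version.bind}" txt +time=2 +tries=1 2>&1) || true
  classify_chaos "$out"
}

command -v dig >/dev/null 2>&1 && echo "localhost: $(audit_chaos localhost)"
```

Run it against each resolver after a reload; anything other than "masked" or "none" means the version directive did not take effect.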

It’s important to understand that this is a security through obscurity measure. It doesn’t fix any underlying vulnerabilities in BIND itself. Keeping your BIND software up-to-date with the latest patches and security advisories is paramount. This version hiding is simply an extra layer that makes your server a less attractive, and less easy, target.

The most common mistake people make after hiding their BIND version is assuming their DNS server is now "invincible." The next thing an attacker will try is probing for other services or misconfigurations that might reveal vulnerabilities, such as misconfigured zone transfers or weak DNSSEC implementations.
