Hiding Your BIND Version


As described in Chapter 5, "Using Dig and nslookup," you can use a command such as

 $ dig CHAOS version.bind TXT 

to determine the version of your BIND. This is often considered a security risk, and it does make determining your BIND version easier, which matters when a new security problem in BIND is published: an attacker can tell at a glance whether your server is affected. To replace the string the server reports, enter the following in named.conf:

 options {
     …
     version "Wouldn't you like to know?";
     …
 };

Of course, such an answer might inflame the temper of any attacker rather than stop the attack, so you might want to choose other language, or set it to blank. It has been argued that if the version string returned shows that you're using the latest, no-known-weaknesses BIND, the attacker will go on to the next target. On the other hand, if you conceal your version, the attacker will direct the whole arsenal of BIND compromise tools toward your server. But now we're into the realm of second-guessing the attacker. Do what you feel most comfortable with.
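Whichever string you settle on, it is worth checking from the outside that the change actually took effect, and doing so again after every BIND upgrade. The following POSIX shell script is an added example, not code from the book: it runs the same CHAOS-class query with dig, pulls the TXT data out of the answer section, and flags any server whose reply still looks like a real BIND release number (digits and dots), as opposed to a custom string or no answer at all. The function names and the sample dig output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the book): audit whether nameservers still reveal
# their BIND version through the CHAOS-class version.bind TXT record.

# Classify one version.bind TXT answer.
# Returns 0 when the string looks like a real BIND release number
# (for example "9.16.1" or "8.2.2-P5"), 1 otherwise. A custom string such as
# "Wouldn't you like to know?" or an empty answer means nothing useful leaks.
looks_like_bind_version() {
    # dig prints TXT data surrounded by double quotes; strip them first
    v=$(printf '%s' "$1" | sed 's/^"//; s/"$//')
    case "$v" in
        [0-9]*.[0-9]*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Extract the TXT data from dig's answer section.
# Reads dig output on stdin; prints the quoted TXT string, or nothing when
# the server gave no version.bind answer. Answer lines look like:
#   version.bind.   0   CH   TXT   "9.16.1-Ubuntu"
extract_version_txt() {
    awk '$1 == "version.bind." && $3 == "CH" && $4 == "TXT" {
             $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print
         }'
}

# Report on one server. Needs network access and dig; run it by hand as
#   audit_server ns1.example.com        (hypothetical host name)
# Returns 1 when the real version is exposed, 0 otherwise.
audit_server() {
    server="$1"
    txt=$(dig @"$server" version.bind CHAOS TXT +noall +answer | extract_version_txt)
    if [ -z "$txt" ]; then
        echo "$server: no version.bind answer (hidden or CHAOS queries refused)"
    elif looks_like_bind_version "$txt"; then
        echo "$server: EXPOSED, reports $txt"
        return 1
    else
        echo "$server: custom string $txt"
    fi
    return 0
}

# Offline demonstration on constructed dig output: one server that still
# leaks its version and one that uses the string from named.conf above.
demo() {
    leaky=$(printf 'version.bind.\t0\tCH\tTXT\t"9.16.1-Ubuntu"\n' | extract_version_txt)
    hidden=$(printf 'version.bind.\t0\tCH\tTXT\t"Wouldn'"'"'t you like to know?"\n' | extract_version_txt)
    if looks_like_bind_version "$leaky";  then echo "sample 1: EXPOSED $leaky"; fi
    if ! looks_like_bind_version "$hidden"; then echo "sample 2: hidden ($hidden)"; fi
}

demo
```

Two caveats when reading the results. BIND 9 also accepts `version none;`, which makes the server refuse version.bind queries instead of answering with a string, so "no answer" from a server you administer is expected in that configuration, not a sign that dig failed. And a recursive resolver in the path will not answer CHAOS queries on behalf of an authoritative server, so always query the server directly with `@server`, as the script does.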

Earlier versions of BIND required you to set up a zone called bind of class CHAOS instead of the default IN, and to define in it a CHAOS TXT record for the name version.bind that replaced the default one. That no longer works, which is just as well, because the new way is less work.



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183