check and hide BIND version

Nowadays, the security of a Linux server starts with the security of each application. Running an outdated software version (Apache, MySQL, Exim, Bind) would leave your server vulnerable, as many of those old version have a bunch of security issues. This is why a good starting point would be to hide your services versions, as this information can be useful to an attacker, to focus on the specific version that you are running.

BIND (or named) is the most commonly used DNS (Domain Name Server) on the Internet. Many BIND version are vulnerable to different types of attacks, and this is why we will focus this small tutorial on how to hide your BIND version, on the Chaos class (CH):

[dragos@dragos-laptop ~]$ dig -c CH -t txt version.bind

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> -c CH -t txt version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65190
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;version.bind.            CH    TXT

version.bind.        0    CH    TXT    “9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2”

version.bind.        0    CH    NS    version.bind.

;; Query time: 38 msec
;; WHEN: Sun Nov 14 00:09:19 2010
;; MSG SIZE  rcvd: 91

As you can see on the output the version that I’m running on one of my servers is 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2. This could help an attacker to focus his ‘work’ on this version’s vulnerabilities (if any), and this is why I will hide to version, at least to make his work less easy.

For this you will need to open the configuration file of the BIND service (since I’m running it on a chroot environment the path for it is /var/named/chroot/etc/named.conf), and find the option directive. Here I will add a new entry with this format: version “desired string”; .

vi /var/named/chroot/etc/named.conf

options {
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
version “Try again, fail again. Fail better.”;
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below.  Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
// query-source address * port 53;

Finally, save and restart the DNS server and perform the same query again:

[root@server ~]# service named reload
Reloading named:                                           [  OK  ]

[dragos@dragos-laptop ~]$ dig -c CH -t txt version.bind +short
“Try again, fail again. Fail better.”