Categories
SysOps

How to display BIND version and hide it

Display the BIND version and learn how to hide it.

Query a specific BIND server for a TXT resource record in class 3 (CHAOS) for the version.bind domain name using nslookup utility.

$ nslookup -q=txt -class=CHAOS version.bind 10.10.10.10
Server:         10.10.10.10
Address:        10.10.10.10#53

version.bind    text = "9.16.15-Debian"

Use dig to get the same information.

$ dig chaos txt version.bind +short @10.10.10.10 
"9.16.15-Debian"

But wait, there is more…

Display server hostname.

$ dig chaos txt hostname.bind +short @10.10.10.10 
"ad.octocat.lab"

Display BIND authors.

$ dig chaos txt authors.bind +short @10.10.10.10 
"Brian Wellington"
"Bob Halley"
"Damien Neil"
"Andreas Gustafsson"
"Ben Cottrell"
"Evan Hunt"
"Mark Andrews"
"Scott Mann"
"James Brister"
"Matt Nelson"
"Michael Graff"
"Curtis Blackburn"
"Witold Krecicki"
"JINMEI Tatuya"
"David Lawrence"
"John H. DuBois III"
"Danny Mayer"
"Michael Sawyer"
"Francis Dupont"
"Jeremy C. Reed"

Display server id (not defined).

$ dig chaos txt id.server +short @10.10.10.10

Edit BIND options to alter these values.

$ cat /etc/bind/named.conf.options 
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on port 54 { 127.0.0.1; };

        version "[Redacted]";
        hostname "[Redacted]";
        server-id "[Redacted]";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

Restart DNS server.

$ sudo systemctl restart named

Query BIND version again.

$ dig chaos txt version.bind +short @10.10.10.10
"[Redacted]"

Additional notes

Requirements for a Mechanism Identifying a Name Server Instance