Disable Bind's response to version queries and zone xfer requests
Ronald Procopio
RonaldMarkProcopio at netscape.net
Tue Aug 17 01:41:42 UTC 1999
Under Bind 4 there is an option called SECURE_ZONE (yes I know there is
an underline - I believe that's right) that you can use in the BIND zone
file to limit transfer and queries of that specific zone.
I don't remember the network syntax whether it listed subnets or used the
/ notations but it was like this:
SECURE_ZONE IN TXT "subnet"
bind-users at progressive-comp.com wrote:
>
> On 1999-08-04, Barry Margolin <barmar at bbnplanet.com> wrote:
>
> > In article <FCFEEAA0D131D311BDD000805FA70AEC49633C at cljfsdw1.GrandForks.a
> > f.mil>, Villella, James <James.Villella at grandforks.af.mil> wrote:
> > > Bind v4.9.7 running on WinNT
> > >
> > > I need to configure it so that it will not return a version number,
> > > and so that it will not honor zone xfer requests.
>
> > I think the only way to get it not to respond to the version query is
> > by patching the source code. It's a hard-coded feature and there's no
> > runtime configuration of it.
>
> [ In which case: James, are you able to recompile bind on your NT box? ]
>
> You could try a rather neat trick proposed last year by LaMont Jones on
> Bugtraq: basically create a dummy 'bind' zone and restrict access to it:
>
> http://www.progressive-comp.com/Lists/?l=bugtraq&m=90221103125895&w=2
>
> Note that he's discussing doing so under bind 8 -- it's been long enough
> since I spent much time on bind 4 that I can't remember at the moment if it
> supports what you need to make this work (setting allow-query on a per-zone
> basis). For that matter, I've never tested the above, since I had been
> using patched binds for a long time before reading his suggestion. But,
> it is a neat trick.
>
> --
> Hank Leininger <hlein at progressive-comp.com>
>
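As an added example (not part of the original thread, and not LaMont Jones's or Hank Leininger's own configuration), here is what the "dummy bind zone" trick and a zone-transfer restriction look like in BIND 8/9-style named.conf syntax. The directory, zone names, file names and addresses are constructed placeholders; only the structure is the point.

```conf
// Added example, not from the original thread: BIND 8/9-style named.conf
// fragment for (1) shadowing the built-in version.bind record and
// (2) restricting zone transfers. Paths and addresses are placeholders.

options {
    directory "/var/named";
    // Refuse zone transfers by default; individual zones re-open them below.
    allow-transfer { none; };
};

// Hosts permitted to pull zone transfers (constructed placeholder addresses).
acl secondaries { 192.0.2.53; 198.51.100.53; };

// The built-in version.bind TXT record lives in the CHAOS class. Declaring
// our own "bind" zone in that class shadows it, and allow-query { none; }
// makes the server answer REFUSED instead of returning the version string.
zone "bind" chaos {
    type master;
    file "bind.zone";        // a minimal zone file with an SOA and NS record suffices
    allow-query { none; };
    allow-transfer { none; };
};

// A normal zone: only the listed secondaries may transfer it.
zone "example.com" in {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};
```

To check the result from another host, `dig @server version.bind chaos txt` should come back with status REFUSED, and `dig @server example.com axfr` from an address outside the `secondaries` ACL should fail rather than dump the zone. Two caveats: the `bind.zone` file must still be a syntactically valid zone (an SOA and an NS record) or named will refuse to load it, and this applies to BIND 8's per-zone `allow-query`, which the thread notes BIND 4 may not support. Later releases (BIND 8.2 and BIND 9) also accept a `version "..."` statement in `options`, which replaces the reported string directly without the dummy zone; either way, hiding the version only removes an easy fingerprint, so the server still needs to be kept patched.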