BIND9, ISS and AUTHORS.BIND

Bischof, Ralph Ralph.Bischof at nasa.gov
Tue Feb 7 15:25:31 UTC 2006


Hello,

	I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.

Vulnerability Details:
M BindHostnameDisclosure: BIND hostname disclosure
BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
Unix systems. BIND versions 9.0 and later could allow a remote attacker to
obtain sensitive information. By sending a specially-crafted DNS query for
the record AUTHORS.BIND, a remote attacker may learn the BIND software
version and the hostname of the DNS server. This information could be
helpful in launching further attacks.
Remedy:
No remedy available as of January 2005.

	I know I use the "version" named.conf statement with BIND8 to
hide the version. Would it also help to put this statement in with my
BIND9 build? Something like...

options {
	version "unknown";
};

	I appreciate any help! If it's not possible to mitigate this
through the configuration, I am thinking that I can make a definitive
argument that I *already* advertise the hostname of the server to the
Internet public, therefore it's a non-issue.

Thank you,
--
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
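An added example, not from the post above: the BIND 9.3 options that control each CHAOS-class built-in record. `version` is the statement the post asks about and, in BIND 9, setting it also disables the authors.bind record; `hostname` and `server-id` are 9.3 additions that cover hostname.bind and id.server. The `directory` line is an assumption standing in for whatever else the existing options block contains.

```conf
options {
	// assumption: stands in for the rest of the existing options block
	directory "/var/named";

	// version.bind: replaces the real version string in CHAOS TXT replies.
	// In BIND 9 setting any value here also disables authors.bind.
	version "unknown";

	// hostname.bind: BIND 9.3 option; overrides the value named takes
	// from gethostname(). "none" would disable the record entirely.
	hostname "unknown";

	// id.server: BIND 9.3 option; "none" (the default) disables it.
	server-id none;
};
```

After reloading, `dig @127.0.0.1 CH TXT authors.bind` (and likewise version.bind and hostname.bind) should return no answer data for a disabled record, or only the replacement string for an overridden one.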
