BIND9, ISS and AUTHORS.BIND

Andris Kalnozols andris at hpl.hp.com
Tue Feb 7 20:16:21 UTC 2006


> 
> > Well, you can always create a "bind" zone of type CH and 
> > populate this with information that will satisfy the ISS 
> > scanner.  A very good example of this can be found in the 
> > "Secure BIND Template" at 
> > http://www.cymru.com/Documents/secure-bind-template.html.  
> > This can hide both the "version.bind" and "authors.bind" information.
> 
> Sweet. Thank you.
> 
> > Does hiding the version of BIND 
> > that is running make any difference in the security of the 
> > system?
> ...
> >  My opinion is that many (not all) computer security 
> > "professionals" simply follow a set of check lists without 
> > understanding the underlying reasons why the check lists were created.
> 
> I believe you have crystal balled into my environment.


A disadvantage of the "Secure BIND Template" in this regard is that
the BIND version string is hardcoded and thus is subject to being
out of sync after an upgrade of the BIND software.

If you're content with the default values and simply want to limit
the information to internal queries, the following view will suffice
(thanks to Mark Andrews for the idea):


view "refuse_chaos" chaos {
        #
        # The BIND name server defines an internal view called "_bind"
        # in which data for the following special queries are coded
        # directly into the `named' program:
        #
        #   dig @localhost version.bind chaos txt +norec   # BIND version
        #   dig @localhost authors.bind chaos txt +norec   # BIND authors
        #
        # The site auditing policy requires that the BIND name server
        # daemon not reveal its version information to outside parties.
        # Since the internal "_bind" view is matched last, this view
        # ("refuse_chaos") will match external queries for any RRs in
        # the CHAOS class and return a status code of REFUSED.
        #
        match-clients { !authorized-nets;
                        any;
        };
        recursion no;                 # Do not create a view-specific cache.
        allow-query { none; };

        # min-roots 0;                # Not yet implemented by BIND 9.
                                      # Therefore:
        zone "." {                    # Since BIND wants every view to have a
                type hint;            # root hint zone, this declaration will
                file "/dev/null";     # stop a warning message in the syslog.
        };

};      # end view "refuse_chaos"

------
Andris
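An added shell check, not part of the original post or of BIND itself, for auditing the view from outside the authorized networks: it runs the two `dig` queries shown in the comments above and classifies each reply, so an upgrade or a configuration change that reopens the CHAOS class shows up as LEAK instead of HIDDEN. It assumes `dig` is installed and takes the server address as its only argument; the sample dig output embedded in it is constructed.

```shell
#!/bin/sh
# Added check (not from the original post or BIND): query a server's CHAOS
# class and report whether version.bind / authors.bind are hidden. Needs dig.
# Print the RCODE from dig's "->>HEADER<<-" line read on stdin (e.g. REFUSED).
dig_rcode() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Count CH TXT records in dig output read on stdin. Lines starting with ';'
# are dig's comments and the QUESTION section, so they are skipped.
dig_ch_txt_answers() {
    awk '!/^;/ && /[ \t]CH[ \t]+TXT[ \t]/ { n++ } END { print n + 0 }'
}

# Classify one captured dig output: HIDDEN = REFUSED with no records (what the
# "refuse_chaos" view produces); LEAK = CH TXT data came back; NOREPLY = no DNS
# header at all (timeout, unreachable, or not a DNS server).
classify_chaos() {
    out="$1"
    rcode=$(printf '%s\n' "$out" | dig_rcode)
    answers=$(printf '%s\n' "$out" | dig_ch_txt_answers)
    if [ -z "$rcode" ]; then
        echo NOREPLY
    elif [ "$answers" -gt 0 ]; then
        echo LEAK
    elif [ "$rcode" = "REFUSED" ]; then
        echo HIDDEN
    else
        echo "OTHER:$rcode"   # any other RCODE, e.g. NXDOMAIN or SERVFAIL
    fi
}
# Query both special names against one server; one result line per name.
check_server() {
    server="$1"
    for name in version.bind authors.bind; do
        out=$(dig @"$server" "$name" chaos txt +norec +time=2 +tries=1 2>&1)
        printf '%s %s %s\n' "$server" "$name" "$(classify_chaos "$out")"
    done
}
# Constructed sample of what a server running the view above returns.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4321
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;version.bind.            CH    TXT'

if [ $# -eq 1 ]; then
    check_server "$1"                                      # live check
else
    echo "sample classification: $(classify_chaos "$SAMPLE_REFUSED")"
fi
```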

