ISS scanner and BIND 9 (AUTHORS.BIND)

Dan Stetser dan.stetser at gmail.com
Sat Feb 11 00:50:28 UTC 2006


Try
options {
       version "";
};

It's cleared some ISS false-positive reports for us.

HTH

On 2/7/06, Bischof, Ralph <Ralph.Bischof at nasa.gov> wrote:
>
> Hello,
>
>         I have a 9.3.1 build of BIND running on a Red Hat Enterprise
> Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
> discover and mitigate any vulnerabilities on the system before I can
> connect it to the network. When I ran a scan of my box, I found the
> below Medium vulnerability that I need to do something about.
>
> Vulnerability Details:
> M BindHostnameDisclosure: BIND hostname disclosure
> BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
> Unix systems. BIND versions 9.0 and later could allow
> a remote attacker to obtain sensitive information. By sending a
> specially-crafted DNS query for the record AUTHORS.BIND a remote
> attacker may learn the BIND software version and the hostname of the DNS
> server. This information could be helpful in launching
> further attacks.
> Remedy:
> No remedy available as of January 2005.
>
>         I know I use the "version" named.conf statement with BIND8 to
> hide the version. Would it also help to put this statement in with my
> BIND9 build? Something like...
>
> options {
>         version "unknown";
> };
>
>         I appreciate any help! If it's not possible to mitigate this
> through the configuration, I am thinking that I can make a definitive
> argument that I *already* advertise the hostname of the server to the
> Internet public, therefore it's a non-issue.
>
> Thank you,
> --
> Ralph F. Bischof, Jr.
> Any opinion within this communication is not necessarily that of NASA.
> PGP Key - http://pgpkeys.hq.nasa.gov
>
>
>
>
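To confirm that the `version` setting actually changes what the scanner sees, here is an added check that is not part of this thread: it builds the authors.bind / version.bind query in class CHAOS, type TXT (RFC 1035 wire format), parses the answer section, and reports whether any non-empty TXT string came back. The server address passed to `query_server` is yours to supply; the two sample responses are constructed inline so the parser can be exercised offline.

```python
import socket, struct

def build_chaos_query(qname, txid=0x1234):
    """Wire-format query for qname, class CH (3), type TXT (16)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 16, 3)

def _skip_name(msg, off):
    # Returns the offset just past a name; a 0xC0 pointer (two bytes) ends it.
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def txt_strings(response):
    """TXT strings of class CH in the answer section (empty list if none)."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", response[:12])
    off, out = 12, []
    for _ in range(qd):                      # step over the question section
        off = _skip_name(response, off) + 4
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        end = off + rdlen
        while rtype == 16 and rclass == 3 and off < end:
            n = response[off]
            out.append(response[off + 1:off + 1 + n].decode(errors="replace"))
            off += 1 + n
        off = end
    return out

def chaos_disclosed(response):
    """True when the answer carries at least one non-empty TXT string."""
    return any(txt_strings(response))

def query_server(server, qname="authors.bind", timeout=3):
    """Send the query to server:53 over UDP and return the raw response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_query(qname), (server, 53))
        return s.recv(4096)
# Constructed sample responses (not from a real server): one answering with a
# TXT string, one with an empty answer section.  0x8180 = QR, RD, RA set.
_Q = build_chaos_query("authors.bind")[12:]
SAMPLE_DISCLOSING = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                     + b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, 8) + b"\x07Example")
SAMPLE_EMPTY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _Q
```

Run `chaos_disclosed(query_server("<your-server-ip>"))` before and after the named.conf change; the same call with `qname="version.bind"` checks the version string.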